Embotics® vCommander® 5.5 introduces the ability to configure Windows session authentication using Active Directory. This is accomplished by creating a Service Principal Name (SPN), which acts as the Secure Token Service (STS) for token issuing.


vCommander Configuration


You must first integrate one or more Active Directories with vCommander. While doing so, note the account used to query the directory, as you will specify it while configuring the SPN later. In the image below, the account is administrator@omega.pv.


Each Active Directory user must be added to vCommander individually, or as a member of an Active Directory group. A vCommander or Service Portal role must be assigned to provide access.


Lastly, you must enable pass-through authentication:

  1. Under the Configuration menu, choose System Configuration.
  2. Switch to the Authentication tab.
  3. Under the Windows Session Authentication section, click Edit and check the box to enable for vCommander, the Service Portal, or both.



    Important: If the Service Portal Enabled checkbox is disabled, SAML single sign-on is already enabled. It’s not possible to use both SAML SSO and Windows Session Authentication for the Service Portal.

Active Directory Configuration


Next, an administrator must create the SPN on the domain controller.

  1. Log in to the Domain Controller as administrator, and launch a command prompt as administrator.
  2. Issue the following command:

    setspn.exe -A HTTP/{domain name} {domain}\{directory account}

    where:

    {domain name} is the domain name, alias or vCommander host name. This is the name users enter in their browsers to access vCommander or the Service Portal. If service access has been restricted to a certain network address, be sure to use the restricted address. Where heightened security is important, use the exact host name of the vCommander server instead of the domain name.

    {domain}\{directory account} is the account used to integrate Active Directory with vCommander, as noted in the previous section. Use the format <domain>\user if the account is not in the same domain as the Active Directory server where you're issuing the setspn command (for example, omega.pv\administrator). Otherwise, enter just the user name (for example, administrator).

Repeat this procedure for each connected domain. You must run the setspn command for each network address that can be used to access vCommander or the Service Portal (for example, acme.example.com, acmeportal.example.com, and acme).
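The following PowerShell script is an added example, not part of the Embotics documentation. It registers the HTTP SPN for every name users type to reach vCommander or the Service Portal, and it first checks whether that SPN is already claimed by another account, because a duplicate SPN causes Kerberos ticket requests for the service to fail. The account and host names are constructed placeholders, and it uses setspn's -S switch (which refuses duplicates) in place of the -A switch shown above.

```powershell
# Added example (not from the Embotics documentation). Run in an elevated
# prompt on the domain controller, as in step 1 of the procedure above.
# $DirectoryAccount is the account used for the AD integration and the
# names in $AccessNames are constructed placeholders.

$DirectoryAccount = 'omega.pv\administrator'
$AccessNames      = @('acme.example.com', 'acmeportal.example.com', 'acme')

foreach ($name in $AccessNames) {
    $spn = "HTTP/$name"

    # setspn -Q searches the forest for an existing registration of this SPN.
    # Two accounts holding the same SPN break Kerberos for that name, so the
    # script reports the conflict instead of adding a second registration.
    $existing = & setspn.exe -Q $spn 2>&1
    if ($existing -match 'Existing SPN found') {
        Write-Warning "$spn is already registered:`n$($existing -join "`n")"
        continue
    }

    # -S adds the SPN only after confirming no duplicate exists
    # (stricter than -A, which adds without checking).
    & setspn.exe -S $spn $DirectoryAccount
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to register $spn for $DirectoryAccount"
    }
}

# List everything now registered on the account so the result can be reviewed.
& setspn.exe -L $DirectoryAccount
```

Re-run the script whenever a new alias or restricted network address is added for vCommander or the Service Portal; names that are already registered are skipped with a warning rather than duplicated.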

Browser Configuration


Finally, users’ browsers must be configured to be compatible with the settings. This functionality will only work on Windows with officially supported browsers: Firefox, Chrome, and Internet Explorer.

For each domain name or alias where pass-through authentication will be used:

  • Internet Explorer and Chrome: Add the domain name to the Local Intranet security zone. Both Internet Explorer and Chrome use the trusted sites list configured in Internet Explorer. In Internet Explorer, go to Internet Options and select the Security tab. Click Local Intranet and click Sites. In the Local Intranet dialog, click Advanced. Add the website to the zone.


     Where heightened security is important, use the exact host name of the vCommander server instead of the domain name.

  • Internet Explorer and Chrome: Enable Integrated Windows Authentication. Both Internet Explorer and Chrome use the Internet Options in the Windows Control Panel. This setting requires a computer restart.


  • Firefox: Navigate to the page about:config. Acknowledge the security warning. Double-click network.negotiate-auth.trusted-uris. Add the domain name. Use commas to separate multiple values.


    Where heightened security is important, use the exact host name of the vCommander server instead of the domain name.


What Do Users See at Login?


If you’ve used VMware’s client applications, you’re already familiar with how this works. Users may log in to vCommander and/or the Service Portal with their credentials, or they may enable Use Windows session authentication instead.



If a user enables Use Windows session authentication when Active Directory and/or the browser is not configured correctly, the message “Unable to login using Windows session authentication” is displayed, and users are prompted to enter their Windows credentials. Verify that Active Directory is configured properly, and that the browser is configured as detailed above.