vSphere authentication proxy is a service that is available in every vCenter server. By default, the vSphere authentication proxy service is set to manual and the service is not in a running state. With vSphere authentication proxy you can easily domain join an ESXI host. The vCenter server will serve as a proxy to domain join ESXI hosts. You can even automate this with host profiles that are attached to the cluster/hosts or even in combination with vSphere auto deploy.
Note: vSphere authentication proxy service is by default available in vCenter 6.5 and later. In earlier vSphere versions, VMware vSphere authentication proxy was installed separately. You cannot use vSphere Authentication Proxy in an environment that supports only IPv6.
In this article I will show you how to enable the vSphere authentication proxy, how to perform an domain join task of a ESXI host with the vSphere authentication proxy and how to do this with host profiles.
More info: Using vSphere Authentication Proxy
Table of Contents
Enabling the VMware vSphere Authentication Proxy service
To enable the VMware vSphere Authentication Proxy service, we need to login to vCenter appliance web console by accessing the following url https://vCenter-appliance:5480. In the vCenter appliance web console, click on services in the menu and search for the VMware vSphere Authentication Proxy service as shown below:
Enable the auto start of the VMware vSphere Authentication Proxy service
Unfortunately, the VMware vSphere Authentication Proxy service will not start automatically after a reboot of the vCenter server. To enable the automatic startup of the service, we should configure that in the FLEX GUI of vCenter. I couldn’t find a way to configure that in the HTML GUI. To do so, login to the FLEX GUI of vCenter, click the home icon and select administration.
Click on System Configuration, select the vCenter server in the Nodes view and click on Related Objects to see all the services available on the vCenter server. Select the VMware vSphere Authentication Proxy service in the list, click on Actions and select the Edit Startup Type to configure the automatic start of the service as shown below:
The service has now been set to automatic. To verify this, check the services list and verify that the startup type has been set to automatic for the VMware vSphere Authentication Proxy service as shown below:
Configure the Authentication Proxy
We now have the VMware vSphere Authentication Proxy service started and have set it to start automatically after a restart of the vCenter server. The next step is to configure the Authentication Proxy with the the domain settings of your Active Directory. Click on the vCenter server listed in the host view and select the Authentication proxy under the configure page as shown below:
Note: Make sure you have a valid service account in the Active Directory domain that is able to perform a domain join task. Keep in mind that It is not a best practice to use a domain admin account for this.
How to use VMware vSphere Authentication Proxy
Authentication Services in ESXI
One way to use the VMware vSphere Authentication Proxy is by accessing the Authentication Services in the configure page of an ESXI host. Select the host that you would like to add to the domain from the host view and click on Authentication Services in the configure page. Click on Join Domain and select using proxy server with the IP address of the vCenter server that runs the VMware vSphere Authentication Proxy service.
Create a new host profile or change an existing one with the Active Directory configuration settings. The Active Directory configuration can be found under the Security and Services category and configure the domain name and the IP address of the vCenter server that runs the VMware vSphere Authentication Proxy service as shown below:
Validating the domain join task
After performing one of the ways to domain join an ESXI host, we should verify this in the host configuration view and in the Active Directory of the domain. To verify the authentication services, click on authentication services in the configure view as shown below:
In the previous examples i showed you how to configure VMware vSphere authentication proxy and how to use it. With the use of the authentication proxy the ESXI can be added to the domain without the use of an active directory credential. In combination with host profiles you can automate and simplify the domain join task as well.