vCenter Server two-factor authentication configuration

An in-depth look at VMware vSphere vCenter Server two-factor authentication configuration using Duo Security. Why do you need to secure your VMware vCenter Server with 2FA? It is simple. Attackers are looking to compromise your vSphere environment and other business-critical infrastructure. By securing your network with multi-factor authentication, specifically two-factor, you will be able to bolster the security of your vSphere login.

While vSphere 7 adds the new identity federation capability in vCenter Server, currently this is only supported with Active Directory Federation Services (ADFS). If you don't currently have ADFS in your environment, it can be overkill to set up ADFS just for two-factor authentication for vCenter. Also, you may be running an older vSphere version such as vSphere 6.5 or 6.7.

Using Duo Security and the Duo authentication proxy, you can easily configure two-factor authentication on your vCenter Server and require 2FA for all vCenter Active Directory logins. This is accomplished by proxying all the authentication requests to Active Directory through your Duo authentication proxy.


_____________________________________________________

Introduction to cybersecurity and challenges - 0:00-0:44
Why is two-factor authentication important? - 0:55
Introduction to Duo Security - 1:55
Setting up a new Duo application to protect vCenter - 2:42
Discussion of setting up the Duo proxy appliance - 4:33
Configuring vCenter Server to use the Duo Proxy - 6:40
Testing the login to vCenter Server and two-factor push - 9:32
Concluding discussion on configuring two-factor authentication on vCenter Server - 10:09

Take note of the detailed blog post I have written on the topic here:


Read the VMware vSphere 7 blog post covering the topic of identity federation:


Link to Duo Security:

Duo Proxy documentation:

Comments

Thank you so much for making this! Just implemented it and it works flawlessly. If you want to only allow a specific security group in AD access to this server, which causes all other AD logins to fail, make sure you specify the "security_group_dn" field under the ad_client config. One thing that tripped me up was that when I used a specific OU for the search_dn that points to where my admin accounts are, it caused vSphere to fail the AD authentication because my service account was in a different OU. If you want to keep it locked down but still allow it to work with multiple OUs, make your search_dn more broad (I just used the base domain DN) and then specify your security_group_dn.

jason

Perfect timing! This was uploaded 5 days ago and I found it today - Very useful Thank you very much.

dudelee

Nice! Thanks for finding a simpler way to implement MFA for vCenter.

johnheintz

Thank you for sharing this info. I am a DUO admin, and the VMware Team will really appreciate this once we roll it out at our hospital. Appreciate!

sglant

I absolutely agree with @Joshua Desjardine. This!!! There's so little documentation on it and this has been a major help! We've hit the apex of instructional guides right here, a masterpiece that made this otherwise garbled mess of a process understandable. Thank you very much, you rock!

A quick tip for others that tripped me up:
- While editing the vSphere config, it consistently kept timing out after inputting the primary server URL I knew it was supposed to point to (the DUO Proxy) and figured something was wrong. Turned out to be a simple oversight, as you may receive an additional DUO push when attempting to save the correct configuration.

InSilentNova

Now that was on point. Thank you for the video and for sharing!

zaur

haha... Your video is going to get me a pay raise. Thanks.

kevonmanuel

I tried implementing this, but the credentials passed to the duo proxy seem to be only the credentials used to set up the identity source and not the credentials of the user logging in. Did I set something up wrong?

stanmiller

Thanks for the video. Didn't work for me, not sure why. The LDAP lookup works, my account is authenticated, but no DUO Push. As an FYI, you can use the authentication proxy server to set up 2FA for pretty much any application that will support LDAP or RADIUS authentication - I have set up 2FA on quite a few apps - but could not get it working with vCenter :(

beaubarendt

THX for the video! Sorry, but you should have mentioned that: Guide to Duo Access Gateway end of life 2023. I work in the critical infrastructure sector and for us a pure cloud solution is an absolute no-go. Are there any alternatives?

wildorb

Very late to this game. I got everything setup and it works, only after I hit "approve" on my app, my browser just spins and then the Duo app pops up again (I approve) and again (I approve) and again (etc.). Any suggestions? My logs are not helping at all.

MagicKits

I couldn't get this to work. Looked at the logs and found my LDAP user was not being found. In the LDAP setup, you need to enter the DN of the LDAP user for the exempt OU after you set "exempt_primary_bind" to false. So, if you have no working MFA, but can authenticate with the new LDAP from vCenter, make sure to set "exempt_primary_bind" to false. Then, you must make certain your LDAPS user is exempted from needing to use Duo MFA with "exempt_ou_1=" and set your LDAP user's DN.

JeremyMontoya-sjse
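Pulling together the description's approach (vCenter's LDAP identity source pointed at the Duo Authentication Proxy, which forwards primary authentication to AD) and the keys the comments above discuss (search_dn, security_group_dn, exempt_primary_bind, exempt_ou_1), here is an added example authproxy.cfg; it is not the video author's file, and every host name, DN, key, password and path is a placeholder.

```ini
; Upstream side: the proxy checks username/password against AD here.
[ad_client]
host=dc1.example.local
host_2=dc2.example.local
service_account_username=svc-duoproxy
service_account_password=PLACEHOLDER_PASSWORD
; Keep search_dn at the base domain DN so accounts living in different OUs
; (admin accounts vs. the service account) are all found...
search_dn=DC=example,DC=local
; ...and limit who may log in with a group rather than by narrowing search_dn.
security_group_dn=CN=vCenter Admins,OU=Groups,DC=example,DC=local

; Listener side: this is the "primary server" vCenter's identity source uses.
[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; Deny logins when the Duo service cannot be reached instead of letting them
; through with password only.
failmode=secure
; Default exempt_primary_bind=true skips 2FA for the first bind on each LDAP
; connection. vCenter binds as its service account to search, then re-binds
; as the user; a user bind that is first on its connection then gets no push,
; which matches the "logged straight in, no push" reports in the comments.
; Require 2FA on every bind and exempt only the service account's own DN.
exempt_primary_bind=false
exempt_ou_1=CN=svc-duoproxy,OU=Service Accounts,DC=example,DC=local
port=389
; Optional LDAPS listener for the vCenter -> proxy leg (placeholder cert paths),
; for the LDAPS question asked below.
ssl_port=636
ssl_key_path=C:\Program Files\Duo Security Authentication Proxy\conf\proxy.key
ssl_cert_path=C:\Program Files\Duo Security Authentication Proxy\conf\proxy.pem
```

When validating or saving the identity source in vCenter, expect one or more extra Duo pushes for the account you are using, as one of the comments notes.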

Great video! Thanks for making it. Is there any way to configure the connectivity between vCenter and the Duo authentication proxy as LDAPS when you are adding it as an IdP?

prishaildodhia

Do you know any method to disable the "Use Windows session authentication" option?
The problem here is, when you have installed the Enhanced Authentication Plugin and use Windows Session Authentication to log in, it totally ignores the second factor and you have access to the vCenter. So, a possible answer would be "Don't install the plugin" - but in this case we need to know that an attacker would just use exactly this plugin to get access.

freiherrvongilgenheimb-

I want to try this, but I have a current AD identity in vCenter for SSO. It uses Integrated Windows Authentication. It does not allow a second AD identity. Is it OK to delete the current identity source to try this? I assume I can still get into vCenter by using the vsphere.local system domain?

TheOrdonje

My domain users stopped authenticating after I added that proxy the same way you did on the VCSA. When I try to log in now with a domain user it says "Invalid credentials" - so how does this method pass the requests to AD to check the username/password? I am not sure if I missed anything, but I was able to add the identity source the same way you did in the video, and matched your Duo cfg file.

Bosh

Trying to use the Windows version of the Duo proxy, but when adding the identity source in vCenter I keep getting a message saying "Check the network settings and make sure you have network access to the identity source". How does this work if we already have AD as our identity source, or can it?

baboo

Excellent Video. I have configured my proxy using windows. No errors reported when validating. However, when I log into vSphere, it logs me straight in with no Push from Duo. I changed the port to 636 and as expected my credentials came back as invalid so the Duo Proxy is working. I just cannot get the Duo Push to my phone hence logging me straight in. Any help on this please. Thanks!

asifiqbal-jghb