vSphere 6.0 Basics – Part 6 – Installing vSphere Authentication Proxy

This is part 6 of the vSphere 6.0 Basics, detailing the installation of vSphere Authentication Proxy on Windows Server 2012 R2.

This is a 6 part series, describing the installation basics of vSphere 6.0:

1. vSphere 6.0 Basics – Part 1 – ESXi Install
2. vSphere 6.0 Basics – Part 2 – vSphere Client Install
3. vSphere 6.0 Basics – Part 3 – vCenter Server Appliance Install
4. vSphere 6.0 Basics – Part 4 – vCenter Server Install with Windows Server 2012 R2
5. vSphere 6.0 Basics – Part 5 – vSphere Update Manager
6. vSphere 6.0 Basics – Part 6 – vSphere Authentication Proxy

UPDATE – WARNING – This post has been constructed using the vSphere 6.0 Release Candidate (RC – Build 2172336), there are significant improvements in the GA code (see comment below), so check the official VMware documentation for guidance.

As in previous versions, the optional vSphere Authentication Proxy is used to allow ESXi hosts to join an Active Directory domain without credentials.  The most common use-case is for AutoDeploy (PXE Boot) with Host Profiles.

Prerequisites

• Functioning vCenter Server 6.0 (Windows Server 2012 R2 install or vCSA)
• Functioning ESXi 6.0 host
• Customised Windows Server 2012 R2 server Operating System (for vSphere 5.5, but applicable to vSphere 6.0 also)
• You have the vSphere Infrastructure Management Release Candidate (RC – Build 2172336) or the General Availability (GA – March 2015) ISO image.

Install the vSphere Authentication Proxy

1. Mount or extract the VIM 6.0 ISO image to the Microsoft Windows Server 2012 R2 system that will be used for the “vSphere Authentication Proxy”.  Note: the Microsoft .NET Framework 3.5 SP1 is required to be installed before you begin, there is an install option built-in, but it requires access to the Internet.  You also need the IIS feature installed with IIS 6 Metabase Compatibility, ISAPI Extensions, IP and Domain Restrictions.
2. Make sure you use a Domain account that has Domain Admin privileges, this is because the installation software creates a Domain account with the required privileges for the Authentication Proxy to function.  Otherwise your installation will fail with the message “Error 29106”.
3. Execute the “autorun.exe” file.
4. In the “VMware vCenter Installer” window, select the “vSphere Authentication Proxy” object under the “VMware vCenter Support Tools” option and press the “Install” button.
5. Select your language (default “English (United States)”) and press “OK”.
6. In the “VMware vSphere Authentication Proxy” window, press “Next”.
7. In the “End User License Agreement” window, accept the licence agreement and select “Next”.
8. In the “Destination Folder” window, change the destination folders if required and then press “Next”.
9. In the “VMware vCenter Server Information” window, enter the vCenter server “Name”, “HTTP Port”, “Username”, “Password” and then press “Next”.
10. Press “Yes” to the “SSL Certificate Trust” message.
11. In the “VMware vSphere Authentication Proxy Identification” window, select the vUM identity and then press “Next”.
12. In the “Ready to Install” window, press “Install”.
13. In the “Completing the Installation Wizard” window, press “Finish”.
14. Open the “IIS Manager” and select the “IP Address and Domain Restrictions” icon.  Press the “Add Allow Entry” and create an “Add Allow Restriction Rule” for the DHCP range being used by the ESXi hosts.
15. Open the vSphere Web Client, under Manage, open the Settings object for the reference host.  In the Authentication Services window, press the “Join Domain” button and enter the AD name under “Domain” and the IP Address of the Authentication Proxy under “Using proxy server”.  Press “OK” and the ESXi host will be added to the Active Directory Domain.