MicrosoftDocs
diff --git a/‎articles/azure-vmware/configure-external-identity-source-nsx-t.md
Lines changed: 60 additions & 72 deletions b/‎articles/azure-vmware/configure-external-identity-source-nsx-t.md
Lines changed: 60 additions & 72 deletions
@@ -1,120 +1,108 @@
 ---
-title: Configure external identity source for NSX-T Data Center
-description: Learn how to use the Azure VMware Solution to configure an external identity source for NSX-T Data Center.
+title: Set an external identity source for NSX-T Data Center
+description: Learn how to use Azure VMware Solution to set an external identity source for VMware NSX-T Data Center.
 ms.topic: how-to
 ms.service: azure-vmware
 ms.date: 11/06/2023
 ms.custom: engagement-fy23
-
-
 ---
-# Configure an external identity source for NSX-T Data Center
-
-In this article, you will learn how to configure an external identity source for the NSX-T Data Center in an Azure VMware Solution. The NSX-T Data Center can be configured to use an external LDAP directory service to authenticate users, enabling a user to log in using their Active Directory account credentials, or those from a 3rd party LDAP server. The account can then be assigned an NSX-T Data Center Role, like you have with on-premises environments, to provide RBAC for each NSX-T user.
-
-![Screenshot showing NSX-T connectivity to the LDAP (Active Directory) server.](./media/nsxt/azure-vmware-solution-to-ldap-server.jpg)
 
+# Set an external identity source for NSX-T Data Center
 
-## Prerequisites 
+In this article, learn how to set up an external identity source for VMware NSX-T Data Center in an instance of Azure VMware Solution.
 
--	A working connection from your Active Directory network to your Azure VMware Solution private cloud. </br>
--	A network path from your Active Directory server to the management network of Azure VMware solution where NSX-T is deployed. </br>
--	Best practice: Two domain controllers located in Azure in the same region as the Azure VMware Solution SDDC. </br>
--	Active Directory Domain Controller(s) with a valid certificate. The certificate could be issued by an [Active Directory Certificate Services Certificate Authority (CA)](https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx) or a [third-party CA](/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority).
+You can set up NSX-T Data Center to use an external Lightweight Directory Access Protocol (LDAP) directory service to authenticate users. A user can sign in by using their Windows Server Active Directory account credentials or credentials from a third-party LDAP server. Then, the account can be assigned an NSX-T Data Center role, like in an on-premises environment, to provide role-based access for NSX-T Data Center users.
 
+:::image type="content" source="media/nsxt/azure-vmware-solution-to-ldap-server.png" alt-text="Screenshot that shows NSX-T Data Center connectivity to the LDAP Windows Server Active Directory server.":::
 
->[!Note] 
-> Self-sign certificates are not recommended for production environments.
+## Prerequisites
 
-    
--	An account with Administrator permissions</br>
--	The Azure VMware Solution DNS zones and the DNS servers have been correctly deployed. See: [Configure NSX-T Data Center DNS for resolution to your Active Directory Domain and Configure DNS forwarder for Azure VMware Solution](configure-dns-azure-vmware-solution.md)</br>
+- A working connection from your Windows Server Active Directory network to your Azure VMware Solution private cloud.
+- A network path from your Windows Server Active Directory server to the management network of the instance of Azure VMware Solution in which NSX-T Data Center is deployed.
+- A Windows Server Active Directory domain controller that has a valid certificate. The certificate can be issued by a [Windows Server Active Directory Certificate Services Certificate Authority (CA)](https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx) or by a [third-party CA](/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority).
 
+   We recommend that you use two domain controllers that are located in the same Azure region as the Azure VMware Solution software-defined datacenter.
 
->[!NOTE] 
-> For more information about LDAPS and certificate issuance, see with your security or identity management team.
+   > [!NOTE]
+   > Self-signed certificates are not recommended for production environments.
 
-</br>
+- An account that has Administrator permissions.
+- Azure VMware Solution DNS zones and DNS servers that are correctly configured. For more information, see [Configure NSX-T Data Center DNS for resolution to your Windows Server Active Directory domain and set up DNS forwarder](configure-dns-azure-vmware-solution.md).
 
-## Configure NSX-T to use Active Directory as LDAPS identity source 
+> [!NOTE]
+> For more information about Secure LDAP (LDAPS) and certificate issuance, contact your security team or your identity management team.
 
-1. Sign-in to NSX-T Manager and navigate to System, User Management, LDAP and click on “ADD IDENTITY SOURCE”
-   
-![Screenshot of the NSX-T console.](./media/nsxt/configure-nsx-t-pic-1.png)
+## Use Windows Server Active Directory as an LDAPS identity source
 
+1. Sign in to NSX Manager, and then go to **System** > **User Management** > **LDAP** > **Add Identity Source**.
 
-2. Enter the Name, Domain Name (FQDN), the Type and base DN.  Optionally add a description.
-The base DN is the container where your user accounts are kept, it is the starting point that an LDAP server uses when searching for users for an authentication request.  For example CN=users,dc=azfta,dc=com.
->[!NOTE] 
-> You can use more than one directory as an LDAP provider, i.e. with multiple AD domains when using AVS as a way to consolidate workloads.
-</br>
+   :::image type="content" source="media/nsxt/configure-nsx-t-pic-1.png" alt-text="Screenshot that shows NSX Manager with the options highlighted.":::
 
-![Screenshot of the NSX-T User Management console identity source add screen.](./media/nsxt/configure-nsx-t-pic-2.png)
+1. Enter values for **Name**, **Domain Name (FQDN)**, **Type**, and **Base DN**.  You can add a description (optional).
 
+   The base DN is the container where your user accounts are kept. The base DN is the starting point that an LDAP server uses when it searches for users in an authentication request. For example, **CN=users,dc=azfta,dc=com**.
 
-3. Next,  click Set (!) as shown on the screenshot above, then click on "ADD LDAP SERVER" and fill in the following fields
+   > [!NOTE]
+   > You can use more than one directory as an LDAP provider. An example is if you have multiple Windows Server Azure Directory domains, and you use Azure VMware Solution as a way to consolidate workloads.
 
-   
-| Field                | Explanation|
-|----------------------|------------|
-| Hostname/IP          | This is the LDAP server’s FQDN or IP address. For example either azfta-dc01.azfta.com or 10.5.4.4|
-| LDAP Protocol        | Select LDAPS|
-| Port	Choose 636     | This is the default secure LDAP port.|
-| Enabled	             | Leave as ‘Yes’|
-| Use StartTLS	       | Only required if non-secured LDAP is being used.|
-| Bind Identity	       | Use your account with domain administrator permissions. For example  [email protected] |
-| Password	           | Enter the password for the LDAP server, this is the password for the example [email protected] account.|
-| Certificate          | Leave empty (see step 6)|
+   :::image type="content" source="media/nsxt/configure-nsx-t-pic-2.png" alt-text="Screenshot that shows the User Management Add Identity Source page in NSX Manager." lightbox="media/nsxt/configure-nsx-t-pic-2.png":::
 
+1. Next, under **LDAP Servers**, select **Set** as shown in the preceding screenshot.
 
+1. On **Set LDAP Server**, select **Add LDAP Server**, and then enter or select values for the following items:
 
-![Screenshot of the Set LDAP Server configuration screen.](./media/nsxt/configure-nsx-t-pic-3.png)
+    | Name                | Action |
+    |----------------------|------------|
+    | **Hostname/IP**          | Enter the LDAP server’s FQDN or IP address. For example, **azfta-dc01.azfta.com** or **10.5.4.4**. |
+    | **LDAP Protocol**        | Select **LDAPS**. |
+    | **Port**     | Leave the default secure LDAP port. |
+    | **Enabled**              | Leave as **Yes**. |
+    | **Use Start TLS**        | Required only if you use standard (unsecured) LDAP. |
+    | **Bind Identity**        | Use your account that has domain Administrator permissions. For example, `<[email protected]>`. |
+    | **Password**            | Enter the password for the LDAP server. This password is the one that you use with the example `<[email protected]>` account. |
+    | **Certificate**          | Leave empty (see step 6). |
 
+   :::image type="content" source="media/nsxt/configure-nsx-t-pic-3.png" alt-text="Screenshot that shows the Set LDAP Server page to add an LDAP server.":::
 
-4. The screen will update, click Click ADD, then APPLY
-   
-![Screenshot of the successful certificate retrieval details.](./media/nsxt/configure-nsx-t-pic-4.png)
+1. After the page updates and displays a connection status, select **Add**, and then select **Apply**.
 
-5. Back on the User Management screen, click "SAVE" to complete the changes.
-   
-6. To add a second domain controller, or another external identity provider, go back to step 1.
+   :::image type="content" source="media/nsxt/configure-nsx-t-pic-4.png" alt-text="Screenshot that shows details of a successful certificate retrieval.":::
 
->[!NOTE] 
-> Best practice is to have two domain controllers to act as LDAP servers.  You can also put the LDAP servers behind a load balancer.
+1. On **User Management**, select **Save** to complete the changes.
 
+1. To add a second domain controller or another external identity provider, return to step 1.
 
-## Assign other NSX-T Data Center roles to Active Directory identities 
+> [!NOTE]
+> A recommended practice is to have two domain controllers to act as LDAP servers. You can also put the LDAP servers behind a load balancer.
 
-After adding an external identity, you can assign NSX-T Data Center Roles to Active Directory security groups based on your organization's security controls. 
+## Assign roles to Windows Server Active Directory identities
 
-1. Sign in to NSX-T Manager and navigate to System > Users Management > User Role Assignment and click Add
+After you add an external identity, you can assign NSX-T Data Center roles to Windows Server Active Directory security groups based on your organization's security controls.
 
-![Screenshot of the NSX-T System, User Management screen.](./media/nsxt/configure-nsx-t-pic-5.png)
+1. In NSX Manager, go to **System** > **User Management** > **User Role Assignment** > **Add**.
 
-2. Select **Add** > **Role Assignment for LDAP**.  
+   :::image type="content" source="media/nsxt/configure-nsx-t-pic-5.png" alt-text="Screenshot that shows the User Management page in NSX Manager." lightbox="media/nsxt/configure-nsx-t-pic-5.png":::
 
-    a.	Select the external identity provider-this will be the Identity provider selected in Step 3 in the previous section.  “NSX-T External Identity Provider”
+1. Select **Add** > **Role Assignment for LDAP**.  
 
-    b.	Enter the first few characters of the user's name, sign in ID, or a group name to search the LDAP directory, then select a user or group from the list that appears.
+   1. Select the external identity provider that you selected in step 3 in the preceding section. For example, **NSX-T External Identity Provider**.
 
-    c.	Select a role, in this case we are assigning FTAdmin the role of CloudAdmin
+   1. Enter the first few characters of the user's name, the user's sign-in ID, or a group name to search the LDAP directory. Then select a user or group from the list of results.
 
-    d.	Select Save.
-    
-![Screenshot of the NSX-T, System, User Management, ADD user screen.](./media/nsxt/configure-nsx-t-pic-6.png)
+   1. Select a role. In this example, assign the FTAdmin user the CloudAdmin role.
 
+   1. Select **Save**.
 
+   :::image type="content" source="media/nsxt/configure-nsx-t-pic-6.png" alt-text="Screenshot that shows the Add User page in NSX Manager." lightbox="media/nsxt/configure-nsx-t-pic-6.png":::
 
-3. Verify the permission assignment is displayed under **User Role Assignment**.
-   
-![Screenshot of the NSX-T User Management confirming user has been added.](./media/nsxt/configure-nsx-t-pic-7.png)
+1. Under **User Role Assignment**, verify that the permissions assignment appears.
 
+   :::image type="content" source="media/nsxt/configure-nsx-t-pic-7.png" alt-text="Screenshot that shows the User Management page confirming that the user was added." lightbox="media/nsxt/configure-nsx-t-pic-7.png":::
 
-4. Users should now be able to sign in to NSX-T Manager using their Active Directory credentials. 
+Your users should now be able to sign in to NSX Manager by using their Windows Server Active Directory credentials.
 
-## Next steps
-Now that you configured the external source, you can also learn about:
+## Related content
 
-- [Configure external identity source for vCenter Server](configure-identity-source-vcenter.md)
 - [Azure VMware Solution identity concepts](concepts-identity.md)
-- [VMware product documentation](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-DB5A44F1-6E1D-4E5C-8B50-D6161FFA5BD2.html)
+- [Set an external identity source for vCenter Server](configure-identity-source-vcenter.md)
+- [VMware product documentation](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-DB5A44F1-6E1D-4E5C-8B50-D6161FFA5BD2.html)