Merge pull request #261483 from Court72/public-move-116950

Public move 116950

Author: denrea

articles/azure-vmware/configure-external-identity-source-nsx-t.md

@@ -3,86 +3,118 @@ title: Configure external identity source for NSX-T Data Center
 description: Learn how to use the Azure VMware Solution to configure an external identity source for NSX-T Data Center.
 ms.topic: how-to
 ms.service: azure-vmware
-ms.date: 12/05/2023
+ms.date: 11/06/2023
 ms.custom: engagement-fy23
 
+
 ---
-# Configure external identity source for NSX-T Data Center
+# Configure an external identity source for NSX-T Data Center
+
+In this article, you will learn how to configure an external identity source for the NSX-T Data Center in an Azure VMware Solution. The NSX-T Data Center can be configured to use an external LDAP directory service to authenticate users, enabling a user to log in using their Active Directory account credentials, or those from a 3rd party LDAP server. The account can then be assigned an NSX-T Data Center Role, like you have with on-premises environments, to provide RBAC for each NSX-T user.
+
+![Screenshot showing NSX-T connectivity to the LDAP (Active Directory) server.](./media/nsxt/azure-vmware-solution-to-ldap-server.jpg)
 
-In this article, learn how to configure an external identity source for NSX-T Data Center in an Azure VMware Solution. The NSX-T Data Center can be configured with external LDAP directory service to add remote directory users or groups. The users can be assigned an NSX-T Data Center Role-based access control (RBAC) role like you have on-premises. 
 
 ## Prerequisites 
 
-- A working connectivity from your Active Directory network to your Azure VMware Solution private cloud. 
-- If you require Active Directory authentication with LDAPS:
-    - You need access to the Active Directory Domain Controller(s) with Administrator permissions. 
+-	A working connection from your Active Directory network to your Azure VMware Solution private cloud. </br>
+-	A network path from your Active Directory server to the management network of Azure VMware solution where NSX-T is deployed. </br>
+-	Best practice: Two domain controllers located in Azure in the same region as the Azure VMware Solution SDDC. </br>
+-	Active Directory Domain Controller(s) with a valid certificate. The certificate could be issued by an [Active Directory Certificate Services Certificate Authority (CA)](https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx) or a [third-party CA](/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority).
+
+
+>[!Note] 
+> Self-sign certificates are not recommended for production environments.
 
-    - Your Active Directory Domain Controller(s) must have LDAPS enabled with a valid certificate. The certificate is issued from [Active Directory Certificate Services Certificate Authority (CA)](https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx) or a [third-party CA](/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority).
-    >[!Note] 
-    > Self-sign certificates are not recommended for production environments.   
 
-- Ensure your Azure VMware Solution has DNS resolution configured to your on-premises AD. Enable DNS Forwarder from Azure portal. For more information, see [Configure NSX-T Data Center DNS for resolution to your Active Directory Domain and Configure DNS forwarder for Azure VMware Solution](configure-dns-azure-vmware-solution.md) .    
+-	An account with Administrator permissions</br>
+-	The Azure VMware Solution DNS zones and the DNS servers have been correctly deployed. See: [Configure NSX-T Data Center DNS for resolution to your Active Directory Domain and Configure DNS forwarder for Azure VMware Solution](configure-dns-azure-vmware-solution.md)</br>
+
+
 >[!NOTE] 
 > For more information about LDAPS and certificate issuance, see with your security or identity management team.
 
-## Add Active Directory as LDAPS identity source 
+</br>
+
+## Configure NSX-T to use Active Directory as LDAPS identity source 
+
+1. Sign-in to NSX-T Manager and navigate to System, User Management, LDAP and click on “ADD IDENTITY SOURCE”
+   
+![Screenshot of the NSX-T console.](./media/nsxt/configure-nsx-t-pic-1.png)
+
+
+2. Enter the Name, Domain Name (FQDN), the Type and base DN.  Optionally add a description.
+The base DN is the container where your user accounts are kept, it is the starting point that an LDAP server uses when searching for users for an authentication request.  For example CN=users,dc=azfta,dc=com.
+>[!NOTE] 
+> You can use more than one directory as an LDAP provider, i.e. with multiple AD domains when using AVS as a way to consolidate workloads.
+</br>
+
+![Screenshot of the NSX-T User Management console identity source add screen.](./media/nsxt/configure-nsx-t-pic-2.png)
+
 
-1. Sign-in to NSX-T Manager and Navigate to System > Users and Roles > LDAP. 
+3. Next,  click Set (!) as shown on the screenshot above, then click on "ADD LDAP SERVER" and fill in the following fields
 
-1. Select on the Add Identity Source. 
+   
+| Field                | Explanation|
+|----------------------|------------|
+| Hostname/IP          | This is the LDAP server’s FQDN or IP address. For example either azfta-dc01.azfta.com or 10.5.4.4|
+| LDAP Protocol        | Select LDAPS|
+| Port	Choose 636     | This is the default secure LDAP port.|
+| Enabled	             | Leave as ‘Yes’|
+| Use StartTLS	       | Only required if non-secured LDAP is being used.|
+| Bind Identity	       | Use your account with domain administrator permissions. For example  [email protected] |
+| Password	           | Enter the password for the LDAP server, this is the password for the example [email protected] account.|
+| Certificate          | Leave empty (see step 6)|
 
-1. Enter a name for the identity source. For example, avslab.local. 
 
-1. Enter a domain name. The name must correspond to the domain name of your Active Directory server, if using Active Directory. For example, `avslab.local`. 
 
-1. Select the type as Active Directory over LDAP, if using Active Directory. 
+![Screenshot of the Set LDAP Server configuration screen.](./media/nsxt/configure-nsx-t-pic-3.png)
 
-1. Enter the Base DN. Base DN is the starting point that an LDAP server uses when searching for user authentication within an Active Directory domain. For example: DC=avslab,DC=local. 
-   >[!NOTE]
-   > All of the user and group entries you intend to use to control access to NSX-T Data Center must be contained within the LDAP directory tree rooted at the specified Base DN. If the Base DN is set to something too specific, such as an Organizational Unit deeper in your LDAP tree, NSX may not be able to find the entries it needs to locate users and determine group membership. Selecting a broad Base DN is a best practice if you are unsure. 
 
-1. After filling in the required fields, you can select Set to configure LDAP servers. One LDAP server is supported for each domain.  
+4. The screen will update, click Click ADD, then APPLY
+   
+![Screenshot of the successful certificate retrieval details.](./media/nsxt/configure-nsx-t-pic-4.png)
+
+5. Back on the User Management screen, click "SAVE" to complete the changes.
+   
+6. To add a second domain controller, or another external identity provider, go back to step 1.
+
+>[!NOTE] 
+> Best practice is to have two domain controllers to act as LDAP servers.  You can also put the LDAP servers behind a load balancer.
 
-   | **Field** | **Value** |
-   | ----- | ----- |
-   |Hostname/IP | The hostname or IP address of your LDAP server.  For example, `dc.avslab.local.`| 
-   | LDAP Protocol | Select **LDAPS** (LDAP is unsecured). |
-   | Port | The default port is populated based on the selected protocol 636 for LDAPS and 389 for LDAP. If your LDAP server is running on a nonstandard port, you can edit this text box to give the port number. |
-   | Connection Status | After filling in the mandatory text boxes, including the LDAP server information, select **Connection Status** to test the connection. |
-   | Use StartTLS | If selected, the LDAPv3 StartTLS extension is used to upgrade the connection to use encryption. To determine if you should use this option, consult your LDAP server administrator. This option can only be used if LDAP protocol is selected. |
-   | Certificate  | If you're using LDAPS or LDAP + StartTLS, this text box should contain the PEM-encoded X.509 certificate of the server. If you leave this text box blank and select the **Check Status** link, NSX connects to the LDAP server. NSX retrieves the LDAP server's certificate, and prompts you if you want to trust that certificate. If you verified that the certificate is correct, select **OK**, and the certificate text box is populated with the retrieved certificate. |
-   |Bind Identity | The format is `user@domainName`, or you can specify the distinguished name. For Active Directory, you can use either the userPrincipalName (user@domainName) or the distinguished name. For OpenLDAP, you must supply a distinguished name. This text box is required unless your LDAP server supports anonymous bind, then it's optional. Consult your LDAP server administrator if you aren't sure.|
-   |Password |Enter a password for the LDAP server. This text box is required unless your LDAP server supports anonymous bind, then it's optional. Consult your LDAP server administrator.|
-1. Select **Add**. 
-       :::image type="content" source="./media/nsxt/set-ldap-server.png" alt-text="Screenshot showing how to set an LDAP server." border="true" lightbox="./media/nsxt/set-ldap-server.png":::
- 
-      
-1. Select **Save** to complete the changes.
-       :::image type="content" source="./media/nsxt/user-roles-ldap-server.png" alt-text="Screenshot showing user roles on an LDAP server." border="true" lightbox="./media/nsxt/user-roles-ldap-server.png":::
 
 ## Assign other NSX-T Data Center roles to Active Directory identities 
 
 After adding an external identity, you can assign NSX-T Data Center Roles to Active Directory security groups based on your organization's security controls. 
 
-1. Sign in to NSX-T Manager and navigate to **System** > **Users and Roles**.
-       
-1. Select **Add** > **Role Assignment for LDAP**.  
+1. Sign in to NSX-T Manager and navigate to System > Users Management > User Role Assignment and click Add
+
+![Screenshot of the NSX-T System, User Management screen.](./media/nsxt/configure-nsx-t-pic-5.png)
 
-     1. Select a domain. 
-     1. Enter the first few characters of the user's name, sign in ID, or a group name to search the LDAP directory, then select a user or group from the list that appears.
-     1. Select a role. 
-     1. Select **Save**.
-    :::image type="content" source="./media/nsxt/user-roles-ldap-review.png" alt-text="Screenshot showing how to review different roles on the LDAP server." border="true" lightbox="./media/nsxt/user-roles-ldap-review.png":::
+2. Select **Add** > **Role Assignment for LDAP**.  
 
-1. Verify the permission assignment is displayed under **Users and Roles**.
-:::image type="content" source="./media/nsxt/user-roles-ldap-verify.png" alt-text="Screenshot showing how to verify user roles on an LDAP server." border="true" lightbox="./media/nsxt/user-roles-ldap-verify.png":::
+    a.	Select the external identity provider-this will be the Identity provider selected in Step 3 in the previous section.  “NSX-T External Identity Provider”
 
-1. Users should now be able to sign in to NSX-T Manager using their Active Directory credentials. 
+    b.	Enter the first few characters of the user's name, sign in ID, or a group name to search the LDAP directory, then select a user or group from the list that appears.
+
+    c.	Select a role, in this case we are assigning FTAdmin the role of CloudAdmin
+
+    d.	Select Save.
+    
+![Screenshot of the NSX-T, System, User Management, ADD user screen.](./media/nsxt/configure-nsx-t-pic-6.png)
+
+
+
+3. Verify the permission assignment is displayed under **User Role Assignment**.
+   
+![Screenshot of the NSX-T User Management confirming user has been added.](./media/nsxt/configure-nsx-t-pic-7.png)
+
+
+4. Users should now be able to sign in to NSX-T Manager using their Active Directory credentials. 
 
 ## Next steps
 Now that you configured the external source, you can also learn about:
 
 - [Configure external identity source for vCenter Server](configure-identity-source-vcenter.md)
 - [Azure VMware Solution identity concepts](concepts-identity.md)
-- [VMware product documentation](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-DB5A44F1-6E1D-4E5C-8B50-D6161FFA5BD2.html)
-
+- [VMware product documentation](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-DB5A44F1-6E1D-4E5C-8B50-D6161FFA5BD2.html)