In vCSA 6.0 the way we connect the AD is changed when compare to the older version. To join the AD in 6.0 VMware included the Infrastructure node configuration which is part of the Platform Service controller.
When we have more that one PSC in the Load Balacer configuration then we have to configure the AD in all the PSC so that if active PSC is down still we can login to the other PSC.
Before configuring the AD make sure the Time Synchronization and naming is correct between the PSC and AD.
Login to the Web-Client with SSO Username and Password.
Navigate to Administration – Deployment – System Configuration.
Select the Platform Service Controller and go to Manage –
Once the authentication is provided then make sure to reboot the PSC and when booted we can see the AD configuration.
Make the same changes to the other PSC node also and in case if we are having issue on adding AD to the PSC and getting the below error then we need to activate the agent directly by login in to the PSC.
Login to the PSC SSH : /opt/likewise/bin/domainjoin-cli join domain username
Provide the AD password to join the domain.
Once it shows SUCCESS then reboot the PSC node.
Note it wont show the domain in GUI AD option like other PSC but still it is authenticated with the AD domain.
Another way to add the Domain is to by login to the Https://FQDNPSC/PSC
Provide the firstname.lastname@example.org \ password
Go to the Appliance Settings.
Add Active Directory.
After the AD configuration is completed in PSC , Go to the Single Sign-On – Configuration – Identity Sources.
Click on Add symbol +
Before adding the AD Domain in PSC it will show the below message .
Select the first option Active Directory ( Integrated Windows Authentication ) and in the Domain Name we can see the AD Domain which we added in the PSC.
Next we have to add the appropriate AD Groups and the Users to the roles we want to access the VC.
Go to Global Permissions.
Select the AD Domain.
Search the User or Group
Also if you want to login directly with your domain user without adding the domainname in the username credentials , make the domain as default so it will allow directly AD user without domain name.
Once user is added then try to login in to the webclient using the AD user.