Can you add domain accounts to the exception user list for normal lockdown mode? I tried using DOMAIN\user as well as user@domain.com but neither work. Local accounts work just fine.
Hey,
Take a look at the next blog post, which explains not only the steps that need to be done with the users but also the vCenter permissions, etc.: vSphere 6.0 Lockdown Mode Exception Users - VMware vSphere Blog
I think there you will find your solution.
Yes, you can!
First you need to add host to active directory: Using Active Directory to Manage ESXi Users and Add a Host to a Directory Service Domain
Next you need to add AD users to exception users: Specify Lockdown Mode Exception Users
Hope it works for you!
I tried that, but I wasn't able to log into the VMHost (https://vmhost/ui). I tried using DOMAIN\username and username@domain.com, but neither worked. It only allowed UI logins with a local account created on the VMHost.
Hi, sorry to hear that.
Did you follow the steps described in this video? DOMAIN JOIN STEPS FOR ESXI 6.7 - YouTube
Yes, the VMHost is joined to the domain. With lockdown mode disabled, I can SSH into the VMHost using domain credentials. I can also log into the UI with lockdown mode disabled. I just can't get logins to work with Normal Lockdown Mode enabled, even with the domain account added to the Exception Users list. The user in question has full administrator permissions assigned through vCenter, propagated down to the VMHost.
Ok, that's a strange behaviour.
Can you take a look at /var/log/auth.log and /var/log/shell.log?
There are no log entries for the failed login attempt through https://vmhost/ui, in both auth.log and shell.log.
I'll open up a ticket with VMware on this one.
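As an added example (not code from the thread or from VMware), the following PowerCLI script pulls together the checks discussed above in one place: whether the host is actually domain-joined, which lockdown mode is active, which principals are on the host's exception user list, and which principals have an entry in the host's own access control list. It assumes an existing Connect-VIServer session to the vCenter that manages the host; `$HostName` and `$DomainUser` are placeholders to replace. Without `-Apply` it only reports.

```powershell
# Added example, not from the thread: audit (and optionally adjust) an ESXi host's
# lockdown-mode exception configuration for a domain account, using PowerCLI.
# Assumes an existing Connect-VIServer session to the vCenter managing the host.
# $HostName and $DomainUser are placeholders; replace them with your own values.
param(
    [string]$HostName   = 'esxi01.example.com',  # placeholder host name
    [string]$DomainUser = 'EXAMPLE\svc-admin',   # placeholder DOMAIN\user principal
    [switch]$Apply                               # without -Apply the script only reports
)

$vmhost    = Get-VMHost -Name $HostName -ErrorAction Stop
$hostView  = Get-View -Id $vmhost.Id -Property ConfigManager
$accessMgr = Get-View -Id $hostView.ConfigManager.HostAccessManager

# 1. Domain join status: a domain principal can only be resolved if the host is in AD.
$auth = Get-VMHostAuthentication -VMHost $vmhost
Write-Host ("Domain: {0}  Membership: {1}" -f $auth.Domain, $auth.DomainMembershipStatus)

# 2. Current lockdown mode (lockdownDisabled / lockdownNormal / lockdownStrict).
Write-Host ("Lockdown mode: {0}" -f $accessMgr.LockdownMode)

# 3. Exception user list exactly as the host stores it (spelling and format matter).
$exceptions  = @($accessMgr.QueryLockdownExceptions())
Write-Host ("Exception users: {0}" -f ($exceptions -join ', '))
$isException = $exceptions -contains $DomainUser

# 4. Host-local access control entries (principal -> access mode). A permission
#    propagated from vCenter and the host's own ACL are separate objects, so this
#    is where a mismatch between the two would become visible.
$acl = @($accessMgr.RetrieveHostAccessControlEntries())
$acl | ForEach-Object {
    Write-Host ("  ACL: {0} (group={1}) -> {2}" -f $_.Principal, $_.Group, $_.AccessMode)
}
$entry = $acl | Where-Object { $_.Principal -eq $DomainUser -and -not $_.Group }
$mode  = if ($entry) { $entry.AccessMode } else { 'none' }
Write-Host ("{0}: in exception list = {1}; host ACL entry = {2}" -f $DomainUser, $isException, $mode)

if ($Apply) {
    # UpdateLockdownExceptions replaces the entire list, so always merge with the
    # existing entries instead of passing just the new account.
    if (-not $isException) {
        $accessMgr.UpdateLockdownExceptions(@($exceptions + $DomainUser))
    }
    # Give the account Administrator access on the host itself.
    if (-not $entry -or $entry.AccessMode -ne 'accessAdmin') {
        $accessMgr.ChangeAccessMode($DomainUser, $false, 'accessAdmin')
    }
}
```

Run it first without `-Apply` and compare the reported exception list and ACL entries against what you expect; the merge in the `-Apply` branch matters because `UpdateLockdownExceptions` overwrites the whole list, and passing a single name would silently drop every other exception user on the host.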