Building Hybrid Cloud on Nutanix CE – Part V


In this fifth part of the Hybrid Cloud blog post series we're going to replace the self-signed Nutanix cluster certificate and enable Active Directory logon. We're also going to set up Windows Admin Center and the Admin Portal.

Security should be on everybody's mind these days, and friends don't let friends use self-signed certificates! Wildcard certificates are not a perfect solution: the same private key ends up on every host that serves the name, so compromising any one of them (a CVM, vCenter, the WAC server) exposes the certificate for the whole domain. They are, however, very easy to set up, use and deploy, and a lot more secure than the out-of-the-box self-signed certificates, whose browser warnings users quickly learn to click through.


If you used my Automation Framework Community Edition for the Domain Controller setup, you automatically got PKI installed and a wildcard certificate created and exported to the various file formats. If you didn't, you can download the scripts from my GitHub repo (remember to edit the ssl.ini file).

Before we continue I'm going to configure my Nutanix cluster to use the wildcard certificate and enable Active Directory integration for logon.

Head over to your Nutanix cluster (Prism) and click the Gear – SSL Settings – Replace Certificate.

Select Import Key and Certificate.

Browse to the private key and the certificate; Prism expects the key, the certificate and the CA chain as PEM files. The internal domain CA certificate chain has to be exported manually, through MMC – Certificates – Trusted Root Certification Authorities (export the root CA certificate as Base-64 encoded X.509, which is PEM).

After you've imported the files, Prism serves HTTPS with the CA-signed certificate instead of the self-signed one. Verify it by browsing to the cluster VIP and checking that the issuer is your domain CA and that the browser no longer warns.

To test that LDAPS works in your domain, start ldp.exe on a Domain Controller and choose Connection – Connect. Set the port to 636 and tick SSL. A plain bind on port 389 would send the service account password in the clear, which is why we insist on LDAPS for the Prism integration.

Click OK. The following shows a successful test.
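The same check ldp.exe performs, as an added example that is not part of the original post, written so it can run unattended from a script or monitoring host. It assumes a Domain Controller at dc01.corp.example (placeholder; the name must match the certificate's SAN) and prompts for a test account, ideally the service account Prism will use.

```powershell
# Added example, not from the original post: verify LDAPS on a Domain Controller.
# Placeholder: dc01.corp.example is your DC's FQDN and must match the cert's SAN.
param(
    [string]$DomainController = 'dc01.corp.example',
    [int]$Port = 636
)

# Step 1: TLS handshake only. AuthenticateAsClient validates the chain against this
# machine's trusted roots and checks the hostname, so an untrusted or wrong-name
# certificate throws here before any LDAP traffic is sent.
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    $sanText = if ($san) { $san.Format($false) } else { '(none)' }
    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        SAN      = $sanText
        Protocol = $ssl.SslProtocol
    } | Format-List
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'DC certificate expires within 30 days' }
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# Step 2: a real LDAP simple bind over TLS, which is exactly what Prism does with the
# service account. Simple bind sends the password inside the TLS tunnel, so never use 389.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -Message 'Account for the LDAPS bind test (DOMAIN\user or UPN)'
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, $Port, $true, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion  = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $cred.GetNetworkCredential()
try {
    $conn.Bind()   # throws LdapException (ErrorCode 49 = invalid credentials) on failure
    "LDAPS bind to ${DomainController}:${Port} as $($cred.UserName) succeeded"
}
catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Error "LDAPS bind failed: $($_.Exception.Message) (ErrorCode $($_.Exception.ErrorCode))"
}
finally { $conn.Dispose() }
```

Step 1 fails on the same things Prism will fail on: a DC certificate issued by a CA the client doesn't trust, or one whose SAN doesn't contain the name you typed into the LDAP URL. Step 2 catches a wrong password or a disabled account before you save the settings in Prism.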

Next up is Active Directory integration. Select Gear – Authentication and fill in your LDAP details. Use LDAPS (ldaps://<dc-fqdn>:636) and a dedicated service account with a long, random password set to never expire; Prism stores that password and will not rotate it for you, so put it in your vault and rotate it by hand. The account only needs to bind and read the directory, so keep it out of Domain Admins and any other privileged group.

When you click Save you'll also need to create a Role Mapping: map an AD group (rather than individual users) to a Prism role such as Cluster Admin or Viewer.

Finally, test logging in with an Active Directory account.
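Creating the bind account the way the steps above call for, as an added example that is not from the original post. It assumes an OU named OU=ServiceAccounts,DC=corp,DC=example and the account name svc-nutanix-ldap (both placeholders), and it generates the password with a cryptographic RNG rather than Get-Random.

```powershell
# Added example, not from the original post: create the least-privilege account Prism
# binds with over LDAPS. Placeholders: svc-nutanix-ldap, OU=ServiceAccounts, corp.example.
Import-Module ActiveDirectory

$SamAccountName = 'svc-nutanix-ldap'
$Path           = 'OU=ServiceAccounts,DC=corp,DC=example'
$Upn            = "$SamAccountName@corp.example"

# Long random password from a CSPRNG. Rejection sampling avoids the modulo bias you get
# from "byte % charset length" when 256 is not a multiple of the charset size.
function New-RandomPassword {
    param([int]$Length = 32)
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)
    $sb    = New-Object System.Text.StringBuilder
    $buf   = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

$plain  = New-RandomPassword
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# Never expires because Prism cannot rotate it; CannotChangePassword so nothing but an
# admin can alter it. No group memberships beyond the default Domain Users.
New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -UserPrincipalName $Upn `
    -Path $Path -AccountPassword $secure -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'LDAPS bind account for Nutanix Prism (read-only directory access)'

# Verify the account looks the way we intend before handing the password to Prism.
$acct = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires, MemberOf
if (-not $acct.PasswordNeverExpires) { Write-Warning 'PasswordNeverExpires is not set' }
if ($acct.MemberOf.Count -gt 0)     { Write-Warning "Account is a member of: $($acct.MemberOf -join '; ')" }

"Password for $SamAccountName (paste into Prism > Authentication, then store it in your vault):"
$plain
```

Prism needs nothing more than a successful bind and read access to look up users and groups, which every domain account has by default; an account with extra rights only raises the blast radius if the cluster's configuration is ever read out.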

I also did the same for my VMware cluster using the instructions in this post: How to replace default vCenter VMCA certificate with Microsoft CA signed certificate.

For Windows Admin Center I'm using a Windows Server 2019 Server Core VM with 1 vCPU and 1 GB of memory. The first step is to install the wildcard domain certificate (the PFX, since WAC needs the private key) into the Local Machine Personal store.

Then download Windows Admin Center and run the setup. We're going to use port 443 and our wildcard certificate; the installer asks for the certificate thumbprint, which you'll find in the wildcard.txt file (or by listing Cert:\LocalMachine\My).
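The certificate import and the WAC setup as one unattended script, as an added example that is not from the original post. It assumes the PFX at C:\certs\wildcard.pfx and the installer at C:\install\WindowsAdminCenter.msi (both placeholders); the MSI properties SME_PORT, SME_THUMBPRINT and SSL_CERTIFICATE_OPTION are the ones Microsoft documents for the WAC installer.

```powershell
# Added example, not from the original post: import the wildcard PFX, install WAC on 443
# with that certificate, and verify the HTTP.sys binding actually uses it.
# Placeholders: C:\certs\wildcard.pfx, C:\install\WindowsAdminCenter.msi.
$PfxPath = 'C:\certs\wildcard.pfx'
$MsiPath = 'C:\install\WindowsAdminCenter.msi'
$Port    = 443

$pfxPassword = Read-Host -AsSecureString 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Sanity checks before pointing WAC at the certificate.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key; WAC cannot use it' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }
"Thumbprint (compare with wildcard.txt): $($cert.Thumbprint)"

# Unattended install. SSL_CERTIFICATE_OPTION=installed tells the installer to use the
# certificate already in LocalMachine\My instead of generating a self-signed one.
$msiArgs = @(
    '/i', "`"$MsiPath`"", '/qn', '/L*v', 'C:\install\wac-install.log',
    "SME_PORT=$Port",
    "SME_THUMBPRINT=$($cert.Thumbprint)",
    'SSL_CERTIFICATE_OPTION=installed'
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with $($proc.ExitCode); see C:\install\wac-install.log" }

# Verify: WAC registers its certificate with HTTP.sys, so the bound hash must be ours.
$binding = netsh http show sslcert ipport=0.0.0.0:$Port
$m = $binding | Select-String -Pattern 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)'
if (-not $m) { throw "No HTTP.sys SSL binding on 0.0.0.0:$Port; run 'netsh http show sslcert' to inspect" }
$boundHash = $m.Matches[0].Groups[1].Value
if ($boundHash -ne $cert.Thumbprint) { throw "Port $Port is bound to $boundHash, expected $($cert.Thumbprint)" }

Get-NetTCPConnection -LocalPort $Port -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
"Windows Admin Center is serving the wildcard certificate on port $Port"
```

The binding check is the one worth keeping: if the thumbprint you typed is wrong, the installer silently falls back to a self-signed certificate, which is exactly what this part of the series is trying to get rid of.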

To enable Single Sign-On you need to add the WAC server to the Local intranet zone, because the browser only sends your Windows credentials automatically to sites in that zone. You should use Group Policy for this. Go to User Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page – Site to Zone Assignment List.

Click Add and enter the gateway's FQDN with the zone value 1 (Local intranet).

When adding servers in WAC and searching Active Directory, you can use a wildcard.

To complete Single Sign-On we need to enable Kerberos constrained delegation so the gateway can forward your identity to the managed servers. Run the following PowerShell code on the WAC server (it needs the RSAT Active Directory module) to automate this. Make sure to edit line 3 to reflect your domain.
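The author's script is not reproduced on this page. What follows is an added example that is not the author's code; it covers both Single Sign-On prerequisites from the two steps above, checking that the gateway is in the Local intranet zone (reading the registry key the Site to Zone Assignment List policy writes) and enabling resource-based constrained delegation from the managed servers to the gateway. It assumes a gateway computer account WAC01 (wac01.corp.example) and managed servers under OU=Servers,DC=corp,DC=example, all placeholders.

```powershell
# Added example, not the author's script: SSO prerequisites for Windows Admin Center.
# Run as a domain admin on the WAC server with the RSAT ActiveDirectory module installed.
# Placeholders: WAC01 / wac01.corp.example, OU=Servers,DC=corp,DC=example.
Import-Module ActiveDirectory

$GatewayName = 'WAC01'
$GatewayFqdn = 'wac01.corp.example'
$SearchBase  = 'OU=Servers,DC=corp,DC=example'   # edit to your domain / OU

# 1. Zone check for the current user profile. The "Site to Zone Assignment List" policy
#    under User Configuration writes ZoneMapKey under HKCU; value 1 = Local intranet.
#    Without it the browser never sends the Kerberos ticket and WAC prompts for credentials.
$zoneKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$props = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
$zone  = @($props.$GatewayFqdn, $props."https://$GatewayFqdn") | Where-Object { $_ } | Select-Object -First 1
if ($zone -eq '1') { "$GatewayFqdn is mapped to the Local intranet zone" }
else { Write-Warning "$GatewayFqdn is not in the Local intranet zone for this profile; run gpupdate or fix the GPO" }

# 2. Resource-based constrained delegation: each managed node records which principals
#    may act on its behalf (msDS-AllowedToActOnBehalfOfOtherIdentity). Scope it to the
#    servers WAC manages, never the whole domain, and skip the gateway itself.
$gateway = Get-ADComputer -Identity $GatewayName
$nodes   = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -SearchBase $SearchBase `
               -Properties PrincipalsAllowedToDelegateToAccount |
           Where-Object { $_.Name -ne $GatewayName }

foreach ($node in $nodes) {
    $current = @($node.PrincipalsAllowedToDelegateToAccount)   # DNs already trusted by this node
    if ($current -contains $gateway.DistinguishedName) {
        "$($node.Name): already allows delegation from $GatewayName"
        continue
    }
    # Set-ADComputer replaces the whole list, so carry existing principals (e.g. a second gateway) along.
    $principals = @($current) + $gateway.DistinguishedName
    Set-ADComputer -Identity $node -PrincipalsAllowedToDelegateToAccount $principals
    "$($node.Name): delegation from $GatewayName enabled"
}

# 3. Verify from the directory rather than trusting the loop above.
Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -SearchBase $SearchBase `
        -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, @{ n = 'AllowedToDelegate'; e = { $_.PrincipalsAllowedToDelegateToAccount -join '; ' } }
```

Resource-based delegation is configured on the target (each managed server), not on the gateway, which is why the script loops over the nodes. Keep the SearchBase tight: every computer you add here is one the gateway can impersonate any connecting admin to.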

During the import of the wildcard certificate we also set up a basic IIS server. With port 80 free on the WAC server (WAC itself listens on 443), this is the perfect place for the Admin Portal, because it is just a page of favourites. The code can be downloaded here.


Place the code in C:\inetpub\wwwroot and run the following command.

Make sure to delete Default.htm and iisstart.htm so that index.html is loaded by default. And that's it. In Part 6 we're going to set up a backup solution.
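The deployment of the portal files as a script, as an added example that is not the author's command (which is not reproduced on this page). It assumes the downloaded portal code is staged in C:\install\admin-portal (placeholder), and instead of relying only on deleting the IIS placeholder pages it also pins index.html as the first default document.

```powershell
# Added example, not from the original post: publish the Admin Portal on the IIS
# Default Web Site (port 80) and make index.html the default document.
# Placeholder: portal files staged in C:\install\admin-portal.
Import-Module WebAdministration

$Source = 'C:\install\admin-portal'
$Root   = 'C:\inetpub\wwwroot'
$Site   = 'IIS:\Sites\Default Web Site'

Copy-Item -Path (Join-Path $Source '*') -Destination $Root -Recurse -Force

# Remove the IIS placeholder pages so they cannot shadow index.html.
foreach ($f in 'Default.htm', 'iisstart.htm', 'iisstart.png') {
    Remove-Item -Path (Join-Path $Root $f) -ErrorAction SilentlyContinue
}

# Belt and braces: put index.html first in the default document list, so the portal
# loads even if a future IIS update drops the placeholder files back in.
$filter = 'system.webServer/defaultDocument/files'
Remove-WebConfigurationProperty -PSPath $Site -Filter $filter -Name '.' -AtElement @{ value = 'index.html' } -ErrorAction SilentlyContinue
Add-WebConfigurationProperty    -PSPath $Site -Filter $filter -Name '.' -Value @{ value = 'index.html' } -AtIndex 0

# Verify: the site must answer with our page, not the IIS welcome page.
$fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName.ToLower()
$resp = Invoke-WebRequest -Uri "http://$fqdn/" -UseBasicParsing
if ($resp.StatusCode -ne 200 -or $resp.Content -match 'iisstart') { throw 'IIS is still serving the default page' }
"Admin Portal is live at http://$fqdn/"
```

The portal is served over plain HTTP because WAC already owns port 443 on this host; that is acceptable only because the page holds nothing but links to the HTTPS consoles, so treat it as a bookmark page and never add credentials or tokens to it.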

