VMware vSphere

Greetings,

    I have been trying to implement the Guest User Mappings. The VM has VM Tools installed (10338 (10.3.2)). Below is my understanding:

there is SSO user administrator@vsphere.local with password password.

I enable Guest user mapping given the Guest OS username and password and assigned a SSO i.e administrator@vsphere.local with username administrator in Guest User Mapping but somehow it's not working.

PFA: Screenshot.

But how can I use Guest User Mapping. In the end, I wind up giving Guest OS credentials in the Remote Console.

Also I need to use Guest User Mapping for vRealize Operations Manager with Service Discovery Management Pack.

Unless your guest is part of a domain called "vsphere.local" and has a principle called "administrator", those credentials won't work. That's why it's called ​guest​ mapping. They're credentials that work inside the guest.

Ok. So the SSO is basically the domain account. For example:

Guest SSO will have muneeb.ali@domain.local and the username will be administrator (as this should be the Guest OS). After this correct configuration, how can the Guest SSO login the Guest OS using Guest User Mapping?

It's a mapping of one credential (on the vSphere side) to another credential (inside the guest). So you can use administrator@vsphere.local to map that to DOMAIN\user inside the guest. This means that in order to have DOMAIN\user be the effective guest-based credential requires you login as administrator@vsphere.local. This is also covered in the official documentation if you use search.

EXCUSE ME!

I have the exact same question as this post's title... (monty python fans will understand this)

i've not g o o g l e d anything on this topic...

anyone want to throw a practical example of the use of this within vm???

Hi,

Please check this document, if it helps --> https://marketplace.vmware.com/resources/9e418d7555ee11e78024005056a107c6/doc/93a4ceae2938426db48cc83bb695f6c3/vRealize%…

Page 11

I'm sorry to dig up such an old thread. But I'm currently strugling to understand the big picture on how this is working, and how you have to implement such feature.

I tried to read as much on the internet, on vmware forums and dev documentation but I'm still missing when this feature is configured how you interract with it.

The provided link from  isn't working anymore, and searching the forum doesn't provide further help.

Thanks for the help provided

Here's latest link to documentation on vSphere Guest Mapping https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-vm-administration/GUID-A38D2EEE-86B3-4440-9617-74065DD7D074.html

As the document states along with others, this is simply a feature that allows organization to create a "mapping" between an OS level user with certain privileges to a vCenter-based SSO user (does NOT have to be administrator but could be any account that exists in vCenter SSO system) and once this mapping is setup, the VI Admin can use the mapped account to login to a guest to perform certain operations. For example, you may not want to provide the actual OS admin password but for things like updating VMware Tools, you would need OS administrative account and this simply reduces the need to grant your VI Admin team individual OS level access and by doing this mapping, it allows them to use shared accounts to perform operations within the guest and it is limited to privileges of that account you had provided. If you provide read-only, then when VI Admin logins with mapped account, they'll only have read-only ... so there's number of use cases this could enable based on your organization needs

Thanks for the fast reply

I got the big picture now, the last two things I'm not really sure are about :

-  From the documentation : "You must configure VMs to accept X.509 certificates. X.509 certificates allow the vSphere administrators in your data center to use SAML tokens issued by single sign-on service to access guest OSs.". Which is quite unclear in how you achieve this.

- When all the prerequisites are met, the VI Admin only has to provide his SSO logon on the guest (through SSH for linux) and he shall get granted access with the privileges configured ? Or is it only through vCenter API ?

Thanks again

1. As part of setting up the Guest User Mapping, the VM is explicitly accepting x509. Its not an additional step. You can also get more details for how this all works in vSphere API which powers Guest User Mapping feature

https://vdc-repo.vmware.com/vmwb-repository/dcr-public/fe08899f-1eec-4d8d-b3bc-a6664c168c2c/7fdf97a1-4c0d-4be0-9d43-2ceebbc174d9/doc/vim.vm.guest.AliasManager.html

2. Guest User Mapping feature is used as part of vSphere Guest Operations (E.g. performing operations within the VM via vSphere API). It is not about logging into vSphere UI, this is purely for Automation type of operations whether you're using vSphere API to invoke Guest operations https://williamlam.com/2011/07/automating-new-integrated-vixguest.html or doing so with Invoke-VMScript PowerCLI cmdlet which uses these same APIs

So unless you have use cases for (2), you should NOT be setting up Guest User Mapping

I'm having problems with the guest user mappings (GUM) feature on vcenter 7.0 U3. I want to enable GUM for VM Kali linux 2022.3:
- vcenter has detected the running status of open vmware tool
- VM Kali confirmed that firewall and SELinux were turned off

The problem that occurs when configuring GUM for VM Kali is that I cannot use the VM's administrator account information to log in to the guest OS account, even using the root account is still not possible. Error message " A general system error occurred: vix error codes = (1, 0).

For VMs using OS Windows and Ubuntu, the above error is not encountered.
Please give specific instructions to resolve this issue