Enterprise manager plugin account

[matteu]

Hello,

I try to understand exactly how the pluggin work for authentication but I'm probably wrong.

If I give portal administrator permission to a domain account and I use this domain account on vcenter, it's working.
If I create vcenter SSO domain account and I add it as external user on my VBEM webportal with portal administrator, it's not working when I click on TEST button on the vcenter.

What am I doing wrong ?

I try to do the same than this : https://www.youtube.com/watch?v=aumdkcJFwXE

[HannesK]

Hello,
external users are for SAML authentication. I assume that you don't want to use that "just for fun".

As far as I see in the video, everything works fine (as it should). I got lost where things are not working.

Best regards,
Hannes

[matteu]

Hello,

Thanks for your answer.
OK, so I have to forget external user .

How does he do to use administrator@vsphere.local as authentication account ? This account must have portal administrator right on VBEM if I understand it correctly.

Maybe I just have to create a domain user and add it on my VBEM server as portal administrator (maybe portal viewer is enough) + veeamOne with correct permission if I want to use the section for veeamOne to with the pluggin ?

[HannesK]

Hello,
if it is about the last step, then username / password is optional (step 2) (only if domain user is used for vSphere web client that is also portal user in Enterprise Manager)

On the Settings tab, check the plug-in version and specify the following Veeam Backup Enterprise Manager connection properties:
- Host name or IP address of the Veeam Backup Enterprise Manager server
- Base URL of Veeam Backup Enterprise Manager REST API
- Thumbprint of the certificate used to connect to Veeam Backup Enterprise Manager REST API

but yes, it would also work with a domain or local user that has Enterprise Manager permissions (agree, the documentation could be clearer here, I will check that out).

Best regards,
Hannes

[matteu]

I suppose it's better to used service account here for everyone to see this part but maybe I'm wrong...

I understand if current vcenter account has right on enterprise manager, he will see it, but if he doesn't and he should you can give him right on EM or just use this service account.
I saw this service account should have right on VeeamOne too if we want to see capacity planning. That means it's probably better to use domain account for both permission

[HannesK]

Now I see something... how did you manage to make the administrator@vsphere.local a portal user / portal administrator in Enterprise Manager?

I used a normal domain user that is portal user.

[matteu]

No problem for this account for me too

How do you do for vsphere sso local user admin like in the video ?

[HannesK]

sorry, not sure what the question means. Everything works fine, as far as I see.

there are two options in general
1) work with a user account that is known to vCenter and Enterprise Manager. That would be a Windows domain user. For example lab\username. In this setup, the password based authentication in settings is not needed
2) work with a user that is known to vCenter, but not to Enterprise Manager. In this case, the connection to Enterprise Manager is done with an auxiliary / helper user configured in the VBR plugin settings.

That's why I'm curious, how you managed to assign administrator@vsphere.local an Enterprise Manager manager role.

[matteu]

I talk about administrator@vsphere.local because it s the account shown in the video link I provide.

If it not possible, that mean I perfectly understand from start what I needed