Everyday Virtualization

Blog archive

ESXi Hosts, AD Integrated Security Gotcha

One of the most lauded features of vSphere 4.1 is the built-in Active Directory authentication engine for ESXi hosts. It's very easy to configure, and it works for both free ESXi installations as well as hosts managed by vCenter. The Active Directory-integrated security is configured in the Authentication Services section of each host (see Fig. 1).

As easy as it is to configure, I recommend you read Maish's post on the Technodrone on how to do such.

So, while configuration is easy enough, I have confirmed with Microsoft that it's not that easy to manage from a licensing perspective. As it turns out, enabling Active Directory-integrated security to the ESXi host creates a computer account for each host. It's actually similar to what XenServer did in the 5.5 release, when Citrix added Active Directory authentication.

Using Active Directory-integrated security in this configuration can impact your licensing responsibility if device client access licenses (CALs) are used. I reached out to Microsoft to clarify how this applies. The good news is that there is no server licensing impact for the integrated authentication feature. A Microsoft spokesperson provided this language to clarify server licensing:

All Windows Server licenses are assigned to either the server itself or a processor within the server. The licensing or physical deployment of any other product like another company's hypervisor or management tools, in no way impacts the licensing of our server products

For CALs, it is a different story. Basically, if User CALs are the licensing mechanism, there is no licensing cost for an ESXi host with Active Directory authentication. There are if you're using Device CALs. This language was provided to clarify how CALs apply to this configuration:

The answer is "no" if a customer is using "User CALs" since then they can access any server from any device. If the customer is using "Device CALs" then each device used to access the server would need to be licensed with a CAL. So "yes".

The Yes and No references are the answers these questions I had presented to Microsoft.

Configuring Authentication Services on an ESXi host.

Figure 1. Configuring Authentication Services on an ESXi host. (Click image to view larger version.)

With any licensing topic, I recommend that you consult your Microsoft licensing professional with your configuration. You can find a good overview comparing device vs. user CALs on Microsoft's site here. All in all, I don't think the licensing issue is a big deal and most organizations can address this via a regular true up of their Enterprise Agreements with Microsoft.

Does this licensing note impact your infrastructure administration practice? If so, share your comments here.

Posted by Rick Vanover on 07/22/2010 at 12:47 PM


Subscribe on YouTube