8th gen nuc needs a customised install with either the net-community vib or the usbnic fling slipstreamed in.

• Instructions for building a slipstreamed install USB stick: https://www.virten.net/2020/04/how-to-add-the-usb-nic-fling-to-esxi-7-0-base-image/
• usbnic fling (used by usb-c dock): https://flings.vmware.com/usb-network-native-driver-for-esxi
• net-community drivers (needed for nuc8 onboard nic): https://flings.vmware.com/community-networking-driver-for-esxi

Officially vCenter 7 adds support for OIDC for ADFS only, however with some tweaks, it can be made to work using KeyCloak instead.

• Ensure KeyCloak docker container is running with env vars

  JAVA_OPTS_APPEND = "-Dkeycloak.profile.feature.scripts=enabled -Dkeycloak.profile.feature.upload_scripts=enabled"

• Add a client with ID vmware
• Ensure enabled, standard flow and direct access grants are enabled
• For the Root URL, Admin URL, Web Origins, use https://vcenter.fqdn
• For Valid Redirect URIs use https://vcenter.fqdn/ui/login/oauth2/authcode or https://vcenter.fqdn/*
• For backchannel logout URL use https://vcenter.fqdn/ui/login and enable Backchannel logout session required
• Set Client Protocol to openid-connect and Access Type to confidential
• On the Credentials tab, make a note of the secret
• On the mappers tab:
  • Add a hardcoded claim for claim domain, with the value matching the vmware SSO domain that will be used (e.g. the bit after the @ sign of the username, in my case sihnon.net)
  • Add a script mapper named nameid with value:

    token.setSubject(user.getUsername());

    This sets the sub claim in the JWT to be the plain username, as opposed to the internal keycloak user UUID which is the default. Without this, vcenter can't match to a user from LDAP

• Under Realm Settings → Endpoints, right click OpenID Endpoint Configuration and copy the URL

Under vCenter → Administration → Single Sign On → Configuration

• Click Change identity provider and select ADFS
• Under Client Identifier, enter vmware, or the value picked for client ID in keycloak
• Under shared secret, enter the secret noted earlier
• Under OpenID address, paste the URL noted earlier
• Fill in the LDAP details when prompted. Be sure to upload the root CA certificate (needed even for LetsEncrypt certs)

If there are certificate errors, try also adding the LetsEncrypt root cert under vCenter → Administration → Certificates → Certificate Management. If this view does not render in chrome, try firefox, or logging in with Administrator@vsphere.local

https://marte-it.at/en/reset-esxi-evaluation-license/

• Start the SSH service on the ESXi host
• Start a SSH connection with a SSH client (e.g. PuTTY)
• Delete the current license:

  rm -r /etc/vmware/license.cfg

• Copy the new license:

  cp /etc/vmware/.#license.cfg /etc/vmware/license.cfg

• Restart the VPXA service:

  /etc/init.d/vpxa restart