Use the vSphere Web Client to log in to the management domain's vCenter Server Appliance and configure your Active Directory domain as an identity source used by the authentication service. When your Active Directory domain is configured as an identity source, you can grant permissions to those users and groups to log in to the SDDC Manager client and access the environment, as well as grant permissions to log in to the vSphere Web Client using their Active Directory credentials.

Before you begin

Verify that you are logged in to the SDDC Manager client as an administrator. You can launch the vSphere Web Client from the SDDC Manager client.

Verify that you have the information for joining the management domain's Platform Services Controller component to your Active Directory domain:

  • The Active Directory domain name, such as example.com.

  • A user name in User Principal Name (UPN) format, such as User1@example.com, of a user that has a minimum of read access in the Active Directory domain.

    If your Active Directory is Windows 2008 and you will be using the Administrator account here, ensure that the domain is selected for the user logon name on the Account tab of the account's properties.

  • Password of that user.

Procedure

  1. Open the view of the management domain's vCenter Server resources in the vSphere Web Client.
    1. In the SDDC Manager client, navigate from the Dashboard page to view the management domain details.

      You drill down into the management domain details from the Workload Domains area on the dashboard.

    2. On the General Info page of the management domain's Domain Details screen, locate the vCenter launch link used to open the view of the domain's vCenter Server resources in the vSphere Web Client.

      One way to navigate to the management domain's General Info page from the Workload Domains page is to click List View and click the active link that is the name of the management domain.

    3. Launch the vSphere Web Client by clicking the vCenter launch link.

      The vSphere Web Client appears in a new browser tab, authenticated and accessing the management domain's vCenter Server resources.

  2. In the vSphere Web Client, navigate to Administration > Deployment > System Configuration > Nodes.
  3. Select the psc-1 node.
  4. On the Manage tab, navigate to Settings > Advanced > Active Directory.
  5. Click Join.
  6. Type your Active Directory details.

    Domain
      Active Directory domain name, for example, example.com. Do not provide an IP address in this field.

    Organizational unit
      Optional. The canonical name of the organizational unit, for example, mydomain.com/MyOrganizationalUnit/mycomputer.
      Important: Use this field only if you are familiar with LDAP.

    User name
      User name in User Principal Name (UPN) format, for example, jchin@mydomain.com. This user must have a minimum of read access.
      Important: Down-level login name format, for example, DOMAIN\UserName, is unsupported. Ensure that the Active Directory account's properties specify the @domain format for the login name.

    Password
      Password of the user.

  7. Click OK to join the psc-1 Platform Services Controller to the Active Directory domain.

    The operation succeeds without a confirmation message; the Join button changes to Leave.

  8. Right-click the node you edited and select Reboot to restart the psc-1 Platform Services Controller so that the changes are applied.

    Important: If you do not restart the appliance, you might encounter problems in the vSphere Web Client.

  9. Select the psc-2 node.
  10. Repeat the steps to join the psc-2 node to the Active Directory domain.
  11. Navigate to Administration > Single Sign-On > Configuration.
  12. On the Identity Sources tab, click the Add Identity Source icon.
  13. Select Active Directory (Integrated Windows Authentication) and enter the identity source settings of the joined Active Directory domain.

    For example, type the joined Active Directory name in the Domain name field and select Use machine account.

  14. Click OK.
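The Join dialog in step 6 rejects several common input mistakes only after the attempt fails (an IP address in the Domain field, a DOMAIN\UserName login name, an organizational unit given as an LDAP distinguished name instead of a canonical name). The following pre-flight validator is an added example, not part of this guide or of VMware's tooling; it encodes the field constraints stated above so the values can be checked before the join is submitted. The sample form values are constructed.

```python
import ipaddress
import re

# UPN: local part without '@', '\' or '/', then a dotted DNS domain.
UPN_RE = re.compile(r"^[^@\\/\s]+@([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")
DNS_LABEL_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def is_ip_literal(value: str) -> bool:
    """True if value is an IPv4/IPv6 address (including the [v6] bracket form)."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False


def check_domain(domain: str) -> list:
    if is_ip_literal(domain):
        return ["Domain must be a DNS name such as example.com, not an IP address"]
    labels = domain.split(".")
    if len(labels) < 2 or not all(DNS_LABEL_RE.match(l) for l in labels):
        return ["Domain is not a valid DNS domain name"]
    return []


def check_user(user: str) -> list:
    if "\\" in user:  # down-level logon name, e.g. EXAMPLE\User1
        return ["Down-level login name (DOMAIN\\UserName) is unsupported; use user@domain"]
    if not UPN_RE.match(user):
        return ["User name must be in UPN format, e.g. user@example.com"]
    return []


def check_ou(ou: str, domain: str) -> list:
    """Canonical name form: domain.tld/OU/.../object, not OU=...,DC=... (LDAP DN)."""
    if not ou:
        return []  # the field is optional
    if "=" in ou:
        return ["Organizational unit must be a canonical name, not an LDAP distinguished name"]
    parts = ou.split("/")
    if parts[0].lower() != domain.lower() or any(p == "" for p in parts):
        return ["Organizational unit must start with the joined domain, e.g. example.com/MyOU"]
    return []


def validate_join_form(domain: str, user: str, password: str, ou: str = "") -> list:
    """Return a list of problems; an empty list means the values pass every check."""
    problems = check_domain(domain) + check_user(user) + check_ou(ou, domain)
    if not password:
        problems.append("Password must not be empty")
    return problems
```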

Results

On the Identity Sources tab, you can see the joined Active Directory domain.

What to do next

  • Use the SDDC Manager client to grant the appropriate permissions to the Active Directory domain's users and groups for accessing your environment using their Active Directory credentials. See Assign Permissions to Users and Groups.

  • Use the vSphere Web Client to grant the appropriate permissions to the users and groups from the joined Active Directory domain to use their Active Directory credentials to log in to the vSphere Web Client. Otherwise, those users and groups are not able to log in to the vSphere Web Client and the products that integrate with it using their Active Directory credentials. For information about managing permissions and user management in vCenter Server, see vSphere 6.0 Security Guide located at https://www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-6-pubs.html.