The service accounts, created by SDDC Manager, in the vCenter Single Sign-On built-in identity provider for each management and workload domain, must be members of the LicenseService.Administrators group. You add the NSX service accounts to the group to provide the minimum required privileges and scope.
UI Procedure
- Log in to vCenter Server at https://<vcenter_server_fqdn>/ui as [email protected].
- From the vSphere Client Menu, select Administration.
In the Single Sign On section, click Users and groups.
Click the Groups tab.
Select the LicenseService.Administrators group and click Edit.
In the Edit group dialog box, add the service accounts for NSX Manager.
From the Add members drop-down menu, select vsphere.local.
To search for the service accounts created by SDDC Manager, in the Search text box, enter svc-.
The format of the service account name is svc-<nsx-manager-name>-<vcenter-server-name>.
Add the service accounts for NSX Manager for each management and VI workload domain to the LicenseService.Administrators group and click Save.
Repeat the procedure for each VI workload domain you add to the SDDC.
PowerShell Procedure
Start PowerShell.
Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $domainFqdn = "vsphere.local" $serviceAccount = "svc-sfo-m01-nsx01-sfo-m01-vc01"
Perform the configuration by running the command in the PowerShell console.
Add-SsoPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -domain $domainFqdn -principal $serviceAccount -ssoGroup "LicenseService.Administrators" -type user -source localRepeat the procedure for each VI workload domain you add to the SDDC.
