Users can log in to vCenter Server only if they are in a domain that has been added as a vCenter Single Sign-On identity source. You add an identity source to your cloud SDDC to be able to give Active Directory users access to your SDDC. Adding the identity source of the on-premises vCenter Server is the first task in configuring Hybrid Linked Mode.
You can add either an OpenLDAP server or an Active Directory as LDAP server as an identity source. You can add more than one identity source by repeating this procedure.
If you are adding an identity source to use with Hybrid Linked Mode, ensure that you meet the prerequisites in Hybrid Linked Mode Prerequisites.
- Log in to the vSphere Client for your SDDC.
- Bring up the Add Identity Source dialog.
Hybrid Linked Mode
Under Hybrid Cloud, select Linked Domains.
Under Add Identity Source, click Add.
All other use cases
Under Single Sign On, click Configuration.
Click Identity Sources and click Add.
- Configure the identity source settings.
Identity Source Type
Select Active Directory as an LDAP Server for a Windows Active Directory Server or Open LDAP for an Open LDAP server.
Enter the name of the identity source.
Base DN for users
Enter the Base Distinguished Name for users.
Base DN for groups
Enter the Base Distinguished Name for groups.
FQDN of the domain. Do not enter an IP address here.
Enter an alias for the domain.
For Active Directory identity sources, the domain's NetBIOS name. Add the NetBIOS name of the Active Directory domain as an alias of the identity source if you are using SSPI authentications.
Enter the ID of a user in the domain who has a minimum of read-only access to Base DN for users and groups. Use UPN format (for example, email@example.com), rather than DN format.
Enter the password of the user who is specified by Username.
Select which domain controller to connect to.
Select Any domain controller in the domain to connect to any domain controller.
Select Specific domain controllers to specify the domain controllers.
If you select Specific domain controllers, specify the URL for the primary server and the secondary server used for failover. Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for ldap: connections and 636 for ldaps: connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for ldap: connections and 3269 for ldaps: connections.
If you use ldaps:, select Browse and select a certificate file to upload to provide security for the ldaps: connection.
When the identity source is added, on-premises users can authenticate to the SDDC, but have the No access role. Add permissions for a group of users to give them the Cloud Administrator role.
What to do next
Add permissions for the group of Cloud Admininstrator users you created before adding the identity source: #GUID-FB5D02BC-2D25-4F62-BC8A-1F9B7D511AF2.