Users can log in to vCenter Server only if they are in a domain that has been added as a vCenter Single Sign-On identity source. You add an identity source to your cloud SDDC to be able to give Active Directory users access to your SDDC.

You can add either an OpenLDAP server or an Active Directory as LDAP server as an identity source. You can add more than one identity source by repeating this procedure.


If you are adding an identity source to use with Hybrid Linked Mode, ensure that you meet the prerequisites in Hybrid Linked Mode Prerequisites.


  1. Log in to the vSphere Client for your SDDC.
  2. Bring up the Add Identity Source dialog.

    Use case


    Hybrid Linked Mode

    1. Select Menu > Administration.

    2. Under Hybrid Cloud, select Linked Domains.

    3. Under Add Cloud Administrator, select Add Indentity Source from the Identity Source drop-down menu.

    All other use cases

    1. Select Menu > Administration.

    2. Under Single Sign On, click Configuration.

    3. Click Identity Sources and click Add.

  3. Configure the identity source settings.



    Identity Source Type

    Select Active Directory as an LDAP Server for a Windows Active Directory Server or Open LDAP for an Open LDAP server.


    Enter the name of the identity source.

    Base DN for users

    Enter the Base Distinguished Name for users.

    Base DN for groups

    Enter the Base Distinguished Name for groups.

    Domain Name

    FQDN of the domain. Do not enter an IP address here.

    Domain Alias

    Enter an alias for the domain.

    For Active Directory identity sources, the domain's NetBIOS name. Add the NetBIOS name of the Active Directory domain as an alias of the identity source if you are using SSPI authentications.


    Enter the ID of a user in the domain who has a minimum of read-only access to Base DN for users and groups. Use UPN format (for example,, rather than DN format.


    Enter the password of the user who is specified by Username.

    Connect To

    Select which domain controller to connect to.

    • Select Any domain controller in the domain to connect to any domain controller.

    • Select Specific domain controllers to specify the domain controllers.

    If you select Specific domain controllers, specify the URL for the primary server and the secondary server used for failover. Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for ldap: connections and 636 for ldaps: connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for ldap: connections and 3269 for ldaps: connections.

    SSL Certificates

    If you use ldaps:, select Browse and select a certificate file to upload to provide security for the ldaps: connection.


When the identity source is added, on-premises users can authenticate to the SDDC, but have the No access role. Add permissions for a group of users to give them the Cloud Administrator role.