Users can log in to vCenter Server only if they are in a domain that has been added as a vCenter Single Sign-On identity source. You add an identity source to your cloud SDDC so that you can give Active Directory users access to the SDDC. Adding the identity source of the on-premises vCenter Server is the first task in configuring Hybrid Linked Mode.

You can add either an OpenLDAP server or Active Directory as an LDAP Server as an identity source. Repeat this procedure to add more than one identity source.

Prerequisites

If you are adding an identity source to use with Hybrid Linked Mode, ensure that you meet the prerequisites in Hybrid Linked Mode Prerequisites.

Procedure

  1. Log in to the vSphere Client for your SDDC.
  2. Bring up the Add Identity Source dialog.

    Use case: Hybrid Linked Mode
      1. Select Menu > Administration.
      2. Under Hybrid Cloud, select Linked Domains.
      3. Under Add Identity Source, click Add.

    Use case: All other use cases
      1. Select Menu > Administration.
      2. Under Single Sign On, click Configuration.
      3. Click Identity Sources and click Add.

  3. Configure the identity source settings.

    Identity Source Type
      Select Active Directory as an LDAP Server for a Windows Active Directory server, or OpenLDAP for an OpenLDAP server.

    Name
      Enter the name of the identity source.

    Base DN for users
      Enter the Base Distinguished Name for users.

    Base DN for groups
      Enter the Base Distinguished Name for groups.

    Domain Name
      Enter the FQDN of the domain. Do not enter an IP address here.

    Domain Alias
      Enter an alias for the domain. For Active Directory identity sources, this is the domain's NetBIOS name. Add the NetBIOS name of the Active Directory domain as an alias of the identity source if you are using SSPI authentication.

    Username
      Enter the ID of a user in the domain who has at least read-only access to the Base DN for users and groups. Use UPN format (for example, user@example.com) rather than DN format.

    Password
      Enter the password of the user specified in Username.

    Connect To
      Select which domain controller to connect to.
      • Select Any domain controller in the domain to connect to any domain controller.
      • Select Specific domain controllers to specify the domain controllers.
      If you select Specific domain controllers, specify the URL of the primary server and of the secondary server used for failover. Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for ldap: connections and 636 for ldaps: connections. For Active Directory multi-domain-controller deployments, the port is typically 3268 for ldap: connections and 3269 for ldaps: connections.

    SSL Certificates
      If you use ldaps:, click Browse and select a certificate file to upload. The certificate is used to secure the ldaps: connection.
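The field constraints in the settings table (an FQDN rather than an IP address for Domain Name, UPN rather than DN format for Username, the ldap://hostname:port or ldaps://hostname:port format with the typical ports, and a certificate when ldaps: is used) can be checked before the dialog is submitted. This is an added example, not code from the page or from VMware; the dictionary field names, the `ad_ldap` type value and the sample configuration are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Typical ports from the procedure: 389/636 for one domain controller, 3268/3269 for AD multi-DC deployments.
TYPICAL_PORTS = {"ldap": {389, 3268}, "ldaps": {636, 3269}}
DN_RE = re.compile(r"(?i)\w+=[^,]+(,\s*\w+=[^,]+)*")
def is_ip_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False
def check_server_url(url, has_certificate):
    """Problems with one 'Specific domain controllers' URL (primary or failover)."""
    try:
        parts = urlsplit(url)
        scheme, host, port = parts.scheme, parts.hostname, parts.port
    except ValueError:  # e.g. a non-numeric port
        scheme, host, port = None, None, None
    if scheme not in TYPICAL_PORTS or not host or port is None:
        return [f"{url}: use ldap://hostname:port or ldaps://hostname:port"]
    problems = []
    if port not in TYPICAL_PORTS[scheme]:
        problems.append(f"{url}: port {port} is unusual for {scheme}:")
    if scheme == "ldap":  # a simple bind over plain ldap: sends the password unencrypted
        problems.append(f"{url}: ldap: bind is unencrypted; prefer ldaps: with a certificate")
    elif not has_certificate:
        problems.append(f"{url}: ldaps: selected but no certificate file was uploaded")
    return problems
def check_identity_source(cfg):
    """Validate the Add Identity Source fields (dict keyed by field; keys are assumed names) before submitting."""
    problems = []
    if is_ip_address(cfg["domain_name"]):
        problems.append("Domain Name must be the domain FQDN, not an IP address")
    if "@" not in cfg["username"] or "=" in cfg["username"]:
        problems.append("Username must be in UPN format (user@example.com), not DN format")
    for field in ("base_dn_users", "base_dn_groups"):
        if not DN_RE.fullmatch(cfg[field]):
            problems.append(f"{field} is not a valid distinguished name")
    if cfg["type"] == "ad_ldap" and not cfg.get("domain_alias"):
        problems.append("Domain Alias should be the NetBIOS name (needed for SSPI authentication)")
    for url in cfg.get("servers", []):
        problems.extend(check_server_url(url, bool(cfg.get("certificate"))))
    return problems

# Constructed sample (not from the page): an AD source with two LDAPS domain controllers.
SAMPLE = {"type": "ad_ldap", "domain_name": "example.com", "domain_alias": "EXAMPLE", "certificate": "example-dc-ca.cer",
          "username": "svc-vcsso@example.com", "base_dn_users": "CN=Users,DC=example,DC=com", "base_dn_groups": "DC=example,DC=com",
          "servers": ["ldaps://dc1.example.com:636", "ldaps://dc2.example.com:3269"]}
```

`check_identity_source(SAMPLE)` returns an empty list; each returned string names the field to correct before clicking Add.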

Results

When the identity source is added, on-premises users can authenticate to the SDDC, but have the No access role. Add permissions for a group of users to give them the Cloud Administrator role.

What to do next

Add permissions for the group of Cloud Administrator users you created before adding the identity source.