When a user logs in to a vSphere component, vCenter Single Sign-On is used for authentication. Users must be authenticated with vCenter Single Sign-On and must have been granted vCenter Server permissions to view and manage vSphere objects.

When users log in to the vSphere Web Client, they are first authenticated by vCenter Single Sign-On. For authenticated users, vCenter Server checks the permissions. What a user can see, and what a user can do, is determined by vSphere permission settings for vCenter Server and ESXi and by the applications in the environment. vCenter Server administrators assign those permissions from the Manage > Permissions interface in the vSphere Web Client, not through vCenter Single Sign-On. See vSphere Users and Permissions and vCenter User Management Tasks.

vCenter Single Sign-On and vCenter Server Users

Using the vSphere Web Client, users authenticate to vCenter Single Sign-On by entering their credentials on the vSphere Web Client login page. After connecting to vCenter Server, authenticated users can view all of the vCenter Server instances or other vSphere services for which they have permissions. No further authentication is required. The actions that authenticated users can perform on objects depend on the user's vCenter Server permissions on those objects. See vSphere Users and Permissions and vCenter User Management Tasks.

After installation, the administrator@vsphere.local user has administrator access to both vCenter Single Sign-On and vCenter Server. That user can then add identity sources, set the default identity source, and manage users and groups in the vCenter Single Sign-On domain (vsphere.local).

While most vCenter Single Sign-On management tasks require vCenter Single Sign-On administrator credentials, all users who can authenticate to vCenter Single Sign-On can reset their password, even if the password has expired. See Reset an Expired vCenter Single Sign-On Password.

vCenter Single Sign-On Administrator Users

The vCenter Single Sign-On administrative interface is accessible from the vSphere Web Client.

To configure vCenter Single Sign-On and manage vCenter Single Sign-On users and groups, the user administrator@vsphere.local or a user with vCenter Single Sign-On administrator privileges must log in to the vSphere Web Client. Upon authentication, that user can access the vCenter Single Sign-On administration interface to manage identity sources and default domains, specify password policies, and perform other administrative tasks. See Configuring vCenter Single Sign-On.


You cannot rename the administrator@vsphere.local user. For improved security, consider creating additional users in the vsphere.local domain and assigning them administrative privileges. You can then stop using administrator@vsphere.local.

Authentication in Different Versions of vSphere

If a user connects to a vCenter Server system version 5.0.x or earlier, vCenter Server authenticates the user by validating the user against an Active Directory domain or against the list of local operating system users. In vCenter Server 5.1 and later, users authenticate through vCenter Single Sign-On.


You cannot use the vSphere Web Client to manage vCenter Server version 5.0 or earlier. Upgrade vCenter Server to version 5.1 or later.

ESXi Users

ESXi 5.1 is not integrated with vCenter Single Sign-On. You add the ESXi host to an Active Directory domain explicitly. See Add an ESXi Host to an Active Directory Domain.

You can still create local ESXi users with the vSphere Client, vCLI, or PowerCLI. vCenter Server is not aware of users that are local to ESXi and ESXi is not aware of vCenter Server users.

Login Behavior

When a user logs in to a vCenter Server system from the vSphere Web Client, the login behavior depends on whether the user is in the default domain.

  • Users who are in the default domain can log in with their user name and password.

  • Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but is not the default domain can log in to vCenter Server but must specify the domain in one of the following ways.

    • Including a domain name prefix, for example, MYDOMAIN\user1

    • Including the domain, for example, user1@mydomain.com

  • Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active Directory determines whether users of other domains in the hierarchy are authenticated or not.
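
The login-name rules above can be applied when reviewing login records, so that MYDOMAIN\user1 and user1@mydomain.com are counted as one account and names from domains that are not identity sources stand out. This is an added example, not VMware code; the identity-source list, the prefix-to-domain aliases, the case-insensitive matching and the sample logins are assumptions, and domain hierarchies (where Active Directory decides) are not modelled.

```python
# Added example: canonicalise vSphere Web Client login names for audit review.
# Domain names, prefix aliases and sample logins are constructed assumptions.
from collections import Counter

DEFAULT_DOMAIN = "vsphere.local"   # assumed default identity source
# Assumed identity sources: domain name -> prefix used in the PREFIX\user form
IDENTITY_SOURCES = {"vsphere.local": "VSPHERE", "mydomain.com": "MYDOMAIN"}
ALIASES = {alias.lower(): dom for dom, alias in IDENTITY_SOURCES.items()}


def resolve_login(login):
    """Return (canonical 'user@domain', None) or (None, reason)."""
    login = login.strip()
    if "\\" in login:                      # MYDOMAIN\user1 form
        prefix, user = login.split("\\", 1)
        domain = ALIASES.get(prefix.lower())
        if domain is None:
            return None, "domain prefix %r is not an identity source" % prefix
    elif "@" in login:                     # user1@mydomain.com form
        user, domain = login.rsplit("@", 1)
        domain = domain.lower()
        if domain not in IDENTITY_SOURCES:
            return None, "domain %r is not an identity source" % domain
    else:                                  # bare name: default domain only
        user, domain = login, DEFAULT_DOMAIN
    if not user:
        return None, "empty user name"
    # Assumption: user names are compared case-insensitively.
    return "%s@%s" % (user.lower(), domain), None


def summarise(logins):
    """Count logins per canonical principal and collect rejected names."""
    accepted, rejected = Counter(), []
    for raw in logins:
        principal, reason = resolve_login(raw)
        if principal:
            accepted[principal] += 1
        else:
            rejected.append((raw, reason))
    return accepted, rejected


# Constructed sample login names, not taken from a real system.
SAMPLE = ["administrator", "Administrator@vsphere.local", "MYDOMAIN\\user1",
          "user1@mydomain.com", "user2@other.example", "LAB\\user3"]

if __name__ == "__main__":
    accepted, rejected = summarise(SAMPLE)
    print(dict(accepted))
    print(rejected)
```

A high count for administrator@vsphere.local in the summary shows that the built-in account is still in routine use.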