Users can log in to vCenter Server only if they are in a domain that has been added as a vCenter Single Sign-On identity source. vCenter Single Sign-On administrator users can add identity sources from the vSphere Web Client.

An identity source can be a native Active Directory (Integrated Windows Authentication) domain or an OpenLDAP directory service. For backward compatibility, Active Directory as an LDAP Server is also available.

Immediately after installation, the following default identity sources and users are available:
All local operating system users. These users can be granted permissions to vCenter Server. If you are upgrading, those users who already have permissions keep those permissions.
Contains the vCenter Single Sign-On internal users.


  1. Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.
  2. Browse to Administration > Single Sign-On > Configuration.
  3. On the Identity Sources tab, click the Add Identity Source icon.
  4. Select the type of identity source and enter the identity source settings.
    Option Description
    Active Directory (Integrated Windows Authentication) The identity source is a Microsoft Active Directory server. Active Directory versions 2003 and later are supported. Set up your Active Directory domain, including Kerberos, following the instructions on the Microsoft Web site.
    Active Directory as a LDAP Server This option is supported for backward compatibility with the vCenter Single Sign-On service included with vSphere 5.1. Use a native Active Directory identity source instead.
    OpenLDAP The identity source is an OpenLDAP server. OpenLDAP versions 2.4 and later are supported.
    Local Operating System Users local to the operating system where the vCenter Single Sign-On service is installed (for example, Windows). Only one local operating system identity source is supported.

    If the user account is locked or disabled, authentications and group and user searches in the Active Directory domain will fail. The user account must have read-only access over the User and Group OU, and must be able to read user and group attributes. This is the default Active Directory domain configuration for user permissions. VMware recommends using a special service user.

  5. If you configured an Active Directory as an LDAP Server or an OpenLDAP identity source, click Test Connection to ensure that you can connect to the identity source.
  6. Click OK.

What to do next

When an identity source is added, all users can be authenticated but have the No access permission. A user with vCenter Server Modify.permissions privileges can assign permissions to users or groups of users to enable them to log in to vCenter Server. See Assign Permissions in the vSphere Web Client.