vCenter Single Sign-On login behavior depends on the domain the user belongs to and the identity sources that you have added to vCenter Single Sign-On.

When a user logs in to a vCenter Server system from the vSphere Web Client, the login behavior depends on whether the user is in the default domain.

  • Users who are in the default domain can log in with their user name and password.

  • Users who are in a domain that has been added to vCenter Single Sign-On as an identity source, but is not the default domain, can log in to vCenter Server but must specify the domain in one of the following ways:

    • Including a domain name prefix, for example, MYDOMAIN\user1

    • Including the domain, for example, user1@mydomain.com

  • Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active Directory determines whether users of other domains in the hierarchy are authenticated or not.

After installation on a Windows system, the user administrator@vsphere.local has administrator privileges to both the vCenter Single Sign-On server and to the vCenter Server system.

After you deploy the vCenter Virtual Appliance, the user administrator@vsphere.local has administrator privileges to both the vCenter Single Sign-On server and to the vCenter Server system. The user root@localos has administrative privileges on the vCenter Single Sign-On server and can authenticate to the vCenter Server system. Assign permissions to root@localos to allow that user access to the vCenter Server system.
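The resolution rules above can be applied to login names taken from an authentication log to see which domain each name resolves to and which names map to the built-in privileged accounts. The following Python sketch is an added example, not VMware code. The default domain, the identity source list, the MYDOMAIN alias mapping, and case-insensitive matching are assumptions, and the Active Directory domain hierarchy case is not modeled.

```python
from typing import NamedTuple, Optional

# Constructed sample configuration (assumption), not read from a vCenter system.
DEFAULT_DOMAIN = "vsphere.local"
# Identity source domain -> prefix accepted in DOMAIN\user form (assumed alias).
IDENTITY_SOURCES = {"vsphere.local": None, "localos": None, "mydomain.com": "MYDOMAIN"}
# Accounts the page names as privileged after installation or deployment.
BUILTIN_PRIVILEGED = {("administrator", "vsphere.local"), ("root", "localos")}

class Resolution(NamedTuple):
    user: str
    domain: Optional[str]      # None: domain is not a configured identity source
    domain_known: bool         # False: per the page, such users cannot log in
    privileged_builtin: bool

def _match_domain(token: str) -> Optional[str]:
    """Map a prefix or suffix to an identity source (case-insensitive, assumed)."""
    token = token.lower()
    for domain, alias in IDENTITY_SOURCES.items():
        if token == domain or (alias and token == alias.lower()):
            return domain
    return None

def resolve_login(name: str, default_domain: str = DEFAULT_DOMAIN) -> Resolution:
    name = name.strip()
    if "\\" in name:                       # MYDOMAIN\user1
        token, user = name.split("\\", 1)
    elif "@" in name:                      # user1@mydomain.com
        user, token = name.rsplit("@", 1)
    else:                                  # bare name: default domain applies
        user, token = name, default_domain
    domain = _match_domain(token) if user and token else None
    privileged = (user.lower(), domain) in BUILTIN_PRIVILEGED
    return Resolution(user, domain, domain is not None, privileged)

def triage(names, default_domain: str = DEFAULT_DOMAIN):
    """Split login names into (unknown-domain, built-in privileged) lists."""
    resolved = [(n, resolve_login(n, default_domain)) for n in names]
    unknown = [n for n, r in resolved if not r.domain_known]
    privileged = [n for n, r in resolved if r.privileged_builtin]
    return unknown, privileged

# Constructed login names, as they might appear in an authentication log.
SAMPLE_LOGINS = ["administrator", "MYDOMAIN\\user1", "user1@mydomain.com",
                 "user2@other.example", "root@localos", "OTHER\\svc"]

if __name__ == "__main__":
    unknown, privileged = triage(SAMPLE_LOGINS)
    print("domain not an identity source:", unknown)
    print("built-in privileged accounts:", privileged)
```

A bare name such as administrator resolves to the built-in account only while vsphere.local is the default domain; pass a different default_domain to see how the same log lines resolve after the default is changed.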