vCenter Single Sign-On login behavior depends on the domain the user belongs to and the identity sources that you have added to vCenter Single Sign-On.
When a user logs in to a vCenter Server system from the vSphere Web Client, the login behavior depends on whether the user is in the default domain, that is, the domain that is set as the default identity source.
Users who are in the default domain can log in with their user name and password.
Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but is not the default domain can log in to vCenter Server but must specify the domain in one of the following ways:
Including a domain name prefix, for example, MYDOMAIN\user1
Including the domain, for example, email@example.com
Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active Directory determines whether users of other domains in the hierarchy are authenticated or not.
vCenter Single Sign-On does not propagate authentication permissions that result from nested groups across different identity sources. For example, if you add the Domain Administrators group to the Local Administrators group, the permissions are not propagated, because Local OS and Active Directory are separate identity sources.
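The following is an added illustration of the two rules described above (how a login name is resolved against the default and non-default identity sources, and why nested groups do not propagate across identity sources). It is example code written for this page, not VMware's implementation: the class names SsoConfig and IdentitySource, the domain names vsphere.local, corp.example and localos, and the users and groups are all constructed sample data.

```python
# Added example: a small model of the vCenter Single Sign-On login-name and
# nested-group rules. Illustrative code for this page, not VMware's code; all
# domains, users and groups below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class IdentitySource:
    """One identity source (an Active Directory domain, Local OS, ...)."""
    domain: str
    users: set
    # group name -> set of members; a member is ("user", name) for a user of
    # this source, or ("group", domain, name) for a nested group.
    groups: dict = field(default_factory=dict)


class SsoConfig:
    def __init__(self, sources, default_domain):
        self.sources = {s.domain.lower(): s for s in sources}
        self.default_domain = default_domain.lower()

    def parse_login(self, login):
        """Split a login name into (domain, user).

        DOMAIN\\user and user@domain name the domain explicitly; a bare user
        name is resolved against the default identity source.
        """
        if "\\" in login:
            domain, user = login.split("\\", 1)
            return domain.lower(), user
        if "@" in login:
            user, domain = login.rsplit("@", 1)
            return domain.lower(), user
        return self.default_domain, login

    def resolve_login(self, login):
        """Return (domain, user) if the login names a known user of a
        configured identity source; otherwise None (the login is refused)."""
        domain, user = self.parse_login(login)
        source = self.sources.get(domain)
        if source is None or user not in source.users:
            return None
        return domain, user

    def is_member(self, user_domain, user, group_domain, group, _seen=None):
        """True if the user belongs to the group. Nested groups are followed
        only within the same identity source; a nested group that comes from a
        different identity source does not propagate its membership."""
        if _seen is None:
            _seen = set()
        if (group_domain, group) in _seen:
            return False  # guard against cyclic nesting
        _seen.add((group_domain, group))
        source = self.sources.get(group_domain.lower())
        if source is None:
            return False
        for member in source.groups.get(group, ()):
            if member[0] == "user":
                if user_domain.lower() == group_domain.lower() and member[1] == user:
                    return True
            elif member[0] == "group":
                _, nested_domain, nested_name = member
                if nested_domain.lower() != group_domain.lower():
                    continue  # cross-source nesting: not propagated
                if self.is_member(user_domain, user, nested_domain, nested_name, _seen):
                    return True
        return False


def build_sample_config():
    """Constructed sample: vsphere.local is the default identity source, plus an
    Active Directory domain and a Local OS source whose Administrators group
    nests the AD Domain Admins group (the situation described in the text)."""
    return SsoConfig(
        sources=[
            IdentitySource("vsphere.local", {"administrator"}),
            IdentitySource("corp.example", {"alice"},
                           {"Domain Admins": {("user", "alice")}}),
            IdentitySource("localos", {"root"},
                           {"Administrators": {("user", "root"),
                                               ("group", "corp.example", "Domain Admins")}}),
        ],
        default_domain="vsphere.local",
    )


if __name__ == "__main__":
    sso = build_sample_config()
    for login in ["administrator", "alice", "CORP.EXAMPLE\\alice",
                  "alice@corp.example", "bob@other.example"]:
        print(f"{login!r:>22} -> {sso.resolve_login(login)}")
    print("alice in localos Administrators:",
          sso.is_member("corp.example", "alice", "localos", "Administrators"))
```

Running the module shows that a bare "alice" is refused because she is not in the default source, that either the prefix or the suffix form reaches the corp.example source, and that alice's membership in Domain Admins does not carry over to the Local OS Administrators group even though that group nests Domain Admins.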
After installation on a Windows system, the user administrator@your_domain_name has administrator privileges to both the vCenter Single Sign-On server and the vCenter Server system.
After you deploy the vCenter Server Appliance, the user administrator@your_domain_name has administrator privileges to both the vCenter Single Sign-On server and the vCenter Server system.