Users can log in to vCenter Server only if they are in a domain that has been added as a vCenter Single Sign-On identity source. vCenter Single Sign-On administrator users can add identity sources from the vSphere Web Client.

An identity source can be a native Active Directory (Integrated Windows Authentication) domain or an OpenLDAP directory service. For backward compatibility, Active Directory as an LDAP Server is also available. See Identity Sources for vCenter Server with vCenter Single Sign-On

Immediately after installation, the following default identity sources and users are available:
All local operating system users. If you are upgrading, those users who can already authenticate continue to be able to authenticate. Using the localos identity source does not make sense in environments that use a Platform Services Controller.
Contains the vCenter Single Sign-On internal users.


The domain that you want to add as an identity source must be available to the machine where vCenter Single Sign-On is running. If you are using a vCenter Server Appliance, see the vCenter Server Appliance Configuration documentation.


  1. Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.
    Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the vsphere.local domain.
  2. Browse to Administration > Single Sign-On > Configuration.
  3. On the Identity Sources tab, click the Add Identity Source icon.
  4. Select the type of identity source and enter the identity source settings.
    Option Description
    Active Directory (Integrated Windows Authentication) Use this option for native Active Directory implementations. The machine on which the vCenter Single Sign-Onservice is running must be in an Active Directory domain if you want to use this option.

    See Active Directory Identity Source Settings.

    Active Directory as an LDAP Server This option is available for backward compatibility. It requires that you specify the domain controller and other information. See Active Directory LDAP Server and OpenLDAP Server Identity Source Settings.
    OpenLDAP Use this option for an OpenLDAP identity source. See Active Directory LDAP Server and OpenLDAP Server Identity Source Settings.
    LocalOS Use this option to add the local operating system as an identity source. You are prompted only for the name of the local operating system. If you select this option, all users on the specified machine are visible to vCenter Single Sign-On, even if those users are not part of another domain.

    If the user account is locked or disabled, authentications and group and user searches in the Active Directory domain will fail. The user account must have read-only access over the User and Group OU, and must be able to read user and group attributes. This is the default Active Directory domain configuration for authentication permissions. VMware recommends using a special service user.

  5. If you configured an Active Directory as an LDAP Server or an OpenLDAP identity source, click Test Connection to ensure that you can connect to the identity source.
  6. Click OK.

What to do next

When an identity source is added, all users can be authenticated but have the No access role. A user with vCenter Server Modify.permissions privileges can assign give users or groups of users privileges that enable them to log in to vCenter Server and view and manage objects. See the vSphere Security documentation.