Join the vCenter Server Appliance to an Active Directory Domain

You can join a Platform Services Controller appliance or a vCenter Server Appliance with an embedded Platform Services Controller to an Active Directory domain and attach the users and groups from this Active Directory domain to your vCenter Single Sign-On domain.

Important:

Joining a Platform Services Controller appliance or a vCenter Server Appliance with an embedded Platform Services Controller to an Active Directory domain with a read-only domain controller (RODC) is unsupported. You can join a Platform Services Controller or a vCenter Server Appliance with an embedded Platform Services Controller only to an Active Directory domain with a writable domain controller.

If you want to configure permissions for users and groups from an Active Directory domain to access the vCenter Server components, you must join its associated embedded or external Platform Services Controller instance to the Active Directory domain.

For example, to enable an Active Directory user to log in to the vCenter Server instance in a vCenter Server Appliance with an embedded Platform Services Controller by using the vSphere Web Client with Windows session authentication (SSPI), you must join the vCenter Server Appliance to the Active Directory domain and assign the Administrator role to this user. To enable an Active Directory user to log in to a vCenter Server instance that uses an external Platform Services Controller appliance by using the vSphere Web Client with SSPI, you must join the Platform Services Controller appliance to the Active Directory domain and assign the Administrator role to this user.

Note:

If you want to enable an Active Directory user to log in to a vCenter Server instance by using the vSphere Client with SSPI, you must join the vCenter Server instance to the Active Directory domain. For information about joining a vCenter Server Appliance with an external Platform Services Controller to an Active Directory domain, see the VMware knowledge base article at http://kb.vmware.com/kb/2118543.

Prerequisites

Verify that the user name you use to log in to the vCenter Server instance in the vCenter Server Appliance is a member of the SystemConfiguration.Administrators group in vCenter Single Sign-On.

Procedure

Use the vSphere Web Client to log in as administrator@your_domain_name to the vCenter Server instance in the vCenter Server Appliance.

The address is of the type http://appliance-IP-address-or-FQDN/vsphere-client.
Under Deployment, click System Configuration.
Under System Configuration, click Nodes.
Under Nodes, select a node and click the Manage tab.
Under Advanced, select Active Directory, and click Join.

Enter the Active Directory details.

Option	Description
Domain	Active Directory domain name, for example, mydomain.com. Do not provide an IP address in this field.
Organizational unit	Optional. The full OU LDAP FQDN, for example, OU=Engineering,DC=mydomain,DC=com. Important: Use this field only if you are familiar with LDAP.
User name	User name in User Principal Name (UPN) format, for example, jchin@mydomain.com. Important: Down-level login name format, for example, DOMAIN\UserName, is unsupported.
Password	Password of the user.

Click OK to join the vCenter Server Appliance to the Active Directory domain.

The operation silently succeeds and you can see that the Join button turned to Leave.
Right-click the node you edited and select Reboot to restart the appliance so that the changes are applied.

Important:
If you do not restart the appliance, you might encounter problems when using the vSphere Web Client.
Navigate to Administration > Single Sign-On > Configuration.
On the Identity Sources tab, click the Add Identity Source icon.

Select Active Directory (Integrated Windows Authentication), enter the identity source settings of the joined Active Directory domain, and click OK.

Table 1. Add Identity Source Settings
Field	Description
Domain name	FDQN of the domain. Do not provide an IP address in this field.
Use machine account	Select this option to use the local machine account as the SPN. When you select this option, you specify only the domain name. Do not select this option if you expect to rename this machine.
Use Service Principal Name (SPN )	Select this option if you expect to rename the local machine. You must specify an SPN, a user who can authenticate with the identity source, and a password for the user.
Service Principal Name (SPN)	SPN that helps Kerberos to identify the Active Directory service. Include the domain in the name, for example, STS/example.com. You might have to run setspn -S to add the user you want to use. See the Microsoft documentation for information on setspn. The SPN must be unique across the domain. Running setspn -S checks that no duplicate is created.
User Principal Name (UPN)	Name of a user who can authenticate with this identity source. Use the email address format, for example, jchin@mydomain.com. You can verify the User Principal Name with the Active Directory Service Interfaces Editor (ADSI Edit).
Password	Password for the user who is used to authenticate with this identity source, which is the user who is specified in User Principal Name. Include the domain name, for example, jdoe@example.com.

Results

On the Identity Sources tab, you can see the joined Active Directory domain.

What to do next

You can configure permissions for users and groups from the joined Active Directory domain to access the vCenter Server components. For information about managing permissions, see the vSphere Security documentation.