You can add a domain to vSphere Authentication from the vSphere Web Client or by using the camconfig command.

You can add a domain to vSphere Authentication Proxy only after you enable the proxy. After you add the domain, vSphere Authentication Proxy adds all hosts that you provision with Auto Deploy to that domain. For other hosts, you can also use vSphere Authentication Proxy if you do not want to give those hosts domain privileges.


  1. Log in to the vCenter Server appliance or the vCenter Server Windows machine as a user with administrator privileges.
  2. Run the command to enable access to the Bash shell.
  3. Go to the directory where the camconfig script is located.



    vCenter Server Appliance


    vCenter Server Windows

    C:\Program Files\VMware\CIS\vmcamd\

  4. Run the following command to add the domain and user Active Directory credentials to the Authentication Proxy configuration.
    camconfig add-domain -d domain -u user

    You are prompted for a password.

    vSphere Authentication Proxy caches that username and password. You can remove and recreate the user as needed. The domain must be reachable via DNS, but does not have to be a vCenter Single Sign-On identity source.

    vSphere Authentication Proxy will use the username specified by user to create the accounts for ESXi hosts in Active Directory, so the user must have privileges to create accounts in the Active Directory domain to which you are adding the hosts. At the time of writing of this information, Microsoft Knowledge Base article 932455 had background information for account creation privileges.

  5. If you later want to remove the domain and user information from vSphere Authentication Proxy, run the following command.
    camconfig remove-domain -d domain