You can join a Platform Services Controller appliance or a vCenter Server Appliance with an embedded Platform Services Controller to an Active Directory domain. You can then add that Active Directory domain as an identity source so that its users and groups are available in your vCenter Single Sign-On domain.

Important: Joining a Platform Services Controller appliance or a vCenter Server Appliance with an embedded Platform Services Controller to an Active Directory domain with a read-only domain controller (RODC) is unsupported. You can join a Platform Services Controller or a vCenter Server Appliance with an embedded Platform Services Controller only to an Active Directory domain with a writable domain controller.

If you want to configure permissions for users and groups from an Active Directory domain to access the vCenter Server components, you must join its associated embedded or external Platform Services Controller instance to the Active Directory domain.

For example, to enable an Active Directory user to log in to the vCenter Server instance in a vCenter Server Appliance with an embedded Platform Services Controller by using the vSphere Web Client with Windows session authentication (SSPI), you must join the vCenter Server Appliance to the Active Directory domain and assign the Administrator role to this user. To enable an Active Directory user to log in to a vCenter Server instance that uses an external Platform Services Controller appliance by using the vSphere Web Client with SSPI, you must join the Platform Services Controller appliance to the Active Directory domain and assign the Administrator role to this user.

Prerequisites

  • Verify that the user who logs in to the vCenter Server instance in the vCenter Server Appliance is a member of the SystemConfiguration.Administrators group in vCenter Single Sign-On.

  • Verify that the system name of the appliance is an FQDN. If, during the deployment of the appliance, you set an IP address as a system name, you cannot join the vCenter Server Appliance to an Active Directory domain.

Procedure

  1. Log in to the vSphere Web Client in the vCenter Server Appliance as administrator@your_domain_name.
    The address is of the form https://appliance-IP-address-or-FQDN/vsphere-client.
  2. On the vSphere Web Client, click Deployment > Administration > Nodes.
  3. Select a node, and click the Manage tab.
  4. Select Active Directory, and click Join.
  5. Enter the Active Directory details.
    Option               Description
    Domain               Active Directory domain name, for example, mydomain.com. Do not provide an IP address in this text box.
    Organizational unit  Optional. The full LDAP distinguished name of the OU, for example, OU=Engineering,DC=mydomain,DC=com.
                         Important: Use this text box only if you are familiar with LDAP.
    User name            User name in User Principal Name (UPN) format, for example, user@mydomain.com.
                         Important: Down-level logon name format, for example, DOMAIN\UserName, is unsupported.
    Password             Password of the user.
  6. Click OK to join the vCenter Server Appliance to the Active Directory domain.
    The operation succeeds without a confirmation message; the Join button changes to Leave.
  7. Right-click the node you edited and select Reboot to restart the appliance so that the changes are applied.
    Important: If you do not restart the appliance, you might encounter problems when using the vSphere Web Client.
  8. Navigate to Administration > Single Sign-On > Configuration.
  9. On the Identity Sources tab, click the Add Identity Source icon.
  10. Select Active Directory (Integrated Windows Authentication), enter the identity source settings of the joined Active Directory domain, and click OK.
    Table 1. Add Identity Source Settings
    Text Box                       Description
    Domain name                    FQDN of the domain. Do not provide an IP address in this text box.
    Use machine account            Select this option to use the local machine account as the SPN. When you select this option, you specify only the domain name. Do not select this option if you expect to rename this machine.
    Use Service Principal Name     Select this option if you expect to rename the local machine. You must specify an SPN, a user who can authenticate with the identity source, and a password for the user.
    (SPN)
    Service Principal Name (SPN)   SPN that lets Kerberos identify the Active Directory service. Include the domain in the name, for example, STS/example.com.

                                   You might have to run setspn -S to register the SPN on the account you want to use. See the Microsoft documentation for information on setspn.

                                   The SPN must be unique across the domain. setspn -S checks for an existing entry before adding, so it does not create a duplicate.

    User Principal Name (UPN)      Name of a user who can authenticate with this identity source. Use the email address format, for example, user@mydomain.com. You can verify the User Principal Name with the Active Directory Service Interfaces Editor (ADSI Edit).
    Password                       Password of the user specified in User Principal Name.
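The Active Directory side of the Use Service Principal Name (SPN) option, as an added example that is not part of this VMware documentation: it creates a dedicated service account with a UPN in the required name@domain form, confirms that the SPN is not already registered, registers it with setspn -S, and reads both values back so that what you type into the Add Identity Source dialog is taken from the directory rather than assumed. It assumes a domain-joined Windows host with the RSAT Active Directory module, an operator allowed to create users and write servicePrincipalName, and the illustrative domain example.com, account name svc-vcsa-sts and SPN STS/example.com.

```powershell
# Added example, not from the VMware documentation or from VMware.
# Assumed: RSAT ActiveDirectory module; rights to create users and write
# servicePrincipalName; domain, account name and SPN below are illustrative.
Import-Module ActiveDirectory

$Domain  = 'example.com'
$Account = 'svc-vcsa-sts'
$Spn     = "STS/$Domain"      # must be unique across the domain

# 1. A dedicated, least-privilege account. The UPN must be name@domain:
#    the identity-source dialog rejects the DOMAIN\name form.
$Password = Read-Host -Prompt "Password for $Account" -AsSecureString
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@$Domain" `
    -AccountPassword $Password -Enabled $true `
    -KerberosEncryptionType AES128,AES256

# 2. Refuse to continue if anything already holds this SPN.
#    setspn -Q prints "No such SPN found." when the name is free.
$query = (setspn -Q $Spn) -join "`n"
if ($query -notmatch 'No such SPN found') {
    throw "SPN $Spn is already registered:`n$query"
}

# 3. Register the SPN. -S repeats the duplicate check before writing.
setspn -S $Spn $Account
if ($LASTEXITCODE -ne 0) {
    throw "setspn -S failed with exit code $LASTEXITCODE"
}

# 4. Read back the UPN and SPN that go into the Add Identity Source dialog.
Get-ADUser -Identity $Account -Properties UserPrincipalName, ServicePrincipalNames |
    Select-Object SamAccountName, UserPrincipalName, ServicePrincipalNames
```

If step 2 reports an existing entry, do not reuse the SPN on a second account: Kerberos cannot issue a usable ticket for a name that maps to two principals, and the identity source will fail to authenticate until the duplicate is removed.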

Results

On the Identity Sources tab, you can see the joined Active Directory domain.

What to do next

You can configure permissions for users and groups from the joined Active Directory domain to access the vCenter Server components. For information about managing permissions, see the vSphere Security documentation.