Users can log in to vCenter Server only if they are in a domain that has been added as a vCenter Single Sign-On identity source. vCenter Single Sign-On administrator users can add identity sources, or change the settings for identity sources that they added.

An identity source can be a native Active Directory (Integrated Windows Authentication) domain or an OpenLDAP directory service. For backward compatibility, Active Directory as an LDAP Server is also available. See Identity Sources for vCenter Server with vCenter Single Sign-On.

Immediately after installation, the following default identity sources and users are available:

localos

All local operating system users. If you are upgrading, those localos users who can already authenticate can continue to authenticate. Using the localos identity source does not make sense in environments that use an embedded Platform Services Controller.

vsphere.local

Contains the vCenter Single Sign-On internal users.

Prerequisites

If you are adding an Active Directory identity source, the vCenter Server Appliance or the vCenter Server Windows machine must be in the Active Directory domain. See Add a Platform Services Controller Appliance to an Active Directory Domain.

Procedure

  1. Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.

    If you specified a different domain during installation, log in as administrator@mydomain.

  3. Navigate to the Configuration UI.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Configuration.
  4. Click Identity Sources, and click Add Identity Source.
  5. Select the identity source and enter the identity source settings.

    Option

    Description

    Active Directory (Integrated Windows Authentication)

    Use this option for native Active Directory implementations. The machine on which the vCenter Single Sign-On service is running must be in an Active Directory domain if you want to use this option.

    See Active Directory Identity Source Settings.

    Active Directory over LDAP

    This option is available for backward compatibility. It requires that you specify the domain controller and other information. See Active Directory LDAP Server and OpenLDAP Server Identity Source Settings.

    OpenLDAP

    Use this option for an OpenLDAP identity source. See Active Directory LDAP Server and OpenLDAP Server Identity Source Settings.

    Local operating system of SSO server

    Use this option for the SSO server's local operating system.

    Note:

    If the user account is locked or disabled, authentications and group and user searches in the Active Directory domain fail. The user account must have read-only access over the User and Group OU, and must be able to read user and group attributes. Active Directory provides this access by default. Use a special service user for improved security.

  6. Click Add.

What to do next

When an identity source is added, all users can be authenticated but have the No access role. A user with vCenter Server Modify.permissions privileges can give users or groups of users privileges. The privileges enable the users or groups to log in to vCenter Server and to view and manage objects. You can configure permissions so that users and groups from a joined Active Directory domain can access the vCenter Server components. See the vSphere Security documentation.