You can use identity sources to attach one or more domains to vCenter Single Sign-On. A domain is a repository for users and groups that the vCenter Single Sign-On server can use for user authentication.

Starting in vSphere 7.0, vCenter Server supports federated authentication to sign in to vCenter Server. VMware encourages you to use federated authentication as vSphere moves towards token-based authentication. See #GUID-0A3A19E6-150A-493B-8B57-37E19AB420F2.

An administrator can add identity sources, set the default identity source, and create users and groups in the vsphere.local identity source.

The user and group data is stored in Active Directory, OpenLDAP, or locally to the operating system of the machine where vCenter Single Sign-On is installed. After installation, every instance of vCenter Single Sign-On has the identity source your_domain_name, for example vsphere.local. This identity source is internal to vCenter Single Sign-On.

Note: At any time, only one default domain exists. If a user from a non-default domain logs in, that user must add the domain name ( DOMAIN\ user) to authenticate successfully.

The following identity sources are available.

  • Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP identity sources.
  • Active Directory (Integrated Windows Authentication) versions 2003 and later. vCenter Single Sign-On allows you to specify a single Active Directory domain as an identity source. The domain can have child domains or be a forest root domain. VMware KB article 2064250 discusses Microsoft Active Directory Trusts supported with vCenter Single Sign-On.
  • OpenLDAP versions 2.4 and later. vCenter Single Sign-On supports multiple OpenLDAP identity sources.
Note: A future update to Microsoft Windows will change the default behavior of Active Directory to require strong authentication and encryption. This change will impact how vCenter Server authenticates to Active Directory. If you use Active Directory as your identity source for vCenter Server, you must plan to enable LDAPS. For more information about this Microsoft security update, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.

For more information about vCenter Single Sign-On, see vSphere Authentication.