Identity Sources for vCenter Server with vCenter Single Sign-On

You can use identity sources to attach one or more domains to vCenter Single Sign-On. A domain is a repository for users and groups that the vCenter Single Sign-On server can use for user authentication.

Note: In vSphere 7.0 Update 2 and later, you can enable FIPS on vCenter Server. See the vSphere Security documentation. AD over LDAP and IWA are not supported when FIPS is enabled. Use external identity provider federation when in FIPS mode. See Configuring vCenter Server Identity Provider Federation.

An administrator can add identity sources, set the default identity source, and create users and groups in the vsphere.local identity source.

The user and group data is stored in Active Directory, OpenLDAP, or locally to the operating system of the machine where vCenter Single Sign-On is installed. After installation, every instance of vCenter Single Sign-On has the identity source your_domain_name, for example vsphere.local. This identity source is internal to vCenter Single Sign-On.

Note: At any time, only one default domain exists. If a user from a non-default domain logs in, that user must add the domain name to authenticate successfully. The domain name is in the form:

DOMAIN\user

The following identity sources are available.

Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP identity sources.
Active Directory (Integrated Windows Authentication) versions 2003 and later. vCenter Single Sign-On allows you to specify a single Active Directory domain as an identity source. The domain can have child domains or be a forest root domain. VMware KB article 2064250 discusses Microsoft Active Directory Trusts supported with vCenter Single Sign-On.
OpenLDAP versions 2.4 and later. vCenter Single Sign-On supports multiple OpenLDAP identity sources.

Note: A future update to Microsoft Windows will change the default behavior of Active Directory to require strong authentication and encryption. This change will impact how vCenter Server authenticates to Active Directory. If you use Active Directory as your identity source for vCenter Server, you must plan to enable LDAPS. For more information about this Microsoft security update, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.