Users can log in to vCenter Server only if they are in a domain that has been added as a vCenter Single Sign-On identity source. vCenter Single Sign-On administrator users can add identity sources, or change the settings for identity sources that they added.

An identity source can be an Active Directory over LDAP, a native Active Directory (Integrated Windows Authentication) domain, or an OpenLDAP directory service. See Identity Sources for vCenter Server with vCenter Single Sign-On.

Immediately after installation, the vsphere.local domain (or the domain you specified during installation) with the vCenter Single Sign-On internal users is available.


If you have updated or replaced your Active Directory SSL certificate, you must remove and re-add the identity source in vCenter Server.


If you are adding an Active Directory (Integrated Windows Authentication) identity source, the vCenter Server must be in the Active Directory domain. See Add a vCenter Server to an Active Directory Domain.


  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@mydomain.
  3. Navigate to the Configuration UI.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Configuration.
  4. Under the Identity Provider tab, click Identity Sources, and click Add.
  5. Select the identity source and enter the identity source settings.
    | Option | Description |
    | --- | --- |
    | Active Directory (Integrated Windows Authentication) | Use this option for native Active Directory implementations. The machine on which the vCenter Single Sign-On service is running must be in an Active Directory domain if you want to use this option. See Active Directory Identity Source Settings. |
    | Active Directory over LDAP | This option requires that you specify the domain controller and other information. See Active Directory over LDAP and OpenLDAP Server Identity Source Settings. |
    | OpenLDAP | Use this option for an OpenLDAP identity source. See Active Directory over LDAP and OpenLDAP Server Identity Source Settings. |

    If the user account is locked or disabled, authentications and group and user searches in the Active Directory domain fail. The user account must have read-only access over the User and Group OU, and must be able to read user and group attributes. Active Directory provides this access by default. Use a special service user for improved security.

  6. Click Add.
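
The account requirements noted in step 5 (not locked or disabled, read-only, a dedicated service user) can be checked from the account's directory attributes before you add the identity source. The following is an added example, not VMware code: the sample entries are constructed, and the privileged-group list and the 30-minute lockout window are assumptions to adjust for your domain.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002           # userAccountControl bit: account is disabled
NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires values that mean "never"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: well-known AD groups a read-only bind account should not belong to.
PRIVILEGED = {"domain admins", "enterprise admins", "schema admins", "administrators"}

def filetime(value):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=int(value) // 10)

def to_filetime(moment):
    """Inverse of filetime(); used here only to build the constructed samples."""
    return (moment - EPOCH_1601) // timedelta(microseconds=1) * 10

def bind_account_findings(entry, now, lockout_duration=timedelta(minutes=30)):
    """Return reasons the account is unfit to serve as the identity source user."""
    findings = []
    if int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        findings.append("disabled")
    locked_at = int(entry.get("lockoutTime", 0))
    # lockoutTime stays non-zero after the lockout window ends, so compare with now.
    if locked_at and filetime(locked_at) + lockout_duration > now:
        findings.append("locked")
    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER and filetime(expires) <= now:
        findings.append("expired")
    # memberOf lists direct groups only; nested and primary groups need extra lookups.
    for dn in entry.get("memberOf", []):
        cn = dn.split(",", 1)[0].partition("=")[2].strip().lower()
        if cn in PRIVILEGED:
            findings.append("privileged group: " + cn)
    return findings

# Constructed sample entries, shaped like the attributes an LDAP search returns.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_OK = {"userAccountControl": "66048", "lockoutTime": "0",
             "accountExpires": "9223372036854775807",
             "memberOf": ["CN=vCenter LDAP Readers,OU=Groups,DC=example,DC=com"]}
SAMPLE_BAD = {"userAccountControl": "514", "accountExpires": "0",
              "lockoutTime": str(to_filetime(NOW - timedelta(minutes=5))),
              "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=com"]}

if __name__ == "__main__":
    for name, entry in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, bind_account_findings(entry, NOW) or "no findings")
```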

What to do next

Initially, each user is assigned the No Access role. A vCenter Server administrator must assign the user at least to the Read Only role before the user can log in. See the topic on using roles to assign privileges in the vSphere Security documentation.