You can use identity sources to attach one or more domains to vCenter Single Sign-On. A domain is a repository for users and groups that the vCenter Single Sign-On server can use for user authentication.

Note: In vSphere 7.0 Update 2 and later, you can enable FIPS on vCenter Server. See the vSphere Security documentation. AD over LDAP is not supported when FIPS is enabled. Use external identity provider federation when in FIPS mode. See Configuring vCenter Server Identity Provider Federation.

An administrator can add identity sources, set the default identity source, and create users and groups in the vsphere.local identity source.

Depending on the identity source, user and group data is stored in Active Directory, in OpenLDAP, or in the local operating system accounts of the machine where vCenter Single Sign-On is installed. After installation, every instance of vCenter Single Sign-On also has the identity source your_domain_name, for example vsphere.local. This identity source is internal to vCenter Single Sign-On and holds its built-in users and groups.

Note: At any time, only one default domain exists. A user from the default domain can log in with a bare user name. A user from any other domain must prefix the user name with the domain name to authenticate successfully, in the form:
DOMAIN\user

The following identity sources are available.

  • Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP identity sources.
  • Active Directory (Integrated Windows Authentication) versions 2003 and later. vCenter Single Sign-On allows you to specify a single Active Directory domain as an identity source. The domain can have child domains or be a forest root domain. The VMware knowledge base article at https://kb.vmware.com/s/article/2064250 discusses Microsoft Active Directory Trusts supported with vCenter Single Sign-On.
  • OpenLDAP versions 2.4 and later. vCenter Single Sign-On supports multiple OpenLDAP identity sources.
Note: A Microsoft Windows update changed the default behavior of Active Directory to require strong authentication and encryption (LDAP signing and channel binding). Once LDAP signing is enforced, a domain controller rejects simple binds over an unencrypted LDAP connection, which is how an Active Directory over LDAP identity source authenticates to the domain. If you use Active Directory over LDAP as an identity source for vCenter Server, you must enable LDAPS, that is, configure the identity source with ldaps:// server URLs so the bind is protected by TLS; Integrated Windows Authentication does not bind over plain LDAP and is not affected. For more information, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023 and https://blogs.vmware.com/vsphere/2020/01/microsoft-ldap-vsphere-channel-binding-signing-adv190023.html.
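The following Python script is an added example, not code from this documentation or from vCenter Server. It encodes the rules stated in this section as an audit over a set of identity-source definitions (one default domain, the internal domain present, a single Integrated Windows Authentication source, ldaps:// URLs for Active Directory over LDAP, no AD over LDAP under FIPS, OpenLDAP 2.4 or later) and resolves DOMAIN\user login names against the configured domains. The IdentitySource record, the kind tags, and the sample set in sample_sources() are constructed for this example and are not the vCenter configuration format or API.

```python
"""Audit vCenter Single Sign-On identity-source definitions and resolve login names.

Added example: the IdentitySource record and the kind tags below are a constructed
stand-in for the vCenter configuration, not the vCenter API; the sample set in
sample_sources() is made up for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Identity-source kinds named in this section (the tag strings are assumptions).
SYSTEM = "system"        # the internal domain created at install time, e.g. vsphere.local
LOCALOS = "localos"      # accounts of the operating system that hosts SSO
AD_LDAP = "ad_ldap"      # Active Directory over LDAP
AD_IWA = "ad_iwa"        # Active Directory (Integrated Windows Authentication)
OPENLDAP = "openldap"    # OpenLDAP


@dataclass
class IdentitySource:
    domain: str                    # domain name as users type it, e.g. CORP.EXAMPLE
    kind: str                      # one of the tags above
    default: bool = False          # the one default domain used for bare user names
    urls: List[str] = field(default_factory=list)  # LDAP server URLs (AD over LDAP, OpenLDAP)
    server_version: str = ""       # OpenLDAP server version, if known


def _version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def audit(sources: List[IdentitySource], fips_enabled: bool = False) -> List[str]:
    """Return findings for the rules stated in this section; an empty list means all pass."""
    findings: List[str] = []
    if sum(1 for s in sources if s.default) != 1:
        findings.append("exactly one default domain must exist")
    if not any(s.kind == SYSTEM for s in sources):
        findings.append("the internal vCenter SSO domain (e.g. vsphere.local) is missing")
    if sum(1 for s in sources if s.kind == AD_IWA) > 1:
        findings.append("only one Active Directory (IWA) identity source is allowed")
    for s in sources:
        if s.kind == AD_LDAP:
            if fips_enabled:
                findings.append(f"{s.domain}: AD over LDAP is not supported with FIPS enabled; "
                                "use identity provider federation")
            for url in s.urls:
                # ADV190023: the DC rejects simple binds over cleartext LDAP, so require ldaps://
                if urlparse(url).scheme.lower() != "ldaps":
                    findings.append(f"{s.domain}: {url} is not LDAPS (required since ADV190023)")
        elif s.kind == OPENLDAP and s.server_version:
            if _version_tuple(s.server_version) < (2, 4):
                findings.append(f"{s.domain}: OpenLDAP {s.server_version} is older than 2.4")
    return findings


def resolve_login(login: str, sources: List[IdentitySource]) -> Optional[Tuple[str, str]]:
    """Map a login name to (domain, user), or None if it cannot be authenticated.

    A bare user name belongs to the default domain; DOMAIN\\user selects that
    domain, which must be a configured identity source (matched case-insensitively).
    """
    by_name = {s.domain.lower(): s for s in sources}
    if "\\" in login:
        domain, user = login.split("\\", 1)
        source = by_name.get(domain.lower())
        if source is None or not user:
            return None
        return source.domain, user
    default = next((s for s in sources if s.default), None)
    if default is None or not login:
        return None
    return default.domain, login


def sample_sources() -> List[IdentitySource]:
    """Constructed sample: one AD over LDAP source still points at plain LDAP on port 389."""
    return [
        IdentitySource("vsphere.local", SYSTEM, default=True),
        IdentitySource("CORP.EXAMPLE", AD_LDAP,
                       urls=["ldap://dc01.corp.example:389", "ldaps://dc02.corp.example:636"]),
        IdentitySource("ldap.example.org", OPENLDAP,
                       urls=["ldaps://ldap.example.org:636"], server_version="2.4.44"),
    ]


if __name__ == "__main__":
    for finding in audit(sample_sources()):
        print("FINDING:", finding)
    print(resolve_login("administrator", sample_sources()))
    print(resolve_login("CORP.EXAMPLE\\alice", sample_sources()))
```

Run against the sample set, the audit reports only the plain ldap:// URL on CORP.EXAMPLE; with fips_enabled=True it additionally flags the AD over LDAP source as unsupported, which is the situation where identity provider federation is the supported replacement.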