You can configure an Active Directory over LDAP/IWA link to support user authentication using the Directories Management feature to configure a link to Active Directory to support user authentication for all tenants and select users and groups to sync with the Directories Management directory.

For information and instructions about using OpenLDAP with Directories Management, see Configure an OpenLDAP Directory Connection.

For Active Directory (Integrated Windows Authentication), when you have multi-forest Active Directory configured and the Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. If you fail to do this, these members will be missing from the Domain Local group.


  • Select the required default attributes and add additional attributes on the User Attributes page. See Select Attributes to Sync with Directory.

  • List of the Active Directory groups and users to sync from Active Directory.

  • If your Active Directory requires access over SSL or STARTTLS, the Root CA certificate of the Active Directory domain controller is required.

  • Log in to the vRealize Automation console as a tenant administrator.


  1. Select Administration > Directories Management > Directories.
  2. Click Add Directory and select Add Active Directory over LDAP/IWA.
  3. On the Add Directory page, specify the IP address for the Active Directory server in the Directory Name text box.
  4. Select the appropriate Active Directory communication protocol using the radio buttons under the Directory Name text box.



    Windows Authentication

    Select Active Directory (Integrated Windows Authentication). For Active Directory Integrated Windows Authentication, required information includes the domain's Bind user UPN address and password.


    Select Active Directory over LDAP. For Active Directory over LDAP, information required includes the Base DN, Bind DN, and Bind DN password.

  5. Configure the connector that synchronizes users from the Active Directory to the VMware Directories Management directory in the Directory Sync and Authentication section.



    Sync Connector

    Select the appropriate connector to use for your system. Each vRealize Automation appliance contains a default connector. Consult your system administrator if you need help in choosing the appropriate connector.


    Click the appropriate radio button to indicate whether the selected connector also performs authentication.

    Directory Search Attribute

    Select the appropriate account attribute that contains the user name. VMware recommends using the sAMAccount attribute rather than userPrincipleName. If you use userPrincipleName for sync operations, integration with second and third party software that requires a user name may not function correctly.


    If you select sAMAccountName when using a global catalog, indicated by selecting theThis Directory has a Global Catalog check box in the Server Location area, users will be unable to log in.

  6. Enter the appropriate information in the Server Location text box if you selected Active Directory over LDAP, or enter information in the Join Domain Details text boxes if you selected Active Directory (Integrated Windows Authentication).



    Server Location - Displayed when Active Directory over LDAP is selected

    • If you want to use DNS Service Location to locate Active Directory domains, leave the This Directory supports DNS Service Location check box selected.


      You cannot change the port assignment to 636 if you select this option.

      A file, auto-populated with a list of domain controllers, is created along with the directory. See About Domain Controller Selection.

      If the Active Directory requires STARTTLS encryption, select the This Directory requires all connections to use STARTTLS check box in the Certificates section and copy and paste the Active Directory Root CA certificate in the SSL Certificate field.

    • If the specified Active Directory does not use DNS Service Location lookup, deselect the check box beside This Directory supports DNS Service Location in the Server Location fields and enter the Active Directory server host name and port number in the appropriate text boxes.

      Select the This Directory has a Global Catalog check box if the associated Active Directory uses a global catalog. A global catalog contains a representation of all objects in every domain in a multi-domain Active Directory forest.

      To configure the directory as a global catalog, see the Multi-Domain Single Forest Active Directory Environment section in Active Directory Environments.

      If Active Directory requires access over SSL, select the This Directory requires all connections to use SSL check box under the Certificates heading and provide the Active Directory SSL certificate.

      When you select this option, port 636 is used automatically and cannot be changed.

      Ensure that the certificate is in PEM format and includes the BEGIN CERTIFICATE and END CERTIFICATE lines.

    Join Domain Details - Displayed when Active Directory (Integrated Windows Authentication) is selected

    Enter the appropriate credentials in the Domain Name, Domain Admin User Name, and Domain Admin Password text boxes.

    If the Active Directory requires STARTTLS encryption, select the This Directory requires all connections to use STARTTLS check box in the Certificates section and copy and paste the Active Directory Root CA certificate in the SSL Certificate field.

  7. In the Bind User Details section, enter the appropriate credentials to facilitate directory synchronization.

    For Active Directory over LDAP:



    Base DN

    Enter the search base distinguished name. For example, cn=users,dc=corp,dc=local.

    Bind DN

    Enter the bind distinguished name. For example, cn=fritz infra,cn=users,dc=corp,dc=local

    For Active Directory (Integrated Windows Authentication):



    Bind User UPN

    Enter the User Principal Name of the user who can authenticate with the domain. For example,

    Bind DN Password

    Enter the Bind User password.

  8. Click Test Connection to test the connection to the configured directory.

    This button does not appear if you selected Active Directory (Integrated Windows Authentication).

  9. Click Save & Next.

    The Select the Domains page appears with the list of domains.

  10. Review and update the domains listed for the Active Directory connection.
    • For Active Directory (Integrated Windows Authentication), select the domains that should be associated with this Active Directory connection.

    • For Active Directory over LDAP, the available domain is listed with a checkmark.


      If you add a trusting domain after the directory is created, the service does not automatically detect the newly trusting domain. To enable the service to detect the domain, the connector must leave and then rejoin the domain. When the connector rejoins the domain, the trusting domain appears in the list.

  11. Click Next.
  12. Verify that the Directories Management directory attribute names are mapped to the correct Active Directory attributes.

    If the directory attribute names are not mapped correctly, select the correct Active Directory attribute from the drop-down menu.

  13. Click Next.
  14. Click Add to select the groups you want to sync from Active Directory to the directory.

    When you add a group from Active Directory, if members of that group are not in the Users list, they are added. When you sync a group, any users that lack Domain Users as their primary group in Active Directory are not synced.


    The Directories Management user authentication system imports data from Active Directory when adding groups and users, and the speed of the system is limited by Active Directory capabilities. As a result, import operations may require significant time depending on the number of groups and users being added. To minimize the potential for delays or problems, limit the number of groups and users to only those required for vRealize Automation operation.

    If your system performance degrades or if errors occur, close any unneeded applications and ensure that your system has appropriate memory allocated to Active Directory. If problems persist, increase the Active Directory memory allocation as needed. For systems with a large number of users and groups, you may need to increase the Active Directory memory allocation to as much as 24 GB.

  15. Click Next.
  16. Click Add to add additional users.

    The appropriate values are as follows:

    • Single user: CN=username,CN=Users,OU=Users,DC=myCorp,DC=com

    • Multiple users: OU=Users,OU=myUnit,DC=myCorp,DC=com

    To exclude users, click Add to create a filter to exclude some types of users. You select the user attribute to filter by, the query rule, and the value.

  17. Click Next.
  18. Review the page to see how many users and groups are syncing to the directory.

    If you want to make changes to users and groups, click the Edit links.


    Ensure that you specify user DNs that are under the Base DN specified previously. If the user DN is outside of the Base DN, users from that DN are synced but will be unable to log in.

  19. Click Push to Workspace to start the synchronization to the directory.


The connection to the Active Directory is complete and the selected users and groups are added to the directory. You can now assign user and groups to the appropriate vRealize Automation roles by selecting Administration > Users and Groups > Directory Users and Groups. See Assign Roles to Directory Users or Groups for more information.

What to do next

If your vRealize Automation environment is configured for high availability, you must specifically configure Directories Management for high availability. See Configure Directories Management for High Availability.

  • Set up authentication methods. After users and groups sync to the directory, if the connector is also used for authentication, you can set up additional authentication methods on the connector. If a third party is the authentication identity provider, configure that identity provider in the connector.

  • Review the default access policy. The default access policy is configured to allow all appliances in all network ranges to access the Web browser, with a session time out set to eight hours or to access a client app with a session time out of 2160 hours (90 days). You can change the default access policy and when you add Web applications to the catalog, you can create new ones.

  • Apply custom branding to the administration console, user portal pages and the sign-in screen.