- Active Directory (Integrated Windows Authentication)
- Active Directory as an LDAP server
Note: there are underlying issues using ‘AD Integrated Windows Authentication’ when VMware SRM is part of a solution.
The chosen SSO identity source outlined in this example is ‘Active Directory as an LDAP Server’. This is also the identity source configuration used for an EHC solution.
The following steps detail how to add AD LDAP authentication in vCenter 6.0 (PSC):
2. Navigate to Administration->Single-sign-on->Configuration, then click the ‘Identity Sources’ tab.
3. Click the green + to add a new identity source.
4. Select Active Directory as an LDAP server and fill in the details. The following images provide an example configuration:
5. Click on the ‘Test Connection’ button in order to validate AD connectivity is successful.
Now that the AD identity source is configured and AD connectivity has been validated you can proceed to add AD user(s) to the SSO administrators group.
Note: Adding Groups is not supported – Assign only individual users from your Active Directory to the vCenter Single Sign-On Administrators group. Please refer to the following VMware KB:
Assigning AD User to the vCenter Single Sign-On Administrators group:
1. Under SSO select ‘Users and Groups’
2. Select the ‘Groups’ tab and chose ‘Administrators’ from the list provided. Under ‘Group Members’ click the green + member icon:
3. Select your domain and add your desired users to the SSO Administrators group:
Default EHC vCenter SSO administrators: app_nsx_sso, app_vro_sso, ehc_sysadmin
Assigning vCenter Server Roles
From the web client Click on ‘Home’, ‘vCenter Inventory Lists’, ‘vCenter Severs’:
Click on your desired vCenter server, ‘Manage’ and chose ‘permissions’ and click the green + to add and assign roles:
In the case of EHC the following roles apply:
– Add the DOMAIN\VC_Admins and assign the group the Administrator role.
– Add the DOMAIN\VC_App_Logins_RW and assign the group the
– Add the DOMAIN\VC_ReadOnly and assign the group the Read Only role.
– Add the DOMAIN\VC_App_Logins_RO and assign the group the Read Only