VMware single sign-on (SSO) with Active Directory

After installing VMware vCenter Server Appliance (VCSA) 6.5, we only have a "vSphere.local" single sign-on (SSO) domain where we can create users and groups. But wouldn't it be better if you could integrate your existing Microsoft Active Directory (AD) environment with your organizational structure of groups and users? You don't have to start over creating these just for VMware. We just need to link the AD environment to the VMware SSO.

Author
Recent Posts

Vladan Seget

Vladan Seget is an independent consultant, professional blogger, vExpert 2009-2021, VCAP-DCA/DCD and MCSA. He has been working for over 20 years as a system engineer.

Latest posts by Vladan Seget (see all)

How to use VMware vSAN ReadyNode Configurator - Fri, Dec 17 2021
VMware Tanzu Kubernetes Toolkit version 1.3 new features - Fri, Dec 10 2021
Disaster recovery strategies for vCenter Server appliance VM - Fri, Nov 26 2021

We also have to grant some permissions to the enterprise AD administrator, otherwise, he or she will not be able to manage the environment.

I assume that you have already fired up the vSphere web client and logged in using the administrator@vsphere.local account and password we set up in our previous post. Once done, click the System Configuration button on the main screen. You'll end up in the System Configuration section. Click the Nodes section on the left.

vCenter Server configuration Select nodes

All nodes will appear below. As we have only a single node (we're not using vCenter's linked mode), select the node > Manage tab > Active Directory > Join button.

Join vCenter to Active Directory

Enter the necessary details. As you can see, a message says you have to reboot the node manually.

Reboot after joining vCenter to Active Directory

After the reboot, you'll have to wait a few minutes until all services are up and the vSphere web client initializes itself.

Log back in, and from the main screen, click the Home button and Administration. Under Single Sign-On, select the Configuration menu, the Identity Source tab and then click the green + sign to Add identity source.

vSphere 6.5 Select an identity source type

Four options appear. We'll stick with Active Directory (Integrated Windows Authentication).

On the next page, the domain should already display with the Use machine account radio button pre-selected.

Add an identity source to vSphere single sign on

Click the Next button and then Finish. You should see the Identity Sources tab populated with your Active Directory.

Windows AD added as an identity source

As mentioned at the beginning, we'll need to grant a few permissions for the domain administrator (or any other account) to manage the vSphere environment.

On the same page, move one level up to the Access control section and select Global Permissions.

Click Add a new user and then select the user from the Active Directory.

Select a user from your domain to assign global permissions

Next, validate by clicking the OK button.

This is just first part of the procedure. We still have to add the domain administrator to some vSphere.local groups. We'll do that in a second.

Select Users and Groups > Groups tab > Administrators. Add the domain admin account to the local administrators group.

Add the domain administrator to a local administrators group

Click the Add button and validate with the OK button. Repeat the procedure for ComponentManager.Administrators, LicenseService.Administrators, CAAdmins, SystemConfiguration.Administrators, SystemConfiguration.BashShellAdministrators and Users.

You should now be able to log in as a domain admin. And if you're already logged in as a domain admin on your system, you can simply check the box to Use Windows session authentication.