Version 5 of vSphere introduced single sign-on (SSO) infrastructure, implemented primarily to allow the infrastructure, such as vCenter and the Web Client, to be put on separate virtual machines. SSO is the communication conduit that allows administrators to avoid putting everything on one vCenter Server. However, a lot of people misunderstand what SSO is and how it works.
What is SSO?
SSO is an alternate authentication system for VMware user management, service management and authentication. VCenter SSO sits alongside Active Directory (AD) infrastructure as another authentication method for vCenter.
Those who have run the "simple install" for vCenter need not worry about implementing SSO, as it will enumerate and add the current AD setup when given the correct credentials. Make sure to run the installation while logged in as a domain administrator, not a local administrator; otherwise, there will be issues adding domain users into vCenter.
How to set up vCenter SSO
For those who have multiple domains -- or simply wish to add a new one -- the process of implementing SSO is straightforward. New users should note that most SSO modifications need to be done through the Web Client.
In a fresh installation, be mindful of the two different user accounts. The first is admin@System-Domain, the SSO administration account. The other account -- root@System-Domain -- is the SSO user for the vCenter appliance. This root@System-Domain account has no rights to modify or interact with the actual VM infrastructure. It can only be used to modify SSO users, security credentials and sign-on settings. In the image below we are using the admin@System-Domain account. You can always see which account you are using by looking up at the top-right corner of the Web Client.
The administrator account -- admin@System-Domain -- can interact with VMs, networks and storage. However, don't be confused; this is still an SSO user and not the domain user.
How to add domains
If no AD domains are listed while trying to add users to vCenter, fix this by logging into the Web Client using the admin@System-Domain credentials.
To add domains to vCenter to give rights to users, log in using the password you set when you did the basic install. You will notice many options in the Web Client are grayed out; this is normal because this is just an SSO account.
Next, navigate to Administration>Sign on and Discovery>Identity Sources. This will show all the identity sources installed. To add a new domain for vCenter, click the green + symbol to open the configuration screen. The most common option to pick is Active Directory, but if you need to configure a non-AD Lightweight Directory Access Protocol (LDAP) setup, you can use OpenLDAP.
The last option, Local OS, passes through credentials from an OS level. You can only pick one domain, and this usually has been configured already. For example, in my setup you can see the "VCENTER" entry.
If you want to add an AD domain, select Active Directory and fill out the Identity Source information. You will need a secondary domain controller, because putting the same controller information in both domains will create an error and halt the process.
Once you implement the secondary domain controller, vCenter will process the request. Any issues or errors will appear on the left-hand side. To edit the request, double click on the "Work in Progress" box to display the populated data. If you are not sure of LDAP conventions or what the LDAP setup is, you can use ADSI Edit to get this information from the domain controller.
How to add permissions in the new domain
To test the new domain in the vSphere Windows client, log off then log back in. Select your preferred view, navigate to the permissions tab, right-click in the white space and select "Add permissions." Under Users and Groups, select Add and then Domain from the drop-down list. You should see the domain users listed. Assign the roles to the users on the left-hand side and click OK. I would recommend that you create a domain-based group that contains only administrators.
To do the same in the Web Client, log in as the administrator. From the menu on the left-hand side, select your preferred view from the inventory tree. On the right-hand side of the Web Client, click on Permissions and then the green + button. From this point on, it is identical to the Windows client version; select the authentication domain and check that the AD domain is there.
SSO growing in importance
Understanding SSO will be more important in newer versions of vCenter. If you are interested in reading and understanding more about SSO, start with the vSphere 5.1 manual here.
As an addendum, VMware recommends that administrators with large sites upgrade from the 5.1 SSO to the latest SSO for added functionality and reliability. This process is relatively simple and does not require a vCenter upgrade.