Get started Bring yourself up to speed with our introductory content.

Introduction to alternate authentication with vCenter SSO

Starting with vSphere 5, VMware brought single sign-on functionality to vCenter to give administrators another way to manage identities.

Version 5 of vSphere introduced single sign-on (SSO) infrastructure, implemented primarily to allow the infrastructure, such as vCenter and the Web Client, to be put on separate virtual machines. SSO is the communication conduit that allows administrators to avoid putting everything on one vCenter Server. However, a lot of people misunderstand what SSO is and how it works.

What is SSO?

SSO is an alternate authentication system for VMware user management, service management and authentication. VCenter SSO sits alongside Active Directory (AD) infrastructure as another authentication method for vCenter.

Those who have run the "simple install" for vCenter need not worry about implementing SSO, as it will enumerate and add the current AD setup when given the correct credentials. Make sure to run the installation while logged in as a domain administrator, not a local administrator; otherwise, there will be issues adding domain users into vCenter.

How to set up vCenter SSO

For those who have multiple domains -- or simply wish to add a new one -- the process of implementing SSO is straightforward. New users should note that most SSO modifications need to be done through the Web Client.

In a fresh installation, be mindful of the two different user accounts. The first is [email protected], the SSO administration account. The other account -- [email protected] -- is the SSO user for the vCenter appliance. This [email protected] account has no rights to modify or interact with the actual VM infrastructure. It can only be used to modify SSO users, security credentials and sign-on settings. In the image below we are using the [email protected] account. You can always see which account you are using by looking up at the top-right corner of the Web Client.

The current user in the vSphere Web Client.The vSphere Web Client displays both the vSphere inventory and the logged-in user in the top-right corner of the screen.

The administrator account -- [email protected] -- can interact with VMs, networks and storage. However, don't be confused; this is still an SSO user and not the domain user.

How to add domains

If no AD domains are listed while trying to add users to vCenter, fix this by logging into the Web Client using the [email protected] credentials.

To add domains to vCenter to give rights to users, log in using the password you set when you did the basic install. You will notice many options in the Web Client are grayed out; this is normal because this is just an SSO account.

Next, navigate to Administration>Sign on and Discovery>Identity Sources. This will show all the identity sources installed. To add a new domain for vCenter, click the green + symbol to open the configuration screen. The most common option to pick is Active Directory, but if you need to configure a non-AD Lightweight Directory Access Protocol (LDAP) setup, you can use OpenLDAP.

The last option, Local OS, passes through credentials from an OS level. You can only pick one domain, and this usually has been configured already. For example, in my setup you can see the "VCENTER" entry.

SSO configuration.Configure SSO for the new domain in the vSphere Web Client.

If you want to add an AD domain, select Active Directory and fill out the Identity Source information. You will need a secondary domain controller, because putting the same controller information in both domains will create an error and halt the process.

Once you implement the secondary domain controller, vCenter will process the request. Any issues or errors will appear on the left-hand side. To edit the request, double click on the "Work in Progress" box to display the populated data. If you are not sure of LDAP conventions or what the LDAP setup is, you can use ADSI Edit to get this information from the domain controller.

How to add permissions in the new domain

To test the new domain in the vSphere Windows client, log off then log back in. Select your preferred view, navigate to the permissions tab, right-click in the white space and select "Add permissions." Under Users and Groups, select Add and then Domain from the drop-down list. You should see the domain users listed. Assign the roles to the users on the left-hand side and click OK. I would recommend that you create a domain-based group that contains only administrators.

Adding roles to domain users.Add roles to users in the domain using the vSphere Windows client.

To do the same in the Web Client, log in as the administrator. From the menu on the left-hand side, select your preferred view from the inventory tree. On the right-hand side of the Web Client, click on Permissions and then the green + button. From this point on, it is identical to the Windows client version; select the authentication domain and check that the AD domain is there.

Adding permissions in the Web Client.Use the vSphere Web Client to add permissions to users and groups.

SSO growing in importance

Understanding SSO will be more important in newer versions of vCenter. If you are interested in reading and understanding more about SSO, start with the vSphere 5.1 manual here.

As an addendum, VMware recommends that administrators with large sites upgrade from the 5.1 SSO to the latest SSO for added functionality and reliability. This process is relatively simple and does not require a vCenter upgrade.

Dig Deeper on Troubleshooting VMware products