Although it is possible to authenticate to a VMware vCenter Server (VCSA) server with a local user account (defined on that server), it is also possible to join that server to an Active Directory domain to be able to log in. authenticate with a user in your Active Directory domain.

1. Join vCenter Server (VCSA) to an Active Directory domain
2. Add an identity source
3. View list of Active Directory users
4. Add a member to a group
5. Logging in with an Active Directory user account

1. Join vCenter Server (VCSA) to an Active Directory domain

To get started, log in as "administrator@vsphere.local" to your VMware vCenter Server via the address: https://vcsa.informatiweb.lan/ui/
Then go to: Menu -> Administration.

Then, in the left menu, go to: Single Sign-On -> Configuration.
Then, in the “Active Directory Domain” tab, click: Join AD.

In the "Join Active Directory Domain" box that appears, indicate:

• Domain: the name of the Active Directory domain to join.
• Organizational Unit (optional): the organizational unit (folder) in which to create the computer account for your vCenter Server on your Active Directory domain controller.
  For example, if you created an organizational unit "ESXi_Servers" at the root of your AD domain "domain.lan", you would specify this LDAP path: OU=ESXi_Servers,DC=domain,DC=lan
• Username: name of the user in the format "[AD user account name]@[ad domain name where the user is located]" who has the necessary permissions to join a computer/server to your domain Active Directory.
  In our case, we used the Administrator account of our AD domain.
  Note that the format "[NETBIOS domain name]\[username]" is NOT supported.
• Password: password of this user.

Then click: Join.

Important : using a read-only domain controller (RODC) is not supported.

Once the join to your AD domain is complete, this message will be displayed:

Node vcsa.informatiweb.lan has joined the active directory successfully. Reboot the node to apply changes.

To restart your VMware vCenter Server from this vSphere Client:

• go to "Deployment -> System Configuration"
• select the server you just joined to your AD domain
• click: Reboot node

Specify a reason for restarting the node and click: Reboot.
For example: Joining the Active Directory.

Note that restarting this node will have several consequences:

• stopping current tasks
• temporary disconnection of users who are currently connected to it
• the DRS (Distributed Resource Scheduler) and vMotion (migrating VMs from one host to another) features will be temporarily unavailable
• if a PSC is present on this node, SSO, license management and the certificates present on it will be temporarily unavailable

The list of nodes reappears.

If you open the VCSA (vCenter Server Appliance) console from the "VMware Host Client" web interface of your VMware ESXi host, you will see that the shutdown may take a few minutes.

Plain Text

[ ***] (1 of 2) A stop job is running for VMware Service Lifecycle Manager (40s / 3min)

Once the reboot is complete, the blue and gray VCSA console (if applicable) will reappear.

If you try to access the VCSA web interface too quickly, you may receive this error:

503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20 NamedPipeServiceSpecE:0x0000560c737eed50] _...

If this is the case, wait another 1 minute and try again, now the "VMware vSphere" login page will appear without problem.
This is simply because VMware vCenter Server is made up of many services and therefore it takes time before all of these services have finished starting.

To see information about joining your Active Directory domain, go back to: Menu -> Administration -> Single Sign-On -> Configuration -> Active Directory Domain.
As you can see, our server "vcsa.informatiweb.lan" is joined to the Active Directory domain "INFORMATIWEB.LAN" and the LDAP path for the OU had not been specified.

2. Add an identity source

To add an identity source, go to: Menu -> Administration -> Single Sign-On -> Configuration -> Identity Sources.
Then, click on: Add identity source.

Since you just linked your vCenter Server to your Active Directory domain, you can add the identity source for the same Active Directory domain more quickly.

For that :

• select "Identity source type: Active Directory (Windows Integrated Authentication)".
• indicate the domain name you just joined.
• select "Use machine account." This AD object was automatically created on your domain controller when you joined your vCenter Server to your Active Directory domain.
• click: Add.

The new identity source of type "Active Directory (Windows Integrated Authentication)" appears in the list.

3. View list of Active Directory users

As explained previously, adding an identity source allows you to use user accounts present on an Active Directory domain controller to connect to this vSphere Client.
To check this, go to: Single Sign-On -> Users and Groups -> Users.

By default, the selected domain and the SSO domain created when deploying VMware vCenter Server (or VCSA).
The default SSO domain is "vsphere.local".

If you open the "Domain" list, you will see your Active Directory domain appear.
If you select it, you will see that the list of users present in this Active Directory domain will appear.

For example: in our case, we can see our user "InformatiUser" appear.

4. Add a member to a group

As a demonstration, we will add a user from our Active Directory domain to the “Administrators” group of vCenter Server.
To do this, go to the “Groups” tab and click on the group name “Administrators”.

Next, click on the link: Add Members.

In the "Add Members" line, select your Active Directory domain name (eg: informatiweb.lan) from the list, then type the name of a user in the following box.
In our case, we specify "Administrator" and vCenter Server finds the "Administrator" user account in our Active Directory domain.

Click on this user's name.

The Administrator account appears in the list of members of this group.
Click Save.

As you can see, the user from our Active Directory domain has been added to the "Administrators" group of VMware vCenter Server.

5. Logging in with an Active Directory user account

Log out of the vSphere Client (by clicking your username at the top right of the page), then attempt to log in with the Active Directory user account you just added to the VMware "Administrators" group vCenterServer.

In our case, we therefore indicate:

• Administrator@informatiweb.lan
• his password

Then we click on Login.

As expected, we have access to the vSphere Client and we have as many rights as before given that our user account is part of the "Administrators" group of VMware vCenter Server.