When a vSphere Client or vCenter Server user connects to a ESX host, a connection is established with the VMware Host Agent process. The process uses the user names and passwords for authentication.

ESX uses the Pluggable Authentication Modules (PAM) structure for authentication when users access the ESX host using the vSphere Client, vSphere Web Access, or the service console. The PAM configuration for VMware services is located in /etc/pam.d/vmware-authd, which stores paths to authentication modules.

The default installation of ESX uses /etc/passwd authentication as Linux does, but you can configure ESX to use another distributed authentication mechanism. If you plan to use a third-party authentication tool instead of the ESX default implementation, see the vendor documentation for instructions. As part of setting up third-party authentication, you might be required to update the files in /etc/pam.d folder with new module information.

The reverse proxy in the VMware Host Agent (vmware-hostd) process listens on ports 80 and 443. vSphere Client or vCenter Server users connect to the host agent through these ports. The vmware-hostd process receives the user name and password from the client and forwards them to the PAM module to perform the authentication.

Authentication for vSphere Client Communications with ESX shows a basic example of how ESX authenticates transactions from the vSphere Client.

Note

CIM transactions also use ticket-based authentication in connecting with the vmware-hostd process.

Authentication for vSphere Client Communications with ESX
Authentication for vSphere client communications with ESX

ESX authentication transactions with vSphere Web Access and third-party network management clients are also direct interactions with the vmware-hostd process.

To make sure that authentication works efficiently for your site, perform basic tasks such as setting up users, groups, permissions, and roles, configuring user attributes, adding your own certificates, and determining whether you want to use SSL.