When a vSphere Client or vCenter Server user connects to ESXi, a connection is established with the VMware Host Agent process. The process uses the user names and passwords for authentication.

ESXi authenticates users accessing hosts using the vSphere Client or SDK. The default installation of ESXi uses a local password database for authentication.

ESXi uses the Pluggable Authentication Modules (PAM) structure for authentication when users access the ESXi host using the vSphere Client. The PAM configuration for VMware services is located in /etc/pam.d/system-auth-generic, which stores paths to authentication modules. Changes to this configuration affect all host services.

The reverse proxy in the VMware Host Agent process listens on ports 80 and 443. vSphere Client or vCenter Server users connect to the host agent through these ports. The host process receives the user name and password from the client and forwards them to the PAM module to perform the authentication.

The following figure shows a basic example of how the host authenticates transactions from the vSphere Client.


CIM transactions also use ticket-based authentication in connecting with the host process.

Authentication for vSphere Client Communications with ESXi
Authentication for vSphere client communications with ESXi

To make sure that authentication works efficiently for your site, perform basic tasks such as setting up users, groups, permissions, and roles, configuring user attributes, adding your own certificates, and determining whether you want to use SSL.