vCenter Server uses vCenter Single Sign-On to authenticate users.

In product versions earlier than vCenter Server 5.1, users who connected to vCenter Server were authenticated when vCenter Server validated their credentials against an Active Directory domain or the list of local operating system users. In vCenter Server 5.1, users authenticate through vCenter Single Sign-On.

The default Single Sign-On administrator is admin@System-Domain with the password you specified at installation. You use these credentials to log in to the Single Sign-On administration tool in the vSphere Web Client. You can then assign Single Sign-On administrator privileges to users who are allowed to manage the Single Sign-On server. These users might be different from the users that administer vCenter Server.


On the vCenter Server Appliance, local operating system administrators (for example, root) also have vCenter Single Sign-On administrator privileges.

Keep the following points in mind when you manage users and groups.

Logging in to the vSphere Web Client with Windows session credentials is supported only for Active Directory users of the domain to which the Single Sign-On system belongs.

ESXi 5.1 is not integrated with vCenter Single Sign-On, and you cannot create ESXi users with the vSphere Web Client. You must create and manage ESXi users with the vSphere Client. vCenter Server is not aware of users that are local to ESXi. In addition, ESXi is not aware of vCenter Server users. However, you can configure Single Sign-On to use an Active Directory domain as an identity source, and configure ESXi to point to the same Active Directory domain to obtain user and group information. This action allows the same set of users to be available to the host and to vCenter Server.

If more than one user known to vCenter Single Sign-On has the same user name, Single Sign-On authenticates the user against the default domains in the order specified on the Identity Sources tab in the Single Sign-On administration tool. For example, a user named VMadmin exists in the domain System-Domain, the identity source internal to Single Sign-On. A second user, also named VMadmin, exists in the domain localos, the identity source local to the operating system (for example, Linux). By default, Single Sign-On validates the user against the local operating system. The user VMadmin is authenticated and logs in as VMadmin@localos. If VMadmin@localos has not been granted Single Sign-On administrator privileges, the user cannot access the Single Sign-On administration tool or perform Single Sign-On administrative tasks.

To prevent unintentionally logging in as a user from another domain, specify the domain when you log in to the vSphere Web Client. For example, log in as admin@System-Domain rather than as admin.
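The following added example (not VMware code) models the duplicate-name resolution and the domain-qualified login described above as a small audit check. It assumes that an unqualified login resolves to the first default domain, in Identity Sources order, that contains the user name; the user lists, the administrator set and all function names are constructed for illustration.

```python
# Added example: simplified model of how an unqualified login name resolves
# across Single Sign-On default domains. Assumption: the first default domain
# in Identity Sources order that contains the name wins (exact-match names).

# Constructed sample data, not exported from a real system.
DEFAULT_DOMAIN_ORDER = ["localos", "System-Domain"]
USERS_BY_DOMAIN = {
    "localos": {"root", "VMadmin"},
    "System-Domain": {"admin", "VMadmin"},
}
SSO_ADMINS = {"admin@System-Domain", "VMadmin@System-Domain"}


def resolve_login(name, order=DEFAULT_DOMAIN_ORDER, users=USERS_BY_DOMAIN):
    """Return the user@domain principal a login name resolves to, or None."""
    if "@" in name:
        # Domain-qualified login: no search order is involved.
        user, domain = name.rsplit("@", 1)
        return name if user in users.get(domain, set()) else None
    for domain in order:
        if name in users.get(domain, set()):
            return f"{name}@{domain}"
    return None


def find_ambiguous_names(order=DEFAULT_DOMAIN_ORDER, users=USERS_BY_DOMAIN,
                         admins=SSO_ADMINS):
    """Report user names that exist in more than one default domain."""
    findings = []
    all_names = set().union(*(users.get(d, set()) for d in order))
    for name in sorted(all_names):
        domains = [d for d in order if name in users.get(d, set())]
        if len(domains) < 2:
            continue
        resolved = f"{name}@{domains[0]}"
        shadowed = [f"{name}@{d}" for d in domains[1:]]
        findings.append({
            "name": name,
            "resolves_to": resolved,
            "shadowed": shadowed,
            "resolved_is_sso_admin": resolved in admins,
            # Admin accounts that an unqualified login will never reach.
            "shadowed_sso_admins": [p for p in shadowed if p in admins],
        })
    return findings


if __name__ == "__main__":
    for finding in find_ambiguous_names():
        print(finding)
```

With the constructed data, VMadmin resolves to VMadmin@localos, which has no Single Sign-On administrator privileges, while VMadmin@System-Domain is reachable only through a domain-qualified login.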