vSphere users are defined in an identity source. An identity source can be a directory service like Active Directory and Open LDAP; a database that is internal to the system where vCenter Single Sign On is installed; or operating system users that are local to the system where Single Sign On is installed. You can register more than one identity source with the vSphere Web Client.

A directory service such as Active Directory is set up and configured in your environment.

Ensure that you have vCenter Single Sign On administrator privileges.


Browse to Administration > Sign-On and Discovery > Configuration in the vSphere Web Client.


On the Identity Sources tab, click the Add Identity Source icon.


Select the type of identity source.




The identity source is an OpenLDAP server. OpenLDAP versions 2.4 and later are supported.

Active Directory

The identity source is a Microsoft Active Directory server. Active Directory versions 2003 and later are supported.

Local Operating System

Users local to the operating system where Single Sign On is installed (for example, Windows). There can be only one local operating system identity source.


Enter the identity source settings.




The name of the identity source

Primary server URL

For Open LDAP and Active Directory, use the format ldap://hostname:port or ldaps://hostname:port

A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use ldaps:// in the primary or secondary LDAP URL.

For OpenLDAP and Active Directory, the port is typically 389 for ldap: connections and 636 for ldaps: connections.

For Active Directory multi-domain controller deployments, the port is typically 3268 for ldap: connections and 3269 for ldaps: connections.

Secondary server URL

(Optional) Address of a secondary LDAP server used for failover.

Base DN for users

The base Distinguished Name for users.

Domain name

The domain's DNS name.

Domain alias

(Optional) The domain's NetBIOS name.

Base DN for groups

The base Distinguished Name for groups.

Authentication type

Anonymous: The identity source server uses no authentication.

Password: The identity source server uses a combination of user name and password for authentication.

Reuse Session: The Single Sign On server reuses the process session credentials to authenticate against the external server.

This type of authentication is supported only if the identity source is an Active Directory server and the Single Sign On server runs as a user that has been authenticated against the same Windows domain to which the Active Directory server belongs.

User name

The ID of an Active Directory user with a minimum of read-only access to Base DN for users and groups.


The password of the Active Directory user with a minimum of read-only access to Base DN for users and groups.


When you use the authentication type Password for an identity source, you must update the identity source details whenever the password changes for the configured user. You update the password on the Edit Identity Source dialog box.

If the user account is locked or disabled, authentications and group and group and user searches in the Active Directory domain will fail. The user account must have read-only access over the User and Group OU, and must be able to read user and group attributes. This is the default Active Directory domain configuration for user permissions. VMware recommends using a special service user to ensure that the password does not expire and lock out or disable the user account.


Click Test Connection to ensure that you can connect to the identity source.


Click OK.