vSphere users are defined in an identity source. An identity source can be a directory service like Active Directory and Open LDAP; a database that is internal to the system where vCenter Single Sign On is installed; or operating system users that are local to the system where Single Sign On is installed. You can register more than one identity source with the vSphere Web Client.

A directory service such as Active Directory is set up and configured in your environment.

Ensure that you have vCenter Single Sign On administrator privileges.


Browse to Administration > Sign-On and Discovery > Configuration in the vSphere Web Client.


On the Identity Sources tab, click the Add Identity Source icon.


Select the type of identity source.



Active Directory (Integrated Windows Authentication)

The identity source is a Microsoft Active Directory server. Active Directory versions 2003 and later are supported. Set up your Active Directory domain, including Kerberos, following the instructions on the Microsoft Web site.

Active Directory as a LDAP Server

This option is supported for backward compatibility with the vCenter Single Sign-On service included with vSphere 5.1. Use a native Active Directory identity source instead.


The identity source is an OpenLDAP server. OpenLDAP versions 2.4 and later are supported.

Local Operating System

Users local to the operating system where the vCenter Single Sign-On service is installed (for example, Windows). Only one local operating system identity source is supported.


Enter the identity source settings.



Active Directory (Integrated Windows Authentication)

Use this option for native Active Directory implementations. See GUID-4D24C6E8-63F5-4E35-862E-B59A03703254#GUID-4D24C6E8-63F5-4E35-862E-B59A03703254.

Active Directory as an LDAP Server

This option is available for backward compatibility. It requires that you specify the domain controller and other information. See GUID-98B36135-CDC1-435C-8F27-5E0D0187FF7E#GUID-98B36135-CDC1-435C-8F27-5E0D0187FF7E.


Use this option for an OpenLDAP identity source. See GUID-98B36135-CDC1-435C-8F27-5E0D0187FF7E#GUID-98B36135-CDC1-435C-8F27-5E0D0187FF7E.


Use this option to add the local operating system as an identity source. You are prompted only for the name of the local operating system. If you select this option, all users on the specified machine are visible to vCenter Single Sign-On, even if those users are not part of another domain.


When you use the authentication type Password for an identity source, you must update the identity source details whenever the password changes for the configured user. You update the password on the Edit Identity Source dialog box.

If the user account is locked or disabled, authentications and group and user searches in the Active Directory domain will fail. The user account must have read-only access over the User and Group OU, and must be able to read user and group attributes. This is the default Active Directory domain configuration for user permissions. VMware recommends using a special service user.


Click Test Connection to ensure that you can connect to the identity source.


Click OK.