vCenter Server users and groups are authenticated by the vCenter Single Sign On server.

In product versions earlier than vCenter Server 5.1, when users connect to vCenter Server, they were authenticated when vCenter Server validated their credentials against an Active Directory domain or the list of local operating system users. In vCenter Server 5.1, users authenticate through vCenter Single Sign On.

The default Single Sign-On administrator is admin@System-Domain with the password you specified at installation. You use these credentials to log in to the Single Sign-On administration tool in the vSphere Web Client. You can then assign Single Sign-On administrator privileges to users who are allowed to manage the Single Sign-On server. These users might be different from the users that administer vCenter Server.


On the vCenter Server Appliance, local operating system administrators (for example, root) also have vCenter Single Sign-On administrator privileges.

The following information is important for you to manage users and groups.

Logging in to the vSphere Web Client with Windows session credentials is supported only for Active Directory users of the domain to which the Single Sign On system belongs.

ESXi 5.1 is not integrated with vCenter Single Sign-On, and you cannot create ESXi users with the vSphere Web Client. You must create and manage ESXi users with the vSphere Client. vCenter Server is not aware of users that are local to ESXi. In addition, ESXi is not aware of vCenter Server users. However, you can configure Single Sign-On to use an Active Directory domain as an identity source, and configure ESXi to point to the same Active Directory domain to obtain user and group information. This action allows the same set of users to be available to the host and to vCenter Server.