Deploying vCenter Single Sign-On as a cluster means that two or more instances of vCenter Single Sign-On are installed in high availability mode. vCenter Single Sign-On high availability mode is not the same as vSphere HA. All instances of vCenter Single Sign-On use the same database and point to the same identity sources. Single Sign-On administrator users see the primary Single Sign-On instance when they connect to vCenter Server through the vSphere Web Client.

In this deployment scenario, the installation process grants admin@System-Domain vCenter Server privileges by default. In addition, the installation process creates the user admin@System-Domain to manage vCenter Single Sign-On.

Note

When you install vCenter Server components with separate installers, you can choose which account or group can log in to vCenter Server upon installation. Specify this account or group on the Single Sign-On Information page of the installer, in the following text box: vCenter Server administrator recognized by vCenter Single Sign-On. For example, to grant a group of domain administrators permission to log in to vCenter Server, type the name of the domain administrators group, such as Domain Admins@VCADSSO.LOCAL.

In high availability and multisite Single Sign-On modes, there is no local operating system identity source. Therefore, entering Administrators or Administrator in the text box vCenter Server administrator recognized by vCenter Single Sign-On does not work. Administrators is treated as the local operating system group Administrators, and Administrator is treated as the local operating system user Administrator.

When you log in as a domain account user or local account user to install vCenter Single Sign-On in cluster mode, on a separate system from the Inventory Service and vCenter Server, the following behavior occurs upon installation.

By default, the user admin@System-Domain can log in to the vSphere Web Client and vCenter Server.

If you are logged in as a domain account user, the default Active Directory identity sources are discovered. If you are logged in as a local account user, Active Directory identity sources are not discovered.