Set up vCenter identity sources to use Active Directory

VMware vCenter supports different identity sources for authentication of users who access vCenter. Your private cloud vCenter can be set up to authenticate with Active Directory to let your VMware administrators access vCenter. When the setup is complete, the CloudOwner user can add users from the identity source to vCenter.

You can set up your Active Directory domain and domain controllers in any of the following ways:

  • Active Directory domain and domain controllers running on-premises
  • New Active Directory domain and domain controllers running in your private cloud

Before adding an identity source, temporarily elevate your vCenter privileges.

Identity source options

Add on-premises Active Directory as a single sign-on identity source

To set up your on-premises Active Directory as a single sign-on (SSO) identity source, you need:

  • A site-to-site VPN connection from your on-premises data center to your private cloud.
  • An on-premises DNS server IP added to your vCenter and Platform Services Controller (PSC).

The following table lists the information you need when setting up your on-premises Active Directory domain as an SSO identity source on vCenter.

  • Name: The name of the identity source.
  • Base DN for users: The base distinguished name for users.
  • Domain name: The FQDN of the domain, for example, example.com. Don't provide an IP address in this field.
  • Domain alias: The domain NetBIOS name. If you are using SSPI authentication, add the NetBIOS name of the Active Directory domain as an alias of the identity source.
  • Base DN for groups: The base distinguished name for groups.
  • Primary Server URL: The primary domain controller LDAP server for the domain. Use the format ldap://hostname:port or ldaps://hostname:port. The port is typically 389 for LDAP connections and 636 for LDAPS connections. For Active Directory multi-domain controller deployments, the port is typically 3268 for LDAP and 3269 for LDAPS. A certificate that establishes trust for the LDAPS endpoint of the Active Directory server is required when you use ldaps:// in the primary or secondary LDAP URL.
  • Secondary server URL: The address of a secondary domain controller LDAP server that is used for failover.
  • Choose certificate: To use LDAPS with your Active Directory LDAP server or OpenLDAP server identity source, click the Choose certificate button that appears after you type ldaps:// in the URL text box. A secondary server URL isn't required.
  • Username: The ID of a user in the domain who has a minimum of read-only access to the base DN for users and groups.
  • Password: The password of the user who is specified by Username.

For more information about SSO identity sources, see the VMware documentation.
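As an added example (not code from this page or from VMware), the following Python check validates a set of identity source parameters against the rules stated in the table above: an ldap:// or ldaps:// URL with one of the usual ports, a trusted certificate whenever ldaps:// is used, an FQDN rather than an IP address as the domain name, and a NetBIOS alias when SSPI is in use. The IdentitySource container, its field names and the sample values are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Typical ports from the page: 389/636 per domain controller, 3268/3269 for multi-DC deployments.
EXPECTED_PORTS = {"ldap": {389, 3268}, "ldaps": {636, 3269}}

@dataclass
class IdentitySource:  # hypothetical container for the table's fields
    domain_name: str
    domain_alias: str
    primary_url: str
    secondary_url: str = ""
    has_ldaps_certificate: bool = False
    uses_sspi: bool = False

def check_url(url: str, label: str, has_cert: bool) -> list:
    parts = urlsplit(url)
    if parts.scheme not in EXPECTED_PORTS:
        return [f"{label}: scheme must be ldap:// or ldaps://, got {url!r}"]
    findings = []
    if parts.scheme == "ldap":
        # A simple bind over ldap:// sends the bind password in cleartext.
        findings.append(f"{label}: ldap:// is unencrypted; prefer ldaps://")
    if parts.port is None:
        findings.append(f"{label}: no port given; use hostname:port")
    elif parts.port not in EXPECTED_PORTS[parts.scheme]:
        findings.append(f"{label}: port {parts.port} is unusual for {parts.scheme}")
    if parts.scheme == "ldaps" and not has_cert:
        findings.append(f"{label}: ldaps:// needs a trusted DC certificate")
    return findings

def check_identity_source(src: IdentitySource) -> list:
    findings = []  # empty list means the settings pass every check
    try:
        ipaddress.ip_address(src.domain_name)
        findings.append("domain name must be the FQDN, not an IP address")
    except ValueError:
        pass  # not an IP literal, as required
    if src.uses_sspi and not src.domain_alias:
        findings.append("SSPI authentication needs the NetBIOS name as alias")
    findings += check_url(src.primary_url, "primary URL", src.has_ldaps_certificate)
    if src.secondary_url:
        findings += check_url(src.secondary_url, "secondary URL", src.has_ldaps_certificate)
    return findings

# Constructed sample: the weak settings beside the corrected ones.
WEAK = IdentitySource("10.0.0.5", "", "ldaps://dc01.example.com:636", uses_sspi=True)
FIXED = IdentitySource("example.com", "EXAMPLE", "ldaps://dc01.example.com:636",
                       "ldaps://dc02.example.com:636", has_ldaps_certificate=True, uses_sspi=True)
```

Running check_identity_source on WEAK reports the IP-as-domain, missing alias and missing certificate problems, while FIXED returns no findings.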

Set up a new Active Directory on a private cloud

You can set up a new Active Directory domain on your private cloud and use it as an identity source for SSO. The Active Directory domain can be a part of an existing Active Directory forest, or it can be set up as an independent forest.

New Active Directory forest and domain

To set up a new Active Directory forest and domain, you need:

  • One or more VMs running Microsoft Windows Server to use as domain controllers for the new Active Directory forest and domain.
  • One or more VMs running DNS service for name resolution.

For detailed steps, see Install a New Windows Server 2012 Active Directory Forest.

For high availability of services, Google recommends that you set up multiple domain controllers and DNS servers.

After setting up the Active Directory forest and domain, you can add an identity source on vCenter for your new Active Directory.

New Active Directory domain in an existing Active Directory forest

To set up a new Active Directory domain in an existing Active Directory forest, you need:

  • A site-to-site VPN connection to your Active Directory forest location.
  • A DNS server to resolve the name of your existing Active Directory forest.

For more information, see Installing a New Windows Server 2012 Active Directory Child or Tree Domain.

After setting up the Active Directory domain, you can add an identity source on vCenter for your new Active Directory.

Add an identity source on vCenter

  1. Elevate privileges on your private cloud.
  2. Sign in to the vCenter for your private cloud.
  3. Select Home > Administration.
  4. Select Single Sign On > Configuration.
  5. Open the Identity Sources tab and click +Add to add a new identity source.
  6. Select Active Directory as an LDAP Server, and click Next.
  7. Specify the identity source parameters for your environment, and click Next.
  8. Review the settings, and click Finish.

What's next