Skip to content

How to add AD Authentication in vCenter 6.5/6.7

The vCenter Server has an internal user database that allows you to add and manage users with the vSphere Web Client. Users management and Single Sign-On is provided by the Platform Service Controller which is available since vSphere 6.0. In a large environment, you might want to connect your virtualization infrastructure to a centrally manage Active Directory.

This article explains how to add AD authentication in vSphere 6.5 and how to get the "Use Windows session authentication" checkbox to work with the enhanced authentication plugin. This works for both, the vCenter Server 6.5 installed on a Windows Server and the vCenter Server Appliance (vCSA).

  1. Open vSphere Web Client (https://[vcenter]/vsphere-client)
  2. Login as Single Sign-On Administrator (Password set during installation)
  3. Navigate to Administration > Single Sign-On > Configuration
  4. Open the Identity Sources tab
  5. Click the green + to add an identity source
  6. Select Identity Source Type:
    A) Active Directory (Integrated Windows Authentication)
    This option works with both, the Windows-based vCenter Server and the vCenter Server Appliance. The underlying system has to be a member of the Active Directory domain. (To join the vCSA to an AD, read this post.)

    B) Active Directory as a LDAP Server
    If the underlying system is not part of the Active Directory domain.
    Fill out the remaining fields as follows:Name: Label for identification
    Base DN for users: The Distinguished Name (DN) of the starting point for directory server searches. Example: If your domain name is virten.lab the DN for the entire directory is "DC=virten,DC=lab".
    Base DN for groups: The Distinguished Name (DN) of the starting point for directory server searches.
    Domain name: Your domain name. Example: "virten.lab"
    Domain alias: Your NetBIOS name. Example: "virten"
    Username: A user in the AD Domain with at least browse privileges. Example virten\vcentersso

    Select "Connect to any domain controller in the domain" of you want to use DNS to identify domain controllers or configure static primary and secondary URLs. When using static entries, you can either query the local directory (Port 389), or the global catalog (Port 3268).
    Example: "ldap://dc01.virten.lab:3268"

  7. Click Next and finish the configuration wizard
  8. Back at Identity Sources your AD should appear in the list and from now on you are able to assign vCenter permissions to users and groups from your active directory.
  9. Select you Active Directory and click the world with arrow button to make AD to your default domain.
  10. To login with AD users, you have to set permissions. To add a AD user as global Administrator navigate to Administration > Access Control > Global Permissions
  11. Click Add permission
  12. Click Add...vsphere60-web-client-add-permission-add
  13. Select the Active Directory domain under Domain, choose a user and press Add
  14. Press OK twice

You should now be able to login to the vCenter 6.5 with your Active Directory account.

Use Windows session authentication

The "Use Windows session authentication" checkbox is disabled unless the Enhanced Authentication Plugin is installed. You can find the download link at the bottom of the login screen.

The vCenter Single Sign-On server is not currently joined to any domain.

When the following message is displayed:

The vCenter Single Sign-On server is not currently joined to any domain. You cannot complete the current operation.

Join the underlying operating system to an Active Directory domain or use this guide to add the vCenter Server Appliance is an AD.

17 thoughts on “How to add AD Authentication in vCenter 6.5/6.7”

  1. Hi fgrehl

    great post as usual!
    Just a question about
    Active Directory (Integrated Windows Authentication) and Active Directory as a LDAP Server?

    What is the suggested method? What do you usually do in a production environment and why?

  2. Greetings, in vSphere 6.5, Global Permissions for Administrators who need to view VMware Licenses. Can you explain this in more detail, currently on the administrator@vsphere.local account can view the licenses. The above account is in the vCenter Administrators group, if you add a new account to this group you still cannot view the licenses. This configuration is NEW in vSphere 6.5.

  3. Hi,
    did someone try to use a ldaps Server already with a root-certification??
    Till 6.0U2a it was working, BUT vsphere 6.5 is not able to handle this, SR by VMware is open since End November 2016 );-(.

  4. Integrated would be used if the vCenter server has been joined to the domain. In a production environment, you may connect to many domains if you have customers from many different orginizations all with their systems installed so it would depend on your situation

  5. Does someone test the integrated or ldap mode with a trusted (two way - single forrest)domain? I want to use the login with Windows session credentials from Domain B, but it does not work.Login with username / Password works but not with the eap plugin. Any suggestions?

  6. Hi fgrehl ,perfect instructions, they work with AD 2008 R2 and Active Directory as an LDAP Server. In September we will have to migrate to Active Directory 2016. I read this, it seems that VCSA 6.5 and 6.7 are not compatible with AD 2016. I have 6.5. What this mean? The AD users can not login to the VCSA? Do you know anything about it?

    1. Hi Michele, we are running vSphere 6.5 U2 and AD 2016 without any problems. Didn´t even know that there is a KB for this ;)

    2. Faced with the same issue. Our AD Team is trying to upgrade now and is hammering me for answers in this. I can’t beleuve VMware is not in this already... they should have stayed out of the SSO business entirely their implementation sucks and has been nothing
      But headaches since 5.1... now they have to keep developing it.. I would rather see development of the thick client over PSC/SSO.. my 2 cents.

  7. Has anyone figured out how to add an integrated windows authentication identity source via script in 6.7? In 6.0 we used the script, but that no longer exists.

  8. Is this site aware? Does "connect to any domain controller in the domain" check only the local site? Or does it randomly pick any DC in the domain (even the ones in China when you are in the UK - see the problem?)

Leave a Reply to Nigel Cancel reply

Your email address will not be published. Required fields are marked *