After installing the new vCenter Server in my office, everyone, my colleagues included, was logging into vCenter with the Administrator@vsphere.local account. (When vCenter Server is installed, a default vsphere.local SSO directory is created in the PSC (Platform Services Controller). vCenter Single Sign-On (SSO) is an authentication broker and acts as a security token exchange. In the vsphere.local domain the Administrator user currently has complete global rights and privileges.) I wanted to add my Microsoft Active Directory users and groups to vCenter so I can assign permissions per user or group and audit vCenter tasks and events against individual accounts rather than one shared login. Before adding my domain to the PSC (Platform Services Controller) vCenter SSO (Single Sign-On) configuration, I created a few users and a group in Microsoft AD beforehand. My AD domain name is vcloud-lab.com. I created one group named vCenterAdmins, and all my vCenter administrator users are members of this group, as shown in the screenshot below.
SSO administration and configuration is done through the vSphere Web Client; it is not available in the old vSphere desktop client. The vSphere Web Client URL is https://vcenter FQDN or IP/vsphere-client. The Administrator@vsphere.local password is the one set during vCenter Server installation. A complete step-by-step installation can be found here: PART 2 : VCENTER SERVER 6.0 INSTALLATION ON WINDOWS 2012 R2.
On the left side expand Single Sign-On >> Configuration >> Identity Sources >> and click the green + button. Other SSO settings can also be configured here, such as SSO user password policies, certificates, etc.
In the Add identity source popup box, choose Active Directory as an LDAP Server. Make sure you fill in all the information correctly:
Name: Active Directory domain name
Base DN for users: the OU or container where the users reside.
Domain Name: Active Directory domain name
Domain alias: Active Directory NetBIOS name
Base DN for groups: the OU or container where the groups reside.
Primary Server URL: ldap://vcloud-lab.com:389 (for a secure connection use ldaps://vcloud-lab.com:686; replace vcloud-lab.com with your own domain name)
Secondary Server URL: for redundancy, add the LDAP URL of another domain controller.
If you are unsure about the DN (distinguished name), you can find it in Active Directory. Open Active Directory Users and Computers (DSA.MSC), right-click the OU where your users and groups reside (in my case both are in the same vcloud-users OU), choose Properties, go to the Attribute Editor tab, find distinguishedName, select it and click View, then copy the string (4th point) and use it in the Add identity source screenshot above. (If the Attribute Editor tab is not visible, go to the View menu in the top menu bar and click Advanced Features.)
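Because a typo in the base DN or the server URL is the usual reason an identity source fails to bind, and because a plain ldap:// URL carries the bind credentials in cleartext, it helps to sanity-check the values before typing them into the Add identity source dialog. The script below is an added example and not part of the original post or of any VMware tool: it builds a DN from a DNS domain and OU path (the same string the Attribute Editor shows), and runs a few checks over a dictionary holding the dialog's fields. The field names in the dictionary and the dc01/dc02 host names are assumptions for the example; vcloud-lab.com and the vcloud-users OU come from the post.

```python
"""Pre-flight checks for vCenter SSO 'Add identity source' values (added example)."""
from urllib.parse import urlsplit

LDAP_PORT = 389    # cleartext LDAP
LDAPS_PORT = 636   # standard LDAP over TLS port


def dn_from_domain(domain: str, *ou_path: str) -> str:
    """Build a distinguished name from a DNS domain and an OU path given
    outermost-first, e.g. ('vcloud-lab.com', 'vcloud-users')
    -> 'OU=vcloud-users,DC=vcloud-lab,DC=com'."""
    labels = domain.split(".")
    if not domain or any(not label for label in labels):
        raise ValueError(f"bad domain name: {domain!r}")
    # LDAP writes the most specific RDN first, so the OU path is reversed.
    rdns = [f"OU={ou}" for ou in reversed(ou_path)]
    rdns += [f"DC={label}" for label in labels]
    return ",".join(rdns)


def check_identity_source(cfg: dict) -> list:
    """Return a list of findings (empty list means nothing to fix).
    cfg keys (assumed names): domain, users_base_dn, groups_base_dn,
    primary_url, secondary_url."""
    findings = []
    domain = cfg.get("domain", "").lower()
    expected_suffix = ",".join(f"DC={label}" for label in domain.split("."))

    # Both base DNs must be syntactically a DN and belong to this domain.
    for key in ("users_base_dn", "groups_base_dn"):
        dn = cfg.get(key, "")
        parts = [p.strip() for p in dn.split(",")]
        if not dn or any("=" not in p for p in parts):
            findings.append(f"{key}: not a valid DN: {dn!r}")
            continue
        if not dn.lower().endswith(expected_suffix.lower()):
            findings.append(f"{key}: DN does not end with {expected_suffix}")

    # Server URLs: scheme, port and host must match what the dialog expects.
    for key in ("primary_url", "secondary_url"):
        url = cfg.get(key)
        if not url:
            if key == "primary_url":
                findings.append("primary_url: required")
            else:
                findings.append("secondary_url: empty, no redundancy if the primary DC is down")
            continue
        u = urlsplit(url)
        if u.scheme == "ldap":
            findings.append(f"{key}: ldap:// sends the bind credentials in cleartext; prefer ldaps://")
            if u.port not in (None, LDAP_PORT):
                findings.append(f"{key}: unusual port {u.port} for ldap (standard is {LDAP_PORT})")
        elif u.scheme == "ldaps":
            if u.port not in (None, LDAPS_PORT):
                findings.append(f"{key}: unusual port {u.port} for ldaps (standard is {LDAPS_PORT})")
        else:
            findings.append(f"{key}: unknown scheme {u.scheme!r}")
        host = (u.hostname or "").lower()
        if host and host != domain and not host.endswith("." + domain):
            findings.append(f"{key}: host {host} is not in domain {domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample matching the post's values, plus a hardened variant.
    as_posted = {
        "domain": "vcloud-lab.com",
        "users_base_dn": dn_from_domain("vcloud-lab.com", "vcloud-users"),
        "groups_base_dn": dn_from_domain("vcloud-lab.com", "vcloud-users"),
        "primary_url": "ldap://vcloud-lab.com:389",
        "secondary_url": "",
    }
    hardened = dict(as_posted, primary_url="ldaps://dc01.vcloud-lab.com",
                    secondary_url="ldaps://dc02.vcloud-lab.com")
    for label, cfg in (("as posted", as_posted), ("hardened", hardened)):
        print(label, "->", check_identity_source(cfg) or "OK")
```

Run it as-is and the "as posted" configuration reports the cleartext ldap:// URL and the missing secondary server, while the ldaps:// variant with two domain controllers comes back clean.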
I am making the newly added domain the default. Click on the domain, then click the Default button as in the screenshot below. A warning message appears: This will alter your current default domain. Do you want to proceed? Press Yes to proceed. (By doing this I don't need to specify the domain when logging in.)
Next is assigning permissions on the vCenter objects. Click the Home button to explore the inventory, choose Hosts and Clusters, and select the vCenter Server in the left navigator pane.
With vCenter selected (in my case I am granting access on the complete vCenter; it is also possible to grant access on a virtual datacenter, an ESXi host, virtual machines, networks or datastores for isolated access provisioning), select the Manage tab, then click the Permissions button and click the green + plus icon. The next screen is populated with roles (several default roles come with vCenter, e.g. Read-only and Administrator). I intend to grant Administrator access to users and groups, which will be propagated to all the objects below once the Propagate to children checkbox is ticked. Click the Add button to add the users or groups to whom the Administrator role needs to be assigned. In the Domain drop-down box select the newly added Active Directory domain. As in the first screenshot in this article, I have already created the vCenterAdmins group ahead of time, and all my vCenter administrator users are members of it. I search for the required group and add it; clicking OK twice applies the permission.
The added group should look like below.
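The "Propagate to children" choice above decides how far a permission reaches, and the note about granting access on a single datacenter or VM instead of the whole vCenter is where least privilege comes in. The following is an added example, not VMware code or anything from the original post: a small model of how vSphere resolves the effective role of a principal on an object (the nearest object up the tree that holds a permission for that principal decides; a permission on an ancestor only counts if it propagates). The inventory objects, the Auditors and LabOps groups and the "Lab operator" custom role are constructed for the example; the vCenterAdmins group and the Administrator and Read-only roles are from the post or are standard vCenter roles.

```python
"""Simplified model of vSphere permission propagation (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Permission:
    principal: str   # e.g. 'VCLOUD-LAB\\vCenterAdmins'
    role: str        # e.g. 'Administrator'
    propagate: bool  # the 'Propagate to children' checkbox


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    permissions: list = field(default_factory=list)

    def grant(self, principal: str, role: str, propagate: bool) -> None:
        self.permissions.append(Permission(principal, role, propagate))


def effective_role(obj: InventoryObject, principal: str) -> Optional[str]:
    """Walk from obj towards the root. The first object holding a permission
    for the principal decides; on ancestors only propagating entries apply.
    Returns None when the principal has no access to obj at all."""
    node, depth = obj, 0
    while node is not None:
        for perm in node.permissions:
            if perm.principal == principal and (depth == 0 or perm.propagate):
                return perm.role
        node, depth = node.parent, depth + 1
    return None


def build_sample_inventory() -> dict:
    """Constructed inventory: vCenter -> two datacenters -> cluster -> VM."""
    vc = InventoryObject("vcenter")
    prod_dc = InventoryObject("Prod DC", vc)
    lab_dc = InventoryObject("Lab DC", vc)
    prod_cluster = InventoryObject("Prod Cluster", prod_dc)
    prod_vm = InventoryObject("prod-vm01", prod_cluster)
    lab_vm = InventoryObject("lab-vm01", lab_dc)

    # What the post configures: the AD admin group, Administrator, propagated.
    vc.grant("VCLOUD-LAB\\vCenterAdmins", "Administrator", propagate=True)
    # Constructed: auditors may read everything, but one VM is carved out.
    vc.grant("VCLOUD-LAB\\Auditors", "Read-only", propagate=True)
    prod_vm.grant("VCLOUD-LAB\\Auditors", "No access", propagate=False)
    # Constructed: lab operators get a custom role only inside the lab datacenter,
    # and a non-propagating Read-only entry at the root (visible there only).
    vc.grant("VCLOUD-LAB\\LabOps", "Read-only", propagate=False)
    lab_dc.grant("VCLOUD-LAB\\LabOps", "Lab operator", propagate=True)

    return {o.name: o for o in (vc, prod_dc, lab_dc, prod_cluster, prod_vm, lab_vm)}


if __name__ == "__main__":
    inv = build_sample_inventory()
    for group in ("vCenterAdmins", "Auditors", "LabOps"):
        principal = "VCLOUD-LAB\\" + group
        roles = {name: effective_role(obj, principal) for name, obj in inv.items()}
        print(f"{principal}: {roles}")
```

Two things the walk makes visible: a permission set on a child object (the auditors' "No access" on prod-vm01) overrides the propagated one from the root, and a non-propagating entry at the root grants nothing further down, so LabOps sees the vCenter object itself but reaches the lab datacenter only through the permission placed there.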