Objective 1.3: Enable SSO and Active Directory Integration

Configure/Manage Active Directory Authentication

Configuration of the VMware Single Sign-On service can only be completed via the vSphere Web Client.

  1. From within the vSphere Web Client Home screen, click Administration in the left hand navigation menu
  2. In the left hand pane under Single Sign-On select Configuration
  3. In the right hand pane select the Identity Sources tab
  4. Click the Green Plus Sign to add a new identity source
  5. Select the Identity Source Type and complete the remaining fields.

Configure/Manage Platform Services Controller (PSC)

The Platform Services Controller (PSC) is new to vSphere 6, though most of the components should be familiar from vSphere 5.x. The PSC is comprised of the following services:

  • Single Sign-On
  • VMware License Server
  • Lookup Service
  • Certificate Authority
  • Certificate Store
  • VMware Directory Services

Deploying vCenter Server with PSC is supported in one of two deployment methods and with varying topologies:

  • vCenter Server with an embedded PSC – All services bundled with the Platform Services Controller are deployed on the same virtual machine or physical server.
  • vCenter Server with an external PSC – The services bundled with the PSC and vCenter Server are deployed on different virtual machines or physical servers. You first must deploy the PSC on one virtual machine or physical server and then deploy vCenter Server on another virtual machine or physical server.

You cannot switch between the two models after deployment; changing the model requires a complete reinstall.

Configure/Manage VMware Certificate Authority (VMCA)

When vSphere is installed for the first time, the default certificates are deployed with a 10-year lifespan. The VMCA generates these self-signed certificates during installation and provisions each ESXi host with a certificate signed by this root certificate authority. Self-signed certificates from earlier versions of vSphere are automatically replaced by new certificates issued from the VMCA's self-signed root.

There are three certificate modes supported in vSphere 6.x:

  • VMCA – By default, the VMware Certificate Authority is used as the CA for ESXi host certificates. VMCA is the root CA by default, but it can be set up as an intermediate CA under another CA. In this mode, users can manage certificates from the vSphere Web Client. This mode is also used when VMCA is a subordinate CA.
  • Custom Certificate Authority – Some customers might prefer to manage their own external certificate authority. In this mode, customers are responsible for managing the certificates and cannot manage them from the vSphere Web Client.
  • Thumbprint Mode –  vSphere 5.5 used thumbprint mode, and this mode is still available as a fallback option for vSphere 6.0. Do not use this mode unless you encounter problems with one of the other two modes that you cannot resolve. Some vCenter 6.0 and later services might not work correctly in thumbprint mode.

If you want to change the Certificate Mode from the default VMCA mode to either Custom or Thumbprint, complete the following:

  • Go to the Hosts and Clusters view in the Web Client
  • In the left hand pane select the vCenter Server
  • In the right hand pane select the Manage tab, then Settings -> Advanced Settings, and click Edit
  • In the Filter box type certmgmt to display only the certificate management keys
  • Scroll down to the setting vpxd.certmgmt.mode and change the value to either custom or thumbprint (the default setting is vmca)
  • Click OK after changing the key value
  • Restart the vCenter Server Service for the changes to be applied

Enable/Disable Single Sign-On (SSO) Users

VMware SSO uses several configuration policies, which can be found only in the vSphere Web Client under:

Administration -> Single Sign-On -> Configuration Policies

  • Password Policy
  • Lockout Policy
  • Token Policy

You can configure the following password policy parameters:

  • Description – Password policy description
  • Maximum lifetime – Maximum number of days that a password can exist before it has to be changed
  • Restrict re-use – Number of the user’s previous passwords that cannot be set again
  • Maximum length – Maximum number of characters that are allowed in the password
  • Minimum length – Minimum number of characters required in the password
  • Character requirements – Minimum number of different character types required in the password
  • Identical adjacent characters – Maximum number of identical adjacent characters allowed in the password
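As an added illustration (not code from the original post or from VMware), the following Python checker enforces the password policy parameters listed above against a candidate password. The policy values, sample passwords and password history are constructed for the example and are not vSphere defaults.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class PasswordPolicy:
    """Constructed values mirroring the SSO password policy parameters."""
    max_lifetime_days: int = 90      # Maximum lifetime
    restrict_reuse: int = 5          # Restrict re-use (previous passwords)
    max_length: int = 20             # Maximum length
    min_length: int = 8              # Minimum length
    char_requirements: int = 3       # Character requirements (distinct types)
    max_identical_adjacent: int = 3  # Identical adjacent characters


# Character types counted towards "Character requirements".
CHARACTER_TYPES = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "special": lambda c: not c.isalnum(),
}


def character_types(password):
    """Set of character types present in the password."""
    return {name for name, test in CHARACTER_TYPES.items() if any(test(c) for c in password)}


def longest_identical_run(password):
    """Length of the longest run of identical adjacent characters."""
    best = run = 0
    prev = None
    for c in password:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def check_password(password, policy, history=()):
    """Return a list of policy violations; an empty list means the password passes.
    history: the user's previous passwords, newest first (plain text here for illustration)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if len(password) > policy.max_length:
        problems.append(f"longer than maximum length {policy.max_length}")
    types = character_types(password)
    if len(types) < policy.char_requirements:
        problems.append(f"only {len(types)} character types, {policy.char_requirements} required")
    run = longest_identical_run(password)
    if run > policy.max_identical_adjacent:
        problems.append(f"{run} identical adjacent characters, maximum {policy.max_identical_adjacent}")
    if password in tuple(history)[:policy.restrict_reuse]:
        problems.append(f"matches one of the last {policy.restrict_reuse} passwords")
    return problems


def days_until_expiry(changed_on, today, policy):
    """Days left before the password exceeds its maximum lifetime (negative if expired)."""
    return policy.max_lifetime_days - (today - changed_on).days
```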

To add an SSO user, follow these steps:

  • Log into the vSphere Web Client with administrative privileges
  • From the Home screen, select Administration
  • Expand Single Sign-On and select Users and Groups
  • Select the Users tab and click the Green Plus Sign to add a new user
  • Provide the User Name and Password
  • Provide First name, Last name, email address, and Description
  • Click OK to complete

To disable an SSO user account:

  • Select the user you wish to Disable from the list
  • Log into the vSphere Web Client with administrative privileges
  • From the Home screen, select Administration
  • Expand Single Sign-On and select Users and Groups
  • Select the Users tab, then click the Disable User icon to disable the account

Identify available authentication methods with VMware vCenter

Single Sign-On Identity Sources are configured in the Web Client under Administration -> Single Sign-On -> Configuration -> Identity Sources.

SSO Identity Sources:

  • Active Directory Integrated
  • Active Directory LDAP
  • OpenLDAP
  • Local OS

vCenter Single Sign-On can authenticate users from its own internal users and groups, or it can connect to trusted external directory services such as Microsoft Active Directory.

