AD integration

The vCenter Server can be integrated with an external identity source, so you do not need to configure individual user accounts or groups on the vCenter Server level, but instead use a centralized database.

There are three possible integrations, as follows:

    • Active Directory through Integrated Authentication
    • Active Directory through LDAP
    • LDAP server

As you can see, you can use either Active Directory as a central user and groups database or any LDAP-enabled identity source. In most environments, you will find that Active Directory through the Integrated Authentication mode is used more than the traditional LDAP approach since the configuration is much simpler. If you want to configure the Integrated Authentication mode, you must join the PSC instance or the vCSA to the AD domain. This allows the AD users to log in to vCenter Server using the Windows session authentication Security Support Provider Interface (SSPI).

The procedure to join vCenter Server to an AD domain depends on how the vCSA and the PSC have been deployed:

  • If you deployed the vCSA with an embedded PSC, you need to join the vCSA to the AD domain
  • If you deployed the vCSA with an external PSC, you need to join the PSC to the AD domain

The use of a Read-Only Domain Controller (RODC) to join a PSC, or a vCSA with an embedded PSC, to an AD domain is not supported. A writable DC must be used for the domain join.

To join a vCSA with an embedded PSC to the AD, follow these steps:

  1. Select Administration, Single Sign-On, and Configuration.
  2. Click on the Active Directory tab and click Join AD.
  3. Enter the domain to join in the Domain field and, optionally, the organizational unit. Specify the AD username in the UPN format ([email protected]) of an account that has the privileges to join the PSC to the domain, together with its password. Click OK to confirm.
  4. When the process completes, the joined domain is listed in the Domain field, and a new Leave button is displayed.
  5. You need to reboot the node to enable the changes. Since this option is not available from the vSphere Client, switch to the VAMI management of the vCSA and, from Actions, click Reboot.
  6. When the node has been rebooted, navigate to Configuration | Identity Sources to add the AD domain. Click ADD IDENTITY SOURCE to open the wizard, as demonstrated in the following screenshot:

  7. Select the Active Directory (Integrated Windows Authentication) option and enter the joined FQDN domain name if it's not displayed automatically.
  8. Select the Use machine account option to use the local machine account as the Service Principal Name (SPN). If you expect to rename the machine, don't use this option, because it will break the authentication process. Click OK to confirm the specified AD domain as the new identity source.
  9. In the Identity Sources tab, the joined AD domain is now displayed. You can assign permissions to users or group members of the AD domain.

You can select the added AD domain and click on the Set as Default Domain icon to make the new identity source the default domain.

Once the integration is done, you can assign the permissions for Active Directory Users or Groups. All you need to do is select the Active Directory domain instead of the default single sign-on domain.
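The two requirements called out above, a join account in UPN format and a writable (non-RODC) domain controller, can be checked before clicking Join AD. The following pre-flight script is an added example, not part of the original text or of VMware's tooling; it assumes the DC computer objects have already been read from AD with an LDAP client and are passed in as plain dicts (the `SAMPLE_DCS` below are constructed), and it uses the Kerberos default clock-skew tolerance of 5 minutes.

```python
import re

# userAccountControl bit (PARTIAL_SECRETS_ACCOUNT) set on RODC computer accounts.
PARTIAL_SECRETS_ACCOUNT = 0x04000000
# primaryGroupID RIDs: 516 = Domain Controllers, 521 = Read-only Domain Controllers.
RID_DOMAIN_CONTROLLERS = 516
RID_RODC = 521
# Kerberos (default) rejects tickets when clocks differ by more than 5 minutes.
MAX_SKEW_SECONDS = 300
UPN_RE = re.compile(r"^[^@\s\\]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed sample DC computer objects, shaped like an LDAP client would return them.
SAMPLE_DCS = [
    {"dNSHostName": "dc01.corp.example", "userAccountControl": 532480, "primaryGroupID": 516},
    {"dNSHostName": "rodc01.corp.example", "userAccountControl": 83890176, "primaryGroupID": 521},
]


def is_upn(account: str) -> bool:
    """True for the user@domain form; False for DOMAIN\\user or a bare user name."""
    return bool(UPN_RE.match(account))


def dc_role(attrs: dict) -> str:
    """Classify a computer object as 'rodc', 'writable' or 'not-a-dc'."""
    uac = int(attrs.get("userAccountControl", 0))
    pgid = int(attrs.get("primaryGroupID", 0))
    if uac & PARTIAL_SECRETS_ACCOUNT or pgid == RID_RODC:
        return "rodc"
    if pgid == RID_DOMAIN_CONTROLLERS:
        return "writable"
    return "not-a-dc"


def writable_dcs(objects: list) -> list:
    """Host names of DCs that are acceptable join targets (writable only)."""
    return [o["dNSHostName"] for o in objects if dc_role(o) == "writable"]


def preflight(account: str, objects: list, skew_seconds: float) -> list:
    """Return the blocking problems; an empty list means the join can proceed."""
    problems = []
    if not is_upn(account):
        problems.append(f"join account {account!r} is not in UPN format")
    if not writable_dcs(objects):
        problems.append("no writable domain controller found (RODC join is unsupported)")
    if abs(skew_seconds) > MAX_SKEW_SECONDS:
        problems.append("clock skew to the DC exceeds the Kerberos tolerance")
    return problems


if __name__ == "__main__":
    print(preflight("svc-vcjoin@corp.example", SAMPLE_DCS, 30))  # prints []
```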
