Authenticating To The Vcenter Server Environment; How Vcenter Single Sign-On Affects Log In Behavior - VMware VS4-ENT-PL-A - vSphere Enterprise Plus Setup Manual


In vSphere 5.1.x and 5.5, when you install vCenter Server, you must provide the default (initial) vCenter Server administrator user or group. For deployments where vCenter Server and vCenter Single Sign-On are on the same host machine, you can designate the local operating system group Administrators as vCenter Server administrative users. This option is the default. This behavior is unchanged from vCenter Server 5.0.

For larger installations, where vCenter Single Sign-On and vCenter Server are deployed on different hosts, you cannot preserve the same behavior as in vCenter Server 5.0. Instead, assign the vCenter Server administrator role to a user or group from an identity source that is registered in the vCenter Single Sign-On server: Active Directory, OpenLDAP, or the system identity source.

Authenticating to the vCenter Server Environment

In vCenter Server versions 5.1 and later, users authenticate through vCenter Single Sign-On.

In vCenter Server versions earlier than vCenter Server 5.1, when a user connects to vCenter Server, vCenter Server authenticates the user by validating the user against an Active Directory domain or the list of local operating system users.

The user administrator@vsphere.local has vCenter Single Sign-On administrator privileges by default. When logged in to the vCenter Single Sign-On server from the vSphere Web Client, the administrator@vsphere.local user can assign vCenter Single Sign-On administrator privileges to other users. These users might be different from the users that administer vCenter Server.

Users can log in to vCenter Server with the vSphere Web Client. Users authenticate to vCenter Single Sign-On. Users can view all the vCenter Server instances on which they have permissions. After users connect to vCenter Server, no further authentication is required. The actions users can perform on objects depend on the user's vCenter Server permissions on those objects.

For more information about vCenter Single Sign-On, see vSphere Security.

How vCenter Single Sign-On Affects Log In Behavior

vCenter Single Sign-On login behavior depends on the domain the user belongs to and the identity sources that you have added to vCenter Single Sign-On.

When a user logs in to a vCenter Server system from the vSphere Web Client, the login behavior depends on whether the user is in the default domain.

- Users who are in the default domain can log in with their user name and password.
- Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but is not the default domain can log in to vCenter Server but must specify the domain in one of the following ways.
  - Including a domain name prefix, for example, MYDOMAIN\user1
  - Including the domain, for example, user1@mydomain.com
- Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active Directory determines whether users of other domains in the hierarchy are authenticated or not.

After installation on a Windows system, the user administrator@vsphere.local has administrator privileges to both the vCenter Single Sign-On server and to the vCenter Server system.

After you deploy the vCenter Virtual Appliance, the user administrator@vsphere.local has administrator privileges to both the vCenter Single Sign-On server and to the vCenter Server system. The user root@localos has administrative privileges on the vCenter Single Sign-On server and can authenticate to the vCenter Server system. Assign permissions to root@localos to allow that user access to the vCenter Server system.
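
The login rules in this section can be modelled as a small resolver for reviewing which identity source a given login name would be checked against. This is an added example, not VMware code and not part of the original manual. The names IdentitySource, alias, resolve_login and audit are hypothetical, the sample domains and logins are constructed, and it assumes domain names compare case-insensitively.

```python
from dataclasses import dataclass


class LoginRejected(Exception):
    """The login names a domain that is not a registered identity source."""


@dataclass(frozen=True)
class IdentitySource:
    domain: str      # full domain name, e.g. "mydomain.com"
    alias: str = ""  # prefix form, e.g. "MYDOMAIN" (assumed field)


def resolve_login(login, sources, default_domain):
    """Return the (user, domain) a login name is checked against."""
    if "\\" in login:            # prefix form: MYDOMAIN\user1
        named, user = login.split("\\", 1)
    elif "@" in login:           # suffix form: user1@mydomain.com
        user, named = login.rsplit("@", 1)
    else:                        # bare name: only the default domain applies
        user, named = login, default_domain
    if not user or not named:
        raise LoginRejected(f"malformed login {login!r}")
    for src in sources:
        if named.lower() in (src.domain.lower(), src.alias.lower()):
            return user, src.domain
    # Not modelled: Active Directory hierarchy trust (decided by AD itself).
    raise LoginRejected(f"{named!r} is not an identity source")


def audit(logins, sources, default_domain):
    """Map each login to 'user@domain', or to None when it is rejected."""
    report = {}
    for login in logins:
        try:
            user, domain = resolve_login(login, sources, default_domain)
            report[login] = f"{user}@{domain}"
        except LoginRejected:
            report[login] = None
    return report


# Constructed sample: three identity sources and four login names.
SOURCES = [IdentitySource("vsphere.local"), IdentitySource("localos"),
           IdentitySource("mydomain.com", alias="MYDOMAIN")]
LOGINS = ["administrator", "MYDOMAIN\\user1", "user1@mydomain.com", "user1@other.example"]
if __name__ == "__main__":
    for login, result in audit(LOGINS, SOURCES, "vsphere.local").items():
        print(f"{login:22} -> {result or 'rejected'}")
```

Changing the default_domain argument shows which bare user names would start resolving against a different identity source after a default-domain change.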
VMware, Inc.
Chapter 3 Before You Install vCenter Server


This manual is also suitable for:

vSphere 5.5
