When a user logs in to a vSphere component, or when a vCenter Server solution user accesses another vCenter Server service, vCenter Single Sign-On performs authentication. Users must be authenticated with vCenter Single Sign-On and have the necessary privileges for interacting with vSphere objects.

vCenter Single Sign-On authenticates both solution users and other users.

  • Solution users represent a set of services in your vSphere environment. During installation, VMCA assigns a certificate to each solution user by default. The solution user uses that certificate to authenticate to vCenter Single Sign-On. vCenter Single Sign-On gives the solution user a SAML token, and the solution user can then interact with other services in the environment.
  • When other users log in to the environment, for example, from the vSphere Client, vCenter Single Sign-On prompts for a user name and password. If vCenter Single Sign-On finds a user with those credentials in the corresponding identity source, it assigns the user a SAML token. The user can now access other services in the environment without being prompted to authenticate again.

    Which objects the user can view, and what a user can do, is usually determined by vCenter Server permission settings. vCenter Server administrators assign those permissions from the Permissions interface in the vSphere Client, not through vCenter Single Sign-On. See the vSphere Security documentation.

vCenter Single Sign-On and vCenter Server Users

Users authenticate to vCenter Single Sign-On by entering their credentials on the login page. After connecting to vCenter Server, authenticated users can view all vCenter Server instances or other vSphere objects for which their role gives them privileges. No further authentication is required.

After installation, the administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default, has administrator access to both vCenter Single Sign-On and vCenter Server. That user can then add identity sources, set the default identity source, and manage users and groups in the vCenter Single Sign-On domain.

All users that can authenticate to vCenter Single Sign-On can reset their password. See Change Your vCenter Single Sign-On Password. Only vCenter Single Sign-On administrators can reset the password for users who no longer have their password.

vCenter Single Sign-On Administrator Users

The vCenter Single Sign-On administrative interface is accessible from the vSphere Client.

To configure vCenter Single Sign-On and manage vCenter Single Sign-On users and groups, the user administrator@vsphere.local or a user in the vCenter Single Sign-On Administrators group must log in to the vSphere Client. Upon authentication, that user can access the vCenter Single Sign-On administration interface from the vSphere Client and manage identity sources and default domains, specify password policies, and perform other administrative tasks.
Note: You cannot rename the vCenter Single Sign-On administrator user, which is administrator@vsphere.local by default or administrator@ mydomain if you specified a different domain during installation. For improved security, consider creating additional named users in the vCenter Single Sign-On domain and assigning them administrative privileges. You can then stop using the administrator account.

Other User Accounts in vCenter Server

The following user accounts are created automatically within vCenter Server in the vsphere.local domain (or the default domain that you created at installation). These user accounts are shell accounts. The vCenter Single Sign-On password policy does not apply to these accounts.

Table 1. Other vCenter Server User Accounts
Account Description
K/M For Kerberos key management.
krbtgt/VSPHERE.LOCAL For Integrated Windows Authentication compatibility.
waiter-random_string For Auto Deploy.

ESXi Users

Standalone ESXi hosts are not integrated with vCenter Single Sign-On. See vSphere Security for information on adding an ESXi host to Active Directory.

If you create local ESXi users for a managed ESXi host with the VMware Host Client, ESXCLI, or PowerCLI, vCenter Server is not aware of those users. Creating local users can therefore result in confusion, especially if you use the same user names. Users who can authenticate to vCenter Single Sign-On can view and manage ESXi hosts if they have the corresponding permissions on the ESXi host object.
Note: Manage permissions for ESXi hosts through vCenter Server if possible.

How to Log In to vCenter Server Components

You can log in by connecting to the vSphere Client.

When a user logs in to a vCenter Server system from the vSphere Client, the login behavior depends on whether the user is in the domain that is set as the default identity source.

  • Users who are in the default domain can log in with their user name and password.
  • Users who are in a domain that has been added to vCenter Single Sign-On as an identity source but is not the default domain can log in to vCenter Server but must specify the domain in one of the following ways.
    • Including a domain name prefix, for example, MYDOMAIN\user1
    • Including the domain, for example, user1@mydomain.com
  • Users who are in a domain that is not a vCenter Single Sign-On identity source cannot log in to vCenter Server. If the domain that you add to vCenter Single Sign-On is part of a domain hierarchy, Active Directory determines whether users of other domains in the hierarchy are authenticated or not.

If your environment includes an Active Directory hierarchy, see the VMware knowledge base article at https://kb.vmware.com/s/article/2064250 for details on supported and unsupported setups.