VMware Cloud Community
MrVmware9423
Expert

System-Domain Account is used for what ???

Dear Team,

We are having an external audit in our environment; for that we are doing user reconciliation and cross-checking the permissions on the vCenter server.

Once we logged in to the vCenter server, in the Permissions tab we get a list of users who have access to the VC server, but among them we found a "System-Domain\admin" user account that has the Administrator role. We just want to know what this account is used for, and whether it is safe to delete or remove this user from the VC permissions. We need your assistance with this.

regards

Mr VMware

0 Kudos
1 Solution

Accepted Solutions
abhilashhb
VMware Employee

Yes, when AD does not work you can use this account to manage the VC.

Yes, it's the main account that will help you configure AD auth and other things initially.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/


0 Kudos
9 Replies
abhilashhb
VMware Employee

Do not DELETE it. It's an SSO Admin user. If you run into problems with authentication sources, that's the only user that will help you to log in to the Web Client.

It's a default user that comes along with SSO with Admin rights; leave it that way.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

Texiwill
Leadership

Hello,

This thread was moved to the Security & Compliance forum.

SSO sets up a single admin@vsphere.local (or whatever you wish to call it) account. This is a crucial account as that is how the location services talk to vCenter. In addition, you can add specific users directly into SSO to have roles within vSphere that are independent of AD. For sites that do not use AD this is a good approach. For those that use AD, you can use SSO-specific users to work around failed AD credentials.

Know what is in each user repository: localhost, SSO, and AD, and how they can access your environments.

As said previously, do not delete that user.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
MrVmware9423
Expert

Thanks Texiwill,

In our environment we are using AD. Request you to let me know how to add specific users directly into SSO to have roles within vSphere that are independent of AD.

regards

Mr VMware

0 Kudos
abhilashhb
VMware Employee

Log in to the Web Client using the Admin@system-domain user. Go to Administration > Single Sign-On > Users tab, and from the drop-down select SYSTEM-DOMAIN as the domain. Click the + button and add a new user.

Please find the attached screen shot for the same.

SSO.jpg

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

0 Kudos
MrVmware9423
Expert

Thanks Abhi

Last query: in the Web Client, what IP do I have to enter (VC server IP or SSO server IP)? Also let me know the port number, if any.

regards

Mr VMware


0 Kudos
abhilashhb
VMware Employee

Your URL for the Web Client will be https://<vcenter-server-ip>:9443/vsphere-client/

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

0 Kudos
MrVmware9423
Expert

If we are not able to log in with AD credentials, then with the help of this account, system-domain\admin, we can log in to the Web Client and manage our infra as we were managing it with VC.

In other words, we can say it's a backup admin account to centrally manage all ESXi hosts as we were managing them with VC. Request you to correct me if I am wrong.

0 Kudos
abhilashhb
VMware Employee

Yes, when AD does not work you can use this account to manage the VC.

Yes, it's the main account that will help you configure AD auth and other things initially.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

0 Kudos
Texiwill
Leadership

Hello,

I use SSO to create quite a few 'service' accounts used by VMware products, such as VDP, VIN, vCOPS, VLI, VSM, etc. If you create SSO accounts you can then track logins from each device into vCenter without requiring AD. I also do this with third-party tools, but some third-party tools will not work without AD. This gives me 3 authentication stores within vCenter.

   * Local Accounts

   * SSO

   * AD

All managed from within the vCenter Web Client. I grant specific Roles within vCenter for each service account. This is in line with VMware's Hardening Guide. If they do not use AD, then there is no dependency on AD. If the SSO server also runs ON the vCenter server there is no external dependency. If it runs external, then you have to have at least one local account that will work in an emergency.

The SSO admin@system-domain is a full admin account, as such it should not be used except to update SSO or in an emergency situation. Most likely its password should be in a vault somewhere.

Best regards,
Edward L. Haletky
0 Kudos
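
An added example for the reconciliation this thread discusses (not code from any poster or from VMware): it sorts an exported permission list into the three stores named above and flags the entries an auditor would question. The CSV layout, the `CORP` and `OLDCORP` domains, the `VCENTER01` host name, and the service-account and role names are assumptions; the sample rows are constructed.

```python
import csv
import io

SSO_DOMAINS = {"system-domain", "vsphere.local"}  # SSO domains named in the thread
AD_DOMAINS = {"corp"}            # assumption: the site's AD domain(s)
LOCAL_HOSTS = {"vcenter01"}      # assumption: the vCenter server's own host name
BREAK_GLASS = ("sso", "admin")   # built-in SSO admin; must keep its permission

# Constructed sample export (principal, role, entity); not real audit data.
SAMPLE = """principal,role,entity
System-Domain\\admin,Administrator,root
System-Domain\\svc-vdp,VDP-Backup,root
System-Domain\\svc-vcops,Administrator,root
CORP\\vSphere-Admins,Administrator,root
admin2@OLDCORP,Administrator,root
VCENTER01\\Administrator,Administrator,root
"""

def classify(principal):
    """Return (store, account) for DOMAIN\\user or user@domain principals."""
    if "\\" in principal:
        domain, user = principal.split("\\", 1)
    elif "@" in principal:
        user, domain = principal.rsplit("@", 1)
    else:
        return ("unknown", principal.lower())
    d = domain.lower()
    store = ("sso" if d in SSO_DOMAINS else "ad" if d in AD_DOMAINS
             else "local" if d in LOCAL_HOSTS else "unknown")
    return (store, user.lower())

def reconcile(export_text):
    """Group principals by identity store and collect audit findings."""
    by_store, findings, seen = {}, [], set()
    for row in csv.DictReader(io.StringIO(export_text)):
        store, user = classify(row["principal"])
        seen.add((store, user))
        by_store.setdefault(store, []).append(row["principal"])
        if store == "unknown":
            findings.append(f"{row['principal']}: unrecognised identity source")
        elif (store == "sso" and row["role"] == "Administrator"
              and (store, user) != BREAK_GLASS):
            # Service accounts should carry a specific role, not full admin.
            findings.append(f"{row['principal']}: SSO account with full Administrator role")
    if BREAK_GLASS not in seen:
        findings.append("built-in SSO admin has no permission entry")
    return by_store, findings
```

Calling `reconcile(SAMPLE)` returns the principals grouped per store plus the findings list; the built-in SSO admin is deliberately not reported, while its absence is.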