Understanding and troubleshooting vCenter Single Sign-On users, groups, and login qualifications (2033875)

Symptoms

  • Cannot add an external vCenter Single Sign On (SSO) source
  • Adding an external vCenter Single Sign On (SSO) source fails
  • You see the error:

    The user or group supplied for the default vCenter administrator does not exist

  • You cannot log in using a user account even when the account has the required permissions

Purpose

This article provides information that helps you understand the default users, groups, and how login user qualification works with vCenter SSO. It provides information to simplify troubleshooting and configuration of vCenter SSO.

Resolution

vCenter SSO is capable of presenting users from many different authentication sources. There may be situations when there are duplicate user names or groups, such as a local administrator versus a domain administrator, which can cause login failures because the correct qualification is not being used.

Understanding SSO Identity Sources and user qualifications

With vCenter Single Sign-On, there are four different types of identity sources that can be used for authentication. Each one is qualified in a different way.
This table lists the different types and their corresponding details:
 
Type             | Qualification | Description
vCenter SSO      | System-Domain | The authentication mechanism provided by vCenter SSO itself. This is the default type used for vCenter SSO administration.
Active Directory | Domain name   | An external Active Directory domain, which is either automatically discovered or added after installation.
Open LDAP        | Domain name   | An external Open LDAP directory, which is added after installation of vCenter SSO.
Local OS         | Computer name | The local operating system users. This is available only if vCenter SSO is installed in Basic mode.
 
When you log in to the vSphere Web Client, you can log in with a qualified username, for example username@domain.com, which instructs the client to look for the username only in the specified domain. You also have the option to specify a default domain. The default domain is the domain that is logged in to when no qualification is provided for the user, for example when you log in with just username.
 
To change the default domain order:
  1. Log in to the vSphere Web Client as a vCenter SSO administrator.
  2. On the Home page, navigate to Administration > Sign-On and Discovery > Configuration.
  3. Click the Identity Sources tab.
  4. Review the default domains and change the order of precedence.
  5. If you want to add one of the identity sources as a default domain, select the domain and then click Add to Default Domains.
Note: Having multiple domains in the Default Domain list might result in locked user accounts during authentication.

Default SSO Users and Groups

By default, vCenter SSO includes different users and groups that are used for administration of the vCenter SSO service.
 
This table lists the default users and groups:
 
User/Group           | Description
admin@system-domain  | The vCenter SSO administration account on a Windows installation. The password is set during the initial installation of the vCenter SSO service.
root                 | The vCenter SSO administration account on a Linux server.
__Regular_Users__    | SSO Regular user role
__Administrators__   | SSO Administrators
LSAdministrators     | Members of this group are the administrators of the Lookup Service
 

Troubleshooting User Qualifications

To troubleshoot issues related to user qualifications, you must determine whether the login failure is due to a bad identity source username or password, or whether the authentication is not happening against the proper source.
To troubleshoot this issue:
  • If you are using a domain account, try appending @domain to the login name, for example administrator@domain.com. This lets you test whether the problem is with qualification.
  • Try logging in as a vCenter SSO administrator user, such as admin@system-domain. If you are able to log in, the problem could be with connecting to the identity source.
  • Check whether the user account is locked out. If it is locked out, either unlock it or wait fifteen minutes (by default) for it to be unlocked automatically.
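The following Python model illustrates the two mechanisms this article describes: how a qualified login (user@domain or DOMAIN\user) is sent to exactly one identity source while an unqualified login is tried against the Default Domains list in order, and why a duplicate name such as a local Administrator and a domain Administrator can leave one copy of the account locked. It is an added illustration, not VMware code. The identity sources, account names and passwords are constructed sample data; the rule that each wrong-password attempt against a default domain counts toward a lockout, and the threshold of three failures, are simplifying assumptions of the model. The fifteen-minute automatic unlock is the default the article states.

```python
"""Model of vCenter SSO login qualification, default-domain order and lockout.
Added illustration, not VMware code. Assumptions: an unqualified login is tried
against each default domain in order, and every wrong-password attempt counts
toward that source's lockout (threshold constructed for this model)."""
import time
from dataclasses import dataclass, field

LOCKOUT_SECONDS = 15 * 60   # article: locked accounts unlock automatically after 15 minutes by default
MAX_FAILURES = 3            # constructed threshold for this model only


@dataclass
class IdentitySource:
    kind: str         # "vCenter SSO", "Active Directory", "Open LDAP" or "Local OS"
    qualifier: str    # System-Domain, AD/LDAP domain name, or computer name
    users: dict       # username -> password (constructed sample accounts)


@dataclass
class SsoConfig:
    sources: list
    default_domains: list                           # ordered; walked first to last
    failures: dict = field(default_factory=dict)    # "user@qualifier" -> failed attempts
    locked_at: dict = field(default_factory=dict)   # "user@qualifier" -> lock time (seconds)


def parse_login(login):
    """Split 'user@domain' or 'DOMAIN\\user' into (user, qualifier); unqualified -> (user, None)."""
    if "@" in login:
        user, _, dom = login.rpartition("@")
        return user, dom
    if "\\" in login:
        dom, _, user = login.partition("\\")
        return user, dom
    return login, None


def candidate_sources(cfg, qualifier):
    """A qualified login names exactly one source; an unqualified one walks the default domains."""
    by_q = {s.qualifier.lower(): s for s in cfg.sources}
    if qualifier is not None:
        src = by_q.get(qualifier.lower())
        return [src] if src else []
    return [by_q[d.lower()] for d in cfg.default_domains if d.lower() in by_q]


def is_locked(cfg, key, now):
    """True while the account is inside its lockout window; clears the lock once it expires."""
    t = cfg.locked_at.get(key)
    if t is None:
        return False
    if now - t >= LOCKOUT_SECONDS:
        del cfg.locked_at[key]        # automatic unlock after the timeout
        cfg.failures.pop(key, None)
        return False
    return True


def authenticate(cfg, login, password, now=None):
    """Return a status string saying where the login was resolved and with what result."""
    now = time.time() if now is None else now
    user, qualifier = parse_login(login)
    sources = candidate_sources(cfg, qualifier)
    if not sources:
        return "NO_IDENTITY_SOURCE"
    tried = []
    for src in sources:
        if user not in src.users:
            continue
        key = f"{user}@{src.qualifier}"
        if is_locked(cfg, key, now):
            return f"LOCKED:{key}"
        if src.users[user] == password:
            return f"OK:{key}"
        # wrong password for this source's copy of the name: counts toward its lockout
        cfg.failures[key] = cfg.failures.get(key, 0) + 1
        if cfg.failures[key] >= MAX_FAILURES:
            cfg.locked_at[key] = now
        tried.append(key)
    return "BAD_PASSWORD:" + ",".join(tried) if tried else "USER_NOT_FOUND"


def demo_config():
    """Constructed setup: 'Administrator' exists in both Local OS and AD, and both are default domains."""
    return SsoConfig(
        sources=[
            IdentitySource("vCenter SSO", "System-Domain", {"admin": "sso-pw"}),
            IdentitySource("Local OS", "VC01", {"Administrator": "local-pw"}),
            IdentitySource("Active Directory", "corp.example.com", {"Administrator": "ad-pw"}),
        ],
        default_domains=["VC01", "corp.example.com"],
    )


if __name__ == "__main__":
    cfg = demo_config()
    for _ in range(4):   # unqualified logins with the AD password quietly fail against VC01 first
        print(authenticate(cfg, "Administrator", "ad-pw", now=0))
    print(authenticate(cfg, "Administrator@corp.example.com", "ad-pw", now=0))   # qualified: unaffected
```

Running the model with the constructed configuration, the first three unqualified logins succeed against the AD account while each one records a failed attempt against VC01\Administrator; the fourth is reported as locked even though the password is right, which is the situation the article's Note warns about. Qualifying the name as Administrator@corp.example.com skips the Local OS source entirely, which is why the first troubleshooting step is to append @domain.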
