The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
Understanding and troubleshooting vCenter Single Sign-On users, groups, and login qualifications (2033875)
- Cannot add an external vCenter Single Sign On (SSO) source
- Adding an external vCenter Single Sign On (SSO) source fails
- You see the error:
The user or group supplied for the default vCenter administrator does not exist
- You cannot log in using a user account even when the account has the required permissions
vCenter SSO is capable of presenting users from many different authentication sources. There may be situations when there are duplicate user names or groups, such as a local administrator versus a domain administrator, which can cause login failures because the correct qualification is not being used.
Understanding SSO Identity Sources and user qualifications
With vCenter Single Sign on, there are four different types of identity sources which can be used for authentication. Each one of them is qualified in a different way.
This tables lists the different types the corresponding details:
|vCenter SSO||System-Domain||The vCenter SSO provided Authentication mechanism. This is the default type used for vCenter SSO administration.|
|Active Directory||Domain Name||An external Active Directory domain, which is either automatically discovered or added after installation.|
|Open LDAP||Domain Name||An external Open LDAP, which is added after installation of vCenter SSO.|
|Local OS||Computer Name||The Local Operating system users. This is available only if vCenter SSO is installed in Basic mode.|
When you log in to the vSphere Web Client, you can log in with the qualified username. For example, email@example.com, which instructs the client to only look for the username in the domain specified. Therefore, you have an option to specify a default domain. The default domain is the domain that is being logged in to, if no qualification is provided for the user. For example, if you are to login with just username.
To change the default domain order:
- Log in to the vSphere Web Client as a vCenter SSO administrator.
- In the home page, navigate to Administration > Sign-On and Discovery > Configuration.
- Click the Identity Sources tab.
- Review the default domains and change the order of precedence.
- If you want to add one of the identity sources as a default domain, select the domain and then click Add to Default Domains.
Note: Having multiple domains in the Default Domain list might result in locked user accounts during authentication.
Default SSO Users and Groups
By default, vCenter SSO includes different users and groups that are used for administration of the vCenter SSO service.
This table lists the default users and groups:
|admin@system-domain||The vCenter SSO administration account on a Windows installation. The password is set during the initial installation of the vCenter SSO Service.|
|root||The vCenter SSO administration account on a Linux server.|
|__Regular_Users__||SSO Regular user role|
|LSAdministrators||Members of this group are the administrators of the Lookup Service|
Troubleshooting User Qualifications
To troubleshoot issues related to user qualifications, you must determine if the login failure is due to a bad identity source username or password or if the authentication is not happening against the proper source.
To troubleshoot this issue:
If you are using a domain account, try appending the login name with @domain. For example firstname.lastname@example.org. This allows you to test whether it is an issue with qualification.
Try logging in as a vCenter SSO administrator user, such as admin@system-domain. If you are able to login, it could be an issue connecting to the identity source.
Check to see if the username is locked out. If it is locked out, either unlock it or wait for fifteen minutes (by default) for it to be automatically unlocked.
Request a Product Feature
To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.