Granting AD Accounts Administrative Access to vCenter SSO
I’m a proponent of vCenter Single Sign On (SSO) – it opens a lot of doors to new ways to authenticate users into the vSphere environment such as using multiple AD domains and OpenLDAP. One down side to the introduction of the service is the added complexity and resulting slew of KB articles around resolving SSO issues. While many of them are simply a matter of properly preparing your environment, I have noticed that by default the vCenter SSO permission groups only include local accounts, such as the admin@System-Domain user. This is often confusing for those first doing the upgrade (or migration) from a previous version of vCenter to version 5.1 or higher as you will not see the configuration details for SSO unless you log in as the local SSO admin account.
Here’s an example. In my Wahl Network lab environment, I’ve left the configuration set to the default values. When logging on as a user with full administrator permissions to vCenter, the “Sign-On and Discovery” section is blank. Since many KB and configuration guides ask you to come here to edit settings and perform troubleshooting, one may think that a greater issues exists when in reality it’s just a basic permissions requirement.
As a vCenter user with “Administrator” access, I cannot see the SSO configuration by default
Fortunately, the solution is rather straight forward.
Adding AD Accounts or Groups to SSO Admins
You’ll need access to the SSO local admin account, which is admin@System-Domain. I had to get used to memorizing the name of this account, as it was weird (for me) to not include a “.local” or something at the end of the string.
Log in to the vSphere Web Client using the admin@System-Domain account, then click on the Administration field in the left side navigation bar. From there, select the “SSO Users and Groups” option, then the Groups tab, as shown below.
By using the admin@System-Domain account, you can edit the SSO user and group permissions
For this example, I’ve decided to search and add my own AD account to the “__Administrators__” group. Select the group and click the button with the little man with a plus sign next to his face (see picture above). Once there, I changed the Identity source to my domain (glacier.local) and searched for my name. I then clicked my account and pressed the Add button.
I’m adding my AD account to the SSO Administrators group
AD Account With Full SSO Administrator Access
Now, when I log in using my Chris AD account, I can see all of the SSO configuration sections in the vSphere Web Client.