Sunday, 19 January 2014

How to log in to a fresh install of vCenter Server 5.5 using domain credentials (updated)

Updated: January 24, 2014.

I have read a few posts within the community lately [1][2] about an issue being encountered after a fresh install of vCenter 5.5. Basically, the only user that can log in to the vCenter Server is the SSO administrator (Administrator@vsphere.local). This may seem like unexpected behaviour, especially considering that even the account (perhaps an AD service account) that was used to perform the install is unable to log in and see the vCenter Server.

In contrast to the long title for this post, the solution that I would like to share is short and straightforward. I hope that this solution will save you from some post-install headaches.

In my lab, I will be testing against vCenter Server 5.5.0b (Build 1476387) running on Windows Server 2012, and configuring vSphere Single Sign-On to authenticate against a Windows Server 2012 AD controller.

Please note that this method is unlikely to work on earlier builds of vCenter Server due to an issue that was resolved in the 5.5.0b release. See the excerpt from VMware's release notes below:
“Active Directory is not added automatically as identity resource in vCenter Single Sign-On

When you initially install the vCenter Single Sign-On in a Windows system that is part of an Active Directory, the Active Directory is not automatically added as the default identity resource in the vCenter Single Sign-On server.

This issue is resolved in this release [3].” 

Steps to Log In to a Fresh Install of vCenter Server 5.5 Using Domain Credentials


Here are the key steps that let you log in to vCenter Server with domain credentials immediately after installation. Note: I am not including every step required to install vCenter Server 5.5. I will be following the Custom Install method instead of using Simple Install.

1) Determine which AD (Active Directory) user or group should initially be granted administrative access to the vCenter Server.


  • In my home lab, I created an AD group called vmadmins, and made myself a member of that group.
  • In your environment, an AD user or group may already exist representing your VMware administrators.



2) Install vSphere Single Sign-On. During the installation of vCenter Single Sign-On, verify that SSO detects the domain (i.e. home.local, in my case) that you would like as the native identity source. 



Remember: vCenter Server can only authenticate against credentials that are recognized by vSphere Single Sign-On.

3) Finally, during the installation of vCenter Server, change the default administrator.


Take note of the ‘vCenter Single Sign On Information’ prompt, as shown below:


By default, the administrator@vsphere.local user is granted administrative access to the vCenter server, but this can be changed. In my lab, I will change this to vmadmins, and indicate that it is a group.


Note: if you enter the name incorrectly, or it is not recognized by SSO, you will get the following error message:

The user or group that you are trying to assign vCenter Server administrative privileges to does not exist.

All done. Once vCenter Server has been installed, you should be able to log in directly using the configured domain credentials.





In this way, we are able to log in to a fresh install of vCenter Server 5.5 using domain credentials.
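A pre- and post-install check for the steps above, as an added example that is not from the original post. It assumes the ActiveDirectory module (RSAT) and VMware PowerCLI 5.5 are available on the machine you run it from, that HOME is the NetBIOS name of home.local, and that vcenter.home.local is a placeholder for your vCenter Server name.

```powershell
# Added example. HOME and vcenter.home.local are assumed/placeholder values;
# vmadmins is the lab group named in the post.
param(
    [string]$GroupName = 'vmadmins',            # AD group entered in the installer
    [string]$Domain    = 'HOME',                # NetBIOS domain name (assumed)
    [string]$VIServer  = 'vcenter.home.local'   # placeholder vCenter Server FQDN
)

Import-Module ActiveDirectory

# 1. Before the install: confirm the group resolves exactly as it will be typed.
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
if ($group.GroupCategory -ne 'Security') {
    Write-Warning "$GroupName is a distribution group, not a security group."
}

# 2. List effective (nested) members: every account here becomes a vCenter administrator.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object SamAccountName |
    Select-Object SamAccountName, distinguishedName |
    Format-Table -AutoSize

# 3. After the install: check what is actually granted at the vCenter root folder.
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue
Connect-VIServer -Server $VIServer | Out-Null    # log in as a member of the group

$root  = Get-Folder -NoRecursion                  # top-level inventory folder
$perms = @(Get-VIPermission -Entity $root | Where-Object { $_.Role -eq 'Admin' })
$perms | Select-Object Principal, IsGroup, Role, Propagate | Format-Table -AutoSize

$expected = "${Domain}\${GroupName}"
if ($perms.Principal -notcontains $expected) {
    Write-Warning "$expected does not hold the Admin role at the vCenter root."
}

# Any other principal listed here also has full administrative access; review each one.
$perms | Where-Object { $_.Principal -ne $expected } |
    ForEach-Object { Write-Warning "Additional root administrator: $($_.Principal)" }

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Step 2 is worth running again whenever the group's membership changes, since nested groups silently widen who holds vCenter administrative access.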

Keep on virtualizing!

References


[1] “How to log in to Single Sign ON SSO in vSphere 5.5.” [Online]. Available: http://www.vfrank.org/2013/09/23/how-to-log-in-to-single-sign-on-sso-in-vsphere-5-5/. [Accessed: 17-Jan-2014].

[2] “vSphere 5.5 vCenter server inventory 0 - frankdenneman.nl.” [Online]. Available: http://frankdenneman.nl/2014/01/16/vsphere-5-5-vcenter-server-0-inventory/. [Accessed: 17-Jan-2014].

[3] “vCenter Server 5.5.0b Release Notes.” [Online]. Available: https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-550b-release-notes.html#resolvedissuessso. [Accessed: 24-Jan-2014].
