When manually adding an Identity Source in vCenter Single Sign-On (SSO), many domains require the Password authentication type, which needs a valid administrator account in the directory.
Where using an administrator account is not permitted for security or policy reasons, a service account can be used instead. That service account must have sufficient permissions to read the properties and attributes of every user who is expected to log in to vSphere; if the service account cannot read these attributes, those logins fail. The solution is to increase the permissions of the service account so that it can read all of the required user attributes.
The appropriate permissions for SSO can be provided by using one of these options:
- A domain administrator account
- A service account with full read-only permissions on the entire user/group sub-tree that is to have access to vSphere
- A service account with read permission on these specific attributes across the entire user/group sub-tree that is to have access to vSphere:
  - tokenGroups
  - memberOf
  - cn
  - name
  - givenName
  - sn
  - initials
  - comment
  - distinguishedName
  - samAccountName
  - samAccountType
  - userPrincipalName
  - userAccountControl
  - accountExpires
  - description
  - lockoutTime
  - objectGUID
  - objectSID
  - userCertificate
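Before pointing SSO at a least-privileged service account, it is worth checking which of the attributes above that account can actually read on a representative user. The following PowerShell script is an added example and is not VMware's or Microsoft's code. It reads the same user object twice, once with a reference (administrator) credential and once with the proposed service account, and reports any attribute the administrator can see but the service account cannot. It uses a base-scope search so that the constructed attribute tokenGroups is returned. The LDAP path, the two credentials and the server name are placeholders you must replace.

```powershell
# Added example (not from the VMware KB): audit a proposed SSO service account's read
# access to the attributes the article lists. Placeholders: LDAP path and credentials.

# Attribute set from the article, using LDAP attribute names (objectSID is 'objectSid' on the wire).
$RequiredAttributes = @(
    'tokenGroups', 'memberOf', 'cn', 'name', 'givenName', 'sn', 'initials', 'comment',
    'distinguishedName', 'sAMAccountName', 'sAMAccountType', 'userPrincipalName',
    'userAccountControl', 'accountExpires', 'description', 'lockoutTime',
    'objectGUID', 'objectSid', 'userCertificate'
)

function Get-ReadableAttributes {
    <#
      Bind to a single user object with the supplied credential and return the lower-cased
      names of the requested attributes the directory actually returned. An attribute the
      caller is not allowed to read is silently omitted, which is exactly what SSO sees.
    #>
    param(
        [Parameter(Mandatory)] [string] $LdapPath,         # e.g. LDAP://dc01.example.com/CN=Jane Doe,OU=Staff,DC=example,DC=com
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $plain = $Credential.GetNetworkCredential()
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $LdapPath, $Credential.UserName, $plain.Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base   # base scope: required for tokenGroups
    $searcher.Filter = '(objectClass=user)'
    $searcher.PropertiesToLoad.AddRange([string[]]$RequiredAttributes)
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No user object found at $LdapPath (or bind as $($Credential.UserName) failed)" }
    $result.Properties.PropertyNames | ForEach-Object { $_.ToString().ToLowerInvariant() }
}

function Compare-AttributeVisibility {
    <#
      For each required attribute, classify what the service account gets:
        readable            - returned for the service account
        DENIED              - returned for the reference account but not the service account (missing ACE)
        empty on this user  - returned for neither, so this object cannot prove the permission either way
    #>
    param(
        [Parameter(Mandatory)] [string] $LdapPath,
        [Parameter(Mandatory)] [pscredential] $ReferenceCredential,
        [Parameter(Mandatory)] [pscredential] $ServiceCredential
    )
    $asReference = Get-ReadableAttributes -LdapPath $LdapPath -Credential $ReferenceCredential
    $asService   = Get-ReadableAttributes -LdapPath $LdapPath -Credential $ServiceCredential
    foreach ($attr in $RequiredAttributes) {
        $key = $attr.ToLowerInvariant()
        $state = if ($asService -contains $key)      { 'readable' }
                 elseif ($asReference -contains $key) { 'DENIED' }
                 else                                 { 'empty on this user' }
        [pscustomobject]@{ Attribute = $attr; ServiceAccountResult = $state }
    }
}

# Usage: run from a domain-joined machine. Pick a test user that has values in the optional
# attributes (initials, comment, lockoutTime, userCertificate) to keep the 'empty' rows to a minimum.
$reference = Get-Credential -Message 'Reference account with full read access (e.g. a domain admin)'
$service   = Get-Credential -Message 'Proposed SSO service account'
Compare-AttributeVisibility `
    -LdapPath 'LDAP://dc01.example.com/CN=Jane Doe,OU=Staff,DC=example,DC=com' `
    -ReferenceCredential $reference -ServiceCredential $service |
    Format-Table -AutoSize
```

Any row reporting DENIED is an attribute you still need to grant read permission on (or a sign the account lacks read access to the containing sub-tree). Rows reporting "empty on this user" are inconclusive for that object; re-run against a user that has the attribute populated, because an attribute that is absent for both accounts proves nothing about the ACL.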
For information on account permissions in Active Directory, see the Microsoft TechNet article, Active Directory Users, Computers, and Groups.
Note: The preceding link was correct as of March 14, 2014. If you find the link is broken, provide feedback and a VMware employee will update the link.