vCenter SSO is capable of presenting users from many different authentication sources. There may be situations when there are duplicate user names or groups, such as a local administrator versus a domain administrator, which can cause login failures because the correct qualification is not being used.
Understanding SSO Identity Sources and user qualifications
With vCenter Single Sign-On, there are four different types of identity sources which can be used for authentication. Each one of them is qualified in a different way.
This table lists the different types and the corresponding details:
| Type | Qualification | Description |
| --- | --- | --- |
| vCenter SSO | vsphere.local | The vCenter SSO provided Authentication mechanism. This is the default type used for vCenter SSO administration. |
| Active Directory | Domain Name | An external Active Directory domain, which is either automatically discovered or added after installation. |
| Open LDAP | Domain Name | An external Open LDAP, which is added after installation of vCenter SSO. |
| Local OS | Computer Name | The Local Operating system users. This is available only if vCenter SSO is installed in Basic mode. |
When logging in to the vSphere Web Client, log in with the qualified username, for example, [email protected], which instructs the client to look for the username only in the domain specified. A default domain can also be specified. The default domain is the domain used for the login if no qualification is provided for the user, for example, when logging in with just the username.
To change the default domain order:
- Log in to the vSphere Web Client as a vCenter SSO administrator.
- In the home page, navigate to Administration > Sign-On and Discovery > Configuration.
- Click the Identity Sources tab.
- Review the default domains and change the order of precedence.
- To add one of the identity sources as a default domain, select the domain and then click Add to Default Domains.
Note: Having multiple domains in the Default Domain list might result in locked user accounts during authentication.
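The following added example (not VMware code) is a simplified Python model of the lookup described above: a qualified login is checked only against the named identity source, while an unqualified login falls back to the default domain list. The source names, accounts, passwords, the `user@qualification` parsing and the assumption that default domains are tried in order of precedence are all constructed for illustration.

```python
# Simplified model of SSO user qualification; not vCenter SSO's implementation.
import hmac
from collections import Counter

# Constructed identity sources: qualification -> {username: password}
SOURCES = {
    "vsphere.local": {"administrator": "sso-pass"},   # vCenter SSO
    "corp.example": {"administrator": "ad-pass"},     # Active Directory
    "VC01": {"administrator": "local-pass"},          # Local OS (computer name)
}

def split_login(login):
    """Split 'user@qualification' into (user, qualification or None)."""
    user, sep, qual = login.rpartition("@")
    return (user, qual) if sep else (login, None)

def authenticate(login, password, default_domains, failures):
    """Return the qualification that accepted the login, or None.

    failures is a Counter keyed by (qualification, user); every rejected
    password is recorded against the account it was tried on.
    """
    user, qual = split_login(login)
    # Qualified: only the named source is consulted. Unqualified: assumed to
    # walk the default domain list in order of precedence.
    for domain in ([qual] if qual else default_domains):
        stored = SOURCES.get(domain, {}).get(user)
        if stored is None:
            continue
        if hmac.compare_digest(stored, password):
            return domain
        failures[(domain, user)] += 1
    return None

if __name__ == "__main__":
    failures = Counter()
    defaults = ["corp.example", "VC01", "vsphere.local"]
    # Qualified login touches one source and leaves no failed attempts behind.
    print(authenticate("administrator@vsphere.local", "sso-pass", defaults, failures))
    # Same credentials, unqualified: two same-named accounts reject it first.
    print(authenticate("administrator", "sso-pass", defaults, failures))
    print(dict(failures))
```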
Default SSO Users and Groups
By default, vCenter SSO includes different users and groups that are used for administration of the vCenter SSO service.
This table lists the default users and groups:
| User/Group | Description |
| --- | --- |
| [email protected] | The vCenter SSO administration account on a Windows installation. The password is set during the initial installation of the vCenter SSO Service. |
| root | The vCenter SSO administration account on a Linux server. |
| `__Regular_Users__` | SSO Regular user role |
| `__Administrators__` | SSO Administrators |
| LSAdministrators | Members of this group are the administrators of the Lookup Service |
Troubleshooting User Qualifications
To troubleshoot issues related to user qualifications, determine if the login failure is due to a bad identity source username or password or if the authentication is not happening against the proper source.
To troubleshoot this issue: