vCenter and SSO
-
I think I have an understanding but wanted clarification. When you install & set up vCenter Server for the first time, in Stage 2 there's a step for "SSO Configuration". Under "Create a new SSO domain" where it asks for the "Single Sign-On domain name", by default you can put vsphere.local or anything you want. If you're planning to join vCenter to an AD domain, would you fill in your AD domain name here, or add that as an identity source later on once vCenter is up and running? I'm a little confused whether to think of vCenter's SSO as its own separate identity or if I join to an existing domain for my users and groups.
Thanks in advance for any suggestions.
-
My apologies as to the tardiness to answer you. This is uncharacteristic of our team but we do have posts that slip past us before we realized and this is one of those.
This is more probably dealing with the security policy where you are than it is something that will substantively improve or degrade your performance. If you choose to join the vCenter server to the domain, that will work; remember that your computer will be a member, and if domain policies can apply to that computer, they will. Also for SSO, this allows domain users that have the proper permissions to access the server too. You may want to choose which configuration options to consider here: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-75D4E587-3F9B-4B50-96DA-D6DB6D1781D7.html. It also has this telling paragraph:
To configure vCenter Single Sign-On, you must have vCenter Single Sign-On administrator privileges. Having vCenter Single Sign-On administrator privileges is different from having the Administrator role on vCenter Server or ESXi. In a new installation, only the vCenter Single Sign-On administrator (administrator@vsphere.local by default) can authenticate to vCenter Single Sign-On.