vCenter Domain Authentication KB ID 0001854
Problem
Note: This procedure uses vCenter 8.0 Update 2, (the process is the same for vSphere 7).
When you set up your VCSA you will have configured SSO, in most cases accepting the default SSO domain of vsphere.local. But if you want to log into vCenter you probably want your identity source to be AD (to use your existing usernames and passwords).
Note: In this example I will grant administrative access to the Domain Admins group; in production you will probably want to create dedicated AD groups and apply the principle of least privilege.
Solution: vCenter Domain Authentication
Once logged into vCenter, change views by clicking the ‘three lines’ (menu) icon at the top left of the screen, then navigate to Administration > Single Sign On > Configuration > Identity Provider > Active Directory Domain > Join AD.
Supply the domain name and some credentials that have the rights to join a machine to the domain > Join.
Nothing happens! Don’t worry, that’s normal: nothing will change (and you can’t progress) until you’ve rebooted the VCSA.
While it’s rebooting you can check in your AD, and you will see that the computer object has been created for the VCSA.
Have some patience. Once the VCSA has rebooted and all the services are back online, the display changes to show the domain information, and you can proceed.
Identity Source > Add.
Change the drop down to Active Directory over LDAP.
Enter the connection details for the domain (the LDAP server URL, the base DNs for users and groups, and the bind credentials). The account used to ‘bind’ to Active Directory can be a plain ‘domain user’ with no extra rights; its password is stored on the VCSA, so use a dedicated account rather than an admin’s. Prefer an ldaps:// URL (TCP 636) so the bind password and directory queries are not sent in clear text; plain ldap:// (TCP 389) works but exposes them on the wire. Fill in the fields and select ‘Add’.
Now select the domain you just added and ‘Set as Default’, then confirm by pressing ‘OK’.
Users and Groups > Groups > Select Administrators > Edit.
Change the domain to your AD domain > Search for Domain Admins > Add that group.
You can now authenticate to the VCSA with an account that is a member of that AD group.
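The following PowerShell is an added example and is not part of the original KB. It covers the AD side of the procedure above: confirming the VCSA computer object that ‘Join AD’ creates, building a dedicated admin group and a read-only bind account instead of using Domain Admins (the least-privilege point in the note above), and checking that the domain controller answers on LDAPS so the identity source can use an ldaps:// URL. All names (domain example.corp, DC dc01, VCSA host VCSA01, OUs, group and account names) are assumptions; substitute your own. It needs the RSAT ActiveDirectory module on a domain-joined admin workstation.

```powershell
# Added example, not the KB's own code. Every name below is an assumption.
Import-Module ActiveDirectory

$Domain     = 'example.corp'                            # assumed AD domain
$Dc         = "dc01.$Domain"                            # assumed domain controller
$VcsaName   = 'VCSA01'                                  # assumed VCSA hostname
$GroupOu    = 'OU=Groups,DC=example,DC=corp'            # assumed OU for groups
$SvcOu      = 'OU=ServiceAccounts,DC=example,DC=corp'   # assumed OU for service accounts
$AdminGroup = 'vCenter-Admins'                          # assumed group to map to SSO Administrators
$BindUser   = 'svc-vcsa-ldap'                           # assumed LDAP bind account

# 1. Confirm the computer object created by 'Join AD' exists (visible while the VCSA reboots).
try {
    $computer = Get-ADComputer -Identity $VcsaName -Server $Dc -Properties OperatingSystem, whenCreated
    "VCSA computer object: $($computer.DistinguishedName) (created $($computer.whenCreated))"
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    Write-Warning "No computer object '$VcsaName' found; the Join AD step has not completed."
}

# 2. Least privilege: a dedicated group to add to the vCenter Administrators group,
#    instead of granting Domain Admins.
if (-not (Get-ADGroup -Filter "Name -eq '$AdminGroup'" -Server $Dc)) {
    New-ADGroup -Name $AdminGroup -SamAccountName $AdminGroup -GroupScope Global `
        -GroupCategory Security -Path $GroupOu -Server $Dc `
        -Description 'Members are vCenter SSO Administrators'
}

# 3. A plain domain user for the LDAP bind. It needs no group membership;
#    default read access to the directory is enough. The password is prompted, never hard-coded.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$BindUser'" -Server $Dc)) {
    $pw = Read-Host -Prompt "Password for $BindUser" -AsSecureString
    New-ADUser -Name $BindUser -SamAccountName $BindUser `
        -UserPrincipalName "$BindUser@$Domain" -Path $SvcOu -Server $Dc `
        -AccountPassword $pw -Enabled $true -CannotChangePassword $true `
        -Description 'vCenter SSO LDAP bind account (read-only)'
}

# 4. Check LDAPS (TCP 636) is reachable and capture the certificate the DC presents,
#    which the VCSA must trust when the identity source URL is ldaps://<dc>:636.
function Get-LdapsCertificate {
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: the goal is to inspect it, not to trust it yet.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

if ((Test-NetConnection -ComputerName $Dc -Port 636).TcpTestSucceeded) {
    $cert = Get-LdapsCertificate -HostName $Dc
    "LDAPS cert: $($cert.Subject) issued by $($cert.Issuer), expires $($cert.NotAfter)"
    "Thumbprint: $($cert.Thumbprint)"
    # Export as DER (.cer) so it can be uploaded in the Add Identity Source dialog.
    $cerPath = Join-Path $env:TEMP "$Dc-ldaps.cer"
    [IO.File]::WriteAllBytes($cerPath,
        $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    "Exported to $cerPath"
} else {
    Write-Warning "TCP 636 on $Dc is closed; with plain ldap:// on 389 the bind password crosses the wire in clear."
}
```

Run it once before the ‘Identity Source > Add’ step and again after the reboot to confirm the computer object. The exported .cer is the server certificate; if your DCs use certificates from an internal CA, uploading the CA certificate instead covers every DC in the domain.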