<div>
A couple of ways you can do this:-<br />
<br />
1. Create the trust relationship between domains.<br />
2. Add domainA.local also as an authentication source, in SSO, and then select which Default Resource will be expected domainA.local or domainb.local <br />
<br />
what this means, is what users need to type in the username box<br />
<br />
e.g. &nbsp;domainb.local\username or &nbsp;domainA.local\username<br />
<br />
to login to vCenter Server<br />
<br />
The reason why we do both, is you may not want users being able to use domain resources, e.g. Workstations, Printers etc if you setup a trust then those users, can login, and also user domain resources, if you just add the AD Authentication Source to SSO, they can only login to vCenter.
</div>


<div>
Andrew, I am having trouble with this. I have an identity source listed under SSO on Vcenter server as domainB.local. I can log in to Vcenter as anyuser@domainB.local but I need to be able to log in as anyuser@domainA.local as well. <br />
<br />
I do not believe I can add a second identity source to the vcenter server for a second domain, which is why I was thinking of configuring a domain trust relationship. However, I like the route of option 2, I just am not sure how to do so. Thank you,
</div>


<div>
If you cannot add it, then you will need to create the one way or two way trust, this is because of the current method you have employed called Active Directory (Integrated Windows Authentication, which allows only a single Active Directory as an identity source, so you would need to use a one way or two way trust for this method.<br />
<br />
(current config)<br />
<br />
or, <br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br />
Active Directory over LDAP. vCenter Single Sign-On supports multiple Active Directory over LDAP identity sources. (which needs re-config).<br />
<br />
see here<br />
<br />
<a href="https://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-1F0106C9-0524-4583-9AC5-A748FD1DC4C5.html" rel="ugc nofollow">https://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-1F0106C9-0524-4583-9AC5-A748FD1DC4C5.html</a><br />
<br />
Please note a one way or two way trust is easier to configure, be careful you do not break your config,and ability to login!
</div>


<div>
Can you provide a bit more guidance on this? I have configured the one way trust since you say it would be easier. I can now authenticate to domainb.local windows server with user@domaina.local but I still cannot authenticate to vcenter server with user@domainA.local.
</div>


<div>
can you check if user@domainA.local can login to your domain at a PC.<br />
<br />
also remember, you will need to type domainA.local\username or whatever the shortname is for that domain.
</div>


<div>
Andrew, Yes. I can log in to a computer on domainB with a user from domainA.<br />
For example, I can RDP to Computer1.domainB.local with the credentials of domainA\username. So, the trust is working, but Vcenter is not allowing domainA\username to connect to it.
</div>


<div>
Also of note, vcenter server is joined to domainB, and any user from domainB can log in to vcenter with domainB\username credentials.
</div>


<div>
okay, if you log into the Web Client, using the Administrator@vsphere.loca<wbr />l account, and select Administration, Single Sign On.<br />
<br />
there is a Domain drop down option, you should see both domains in that list, if you don't the Trust is not correct, or replicated through to SSO.<br />
<br />
Check the Identity Source.<br />
<br />
Also remember, this could be all in place, but you have not Granted Access in vCenter Server to your Accounts that need access to vCenter Server resources.<br />
<br />
e.g. they need to have permissions to access vCenter and Objects!<br />
<br />
by default, your default domain domainB, Administrators group is added by default, so you may ave to add users from domainA.
</div>


<div>
Hi Andrew, I may have made some progress...<br />
<br />
I log in as administrator@vsphere.loca<wbr />l and navigate to Administration -&gt; Single Sign On -&gt; Users and Groups, from the dropdown I see vsphere.local, localos, and domainB.local. <br />
<br />
When I select domainB.local from the dropdown I see a list of users that reside in AD in DomainB.local. <br />
<br />
I do not see anything in regards to domainA.local.<br />
<br />
If I navigate to SSO -&gt; Configuration -&gt; Identity Sources, I see domain of vsphere.loca, localos, and domainB.local - I previously configured Identity source type 'Active Directory (integrated windows authentication), with the domain name of domainb.local, and the option of 'Use Machine Account'.<br />
<br />
I CAN log in to the web client using the credentials in the format of domainA\username AND using username@domainA.local, however neither of these work on the thick vsphere client. <br />
<br />
Although I can authenticate, when I login I get an error popup immediately; &quot;Client is not authenticated to VMware Inventory Service - <a href="http://localhost:10080/invsvc" rel="ugc">http://localhost:10080/invsvc</a>&quot;&nbsp;and when I browse to inventory it is empty, there are no hosts or VMs.<br />
<br />
In further troubleshooting, if I log in with any user@domainB.local, I also authenticate and do not get the popup error, but I also have an empty inventory. The only user I can log in and view inventory populated is with the administrator@vsphere.loca<wbr />l.
</div>


<div>
Furthermore, I did go in to Administration -&gt; Global Permissions -&gt; + -&gt; and added the group of domainB.local\domain users with administrator rights, and now when I log in with any user@domainB.local I now see inventory. <br />
<br />
Still same issue logging in from user@domainA.local.
</div>


<div>
Also I did find this VMware kb article: <br />
<a href="http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2064250#external" rel="ugc nofollow">http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2064250#external</a><br />
So it looks like domain trusts can work in Vcenter SSO, I just cannot make sense of where to configure it within Vcenter.
</div>


<div>
using the older vSphere Client, can we try a test?
</div>


<div>
When trying to log in via the older vsphere client no credentials from domainA.local work at all.
</div>


<div>
Andrew, I also found this article from a google search:<br />
<a href="http://www.cloud-buddy.com/?p=1769" rel="ugc">http://www.cloud-buddy.com/?p=1769</a><br />
It looks like the author is adding the identity source as and LDAP server, is this a possibility? Would I need to add the LDS role to the DC in DomainA.local?
</div>


<div>
That's what I mentioned in my second post...Active Directory via LDAP, but you would have do undo, your current config...<br />
<br />
Using your current working Admin, login to vSphere Client. (not web client)<br />
<br />
Click the very top of the tree, e.g. the actual name of the vCenter Server. (e.g. root of tree)<br />
<br />
Click Permissons Tab<br />
<br />
Right Click Add Permission<br />
<br />
Click Add user, now check if you can Add users from <br />
<br />
domainb<br />
domaina
</div>


<div>
Andrew, if I follow your steps, within the vsphere client, I still only see the domain of vsphere.local and domainb, I do not have the option of domaina
</div>


<div>
Also, If I need to undo the current config to get this working with LDAP instead that would not really be a big problem. I was looking in to LDAP though and it looks like I would need to configure a CA as well in both domains which I am not fond of so I have been looking for another way to do this without needing a CA.
</div>


<div>
Also not sure if I mentioned but both DCs in both domains are 2012 R2. Will they accept LDAP queries as is without adding the LDS role?
</div>


<div>
Ok, very strange. Domain trusts are so simple I don't know how it could be not working. I have deleted and re-created two way trust as well. I can log in to DomainA with domainB credentials, and I can log in to DomainB with DomainA credentials. <br />
<br />
Is there something else I have to do within vcenter to get it to see the other domain? Is it possible because I have created the domain trusts after vcenter was joined to the domain?
</div>


<div>
<blockquote>
Is there something else I have to do within vcenter to get it to see the other domain? Is it possible because I have created the domain trusts after vcenter was joined to the domain?
</blockquote>
<br />
that should not make any difference, but vCenter Server (SSO) is not observing the trust.
</div>


<div>
Andrew, I was looking at this article:<br />
<a href="http://wahlnetwork.com/2013/09/09/using-active-directory-integrated-windows-authentication-sso-5-5/" rel="ugc">http://wahlnetwork.com/2013/09/09/using-active-directory-integrated-windows-authentication-sso-5-5/</a><br />
which looks like the author was able to add multiple domains without using LDAP?
</div>


<div>
I apologize for the links, but this one looks like the author is using 'Active Directory as an LDAP server&quot;<br />
<a href="http://www.virten.net/2015/02/how-to-add-ad-authentication-in-vcenter-6-0-platform-service-controller/" rel="ugc">http://www.virten.net/2015/02/how-to-add-ad-authentication-in-vcenter-6-0-platform-service-controller/</a><br />
Is it possible to use this in addition to the Active Driectory method? <br />
Regardless, it looks like I will still need to configure LDAP on the DC in Domain A correct?
</div>


<div>
well if he did, it's not supported, because LDAP is the only method to add two!<br />
<br />
I'm not sure I see two different domains in the link.<br />
<br />
anyway not supported.
</div>


<div>
Yes, you will need to configure LDS on both domains!
</div>


<div>
Hi Andrew, I may have made some progress. <br />
I removed vcenter from domain b, rebooted, joined vcenter to domainb, rebooted. Then added the domainb.local as an identity source with computer account. Now when I go to Administration -&gt; users and groups I now have domaina AND domainb in the dropdown. <br />
If I go to global administration -&gt; global permissions -&gt; + -&gt; Add I do have domainb in the dropdown, and the users populate. I also have domaina.local in the dropdown now, but when I click it the users do not populate and in the bottom lefthand corner of web GUI I get the error &quot;cannot load the users for the selected domain&quot;<br />
Progress?
</div>


<div>
if you have both domains available, then vCenter is querying the domains, and the trust.<br />
<br />
this user you are logged in with does have permissions to read both domains ?
</div>


<div>
I'm not sure how to provide permission to a user on domainB to &quot;read domains&quot; on domainA. Is that in AD or in Vcenter?
</div>


<div>
AD.<br />
<br />
Can you check in your an admin in Domain A, and use the Active Directory and User/Group snap-in, you can manage users, and vice versa.
</div>


<div>
Trying to understand what you mean, so in AD for DomainA, I should be able to to open the Domain Admins group and add a user from DomainB?
</div>


<div>
If a two way trust has been established correctly.<br />
<br />
1. You should be able to login as a Doman Admin user from Domain A, and manage ALL Objects in Domain B.<br />
<br />
2. You should be able to login as a Doman Admin user from Domain B, and manage ALL Objects in Domain B.<br />
<br />
This is standard Active Directory management.<br />
<br />
have you worked with Trusted Relatonships between domains before ?
</div>


<div>
Hi Andrew, I have worked with trusts, yes. I am having trouble understanding what you are trying to say though, when you say permission to read domains, it is not clear to me.<br />
<br />
As it stands now, there is a two way trust between domainA and domainB. <br />
I can log in to domainB computer with any domainA\username credentials and vice versa. <br />
I have delegated control in AD on DomainA to administrator@domainB.loca<wbr />l to allow all common tasks, including 'Read all user information&quot;. <br />
I have also delegated control in DomainA for VcenterserverAdomainB.loca<wbr />l computer account to &quot;Read all user information&quot;<br />
To my knowledge, the administrator@domainB.loca<wbr />l and the computer account of vcenter@domainb.local should have rights to read users on DomainA. I am wondering if I am missing anything? <br />
If I log in to vcenter on domainB with username administrator@domainB.loca<wbr />l, and navigate to global permissions, add user, the users still do not populate for domainA. <br />
<br />
I had asked if you were suggesting adding a user from DomainB to a group such as domain admins or even domain users on Domain A, in order to have permissions to read user information but I was unclear on this. Sorry for the confusion.
</div>


<div>
okay, I'm just trying to establish to Domain Admin Users from Domain A and Domain B that you are using can administer both domains?<br />
<br />
nothing to do with vCenter Server, using Active Directory Users and Computers ?<br />
<br />
yes or no ?<br />
<br />
This is a confirmation that the trust is working ?<br />
<br />
Using that some user logged into vCenter Server should also work.<br />
<br />
from what you are saying it suggests, that this is working how it should but not in vCenter Server.
</div>


<div>
Ok understood. Yes, I can log in to my DC on DomainB with Administrator@domainB.loca<wbr />l, open ADUC MMC, change domain to domainA.local, and yes I can view all OUs, users, groups, I can create, modify, and delete users.
</div>


<div>
so - you cannot login as other domain users, or retrieve user lists ?
</div>


<div>
Andrew, I simply added the LDS role to DC on domainA, and then was able to add DomainA as an LDAP Identity Source. I can now authenticate to Vcenter on domainB using credentials from DomainA.
</div>


<div>
<div class="content wysiwyg-content">
Hello Experts,<br />
<br />
I have a production domain of domainA.local.<br />
<br />
I have a VMware environment with Vcenter server and several hosts. the Vcenter environment is isolated from domainA.local, in that it uses a DC in domainB.local for DNS. <br />
<br />
I would like users from domainA.local to be able to authenticate and log in to vcenter server on domainB.local so we can track what users are making changes. Currently, all users from domainA.local log in to vcenter server with administrator@vsphere.loca<wbr />l. <br />
<br />
How do I go about this? I'm thinking a one way trust from domainA to domainB, and then allow authentication for users on domainB to vcenter server, even though vcenter server is joined to domainB.<br />
<br />
Thanks in advance,
</div>
</div>


Hello Experts,

I have a production domain of domainA.local.

I have a VMware environment with Vcenter server and several hosts. the Vcenter environment is isolated from domainA.local, in that it uses a DC in domainB.local for DNS. 

I would like users from domainA.local to be able to authenticate and log in to vcenter server on domainB.local so we can track what users are making changes. Currently, all users from domainA.local log in to vcenter server with administrator@vsphere.local. 

How do I go about this? I'm thinking a one way trust from domainA to domainB, and then allow authentication for users on domainB to vcenter server, even though vcenter server is joined to domainB.

Thanks in advance,

Cross domain VMware authentication

VMware, a software company founded in 1998,  was one of the first commercially successful companies to offer x86 virtualization. The storage company EMC purchased VMware in 1994. Dell Technologies acquired EMC in 2016. VMware’s parent company is now Dell Technologies.

VMware has many software products that run on desktops, Microsoft Windows, Linux, and macOS, which allows the virtualizing of the x86 architecture.  Its enterprise software hypervisor for servers, VMware vSphere Hypervisor (ESXi), is a bare-metal hypervisor that runs directly on the server hardware and does not require an additional underlying operating system.

VMware

The Microsoft Server topic includes all of the legacy versions of the operating system, including the Windows NT 3.1, NT 3.5, NT 4.0 and Windows 2000 and Windows Home Server versions.