VCP6-DCV Delta Study – Section 1 – Objective 1.3

This post covers Section 1, Configure and Administer vSphere Security, Objective 1.3, Enable SSO and Active Directory Integration.

The vSphere Knowledge covered in this objective:

  • Configure/Manage Active Directory Authentication
  • Configure/Manage Platform Services Controller (PSC)
  • Configure/Manage VMware Certificate Authority (VMCA)
  • Enable/Disable Single Sign-On (SSO)
  • Identify available authentication methods with VMware vCenter

Objective 1.3 VMware Resources and Tools include:

– Configure/Manage Active Directory Authentication

Single Sign-On Identity Sources are configured using the Web Client -> Administration -> Single Sign-On -> Configuration -> Identity Sources


Either Active Directory (Integrated Windows Authentication) or Active Directory as an LDAP Server can be used to create an AD identity source.

Configuring Identity Sources can be found in the VMware vCenter Server™ 6.0 Deployment Guide on page 78 or in the vSphere Security Guide on page 29.

– Configure/Manage Platform Services Controller (PSC)

The Platform Services Controller (PSC) provides:

  • Single Sign-On (SSO)
  • Licensing
  • Certificate Authority (VMCA)

The PSC provides the following services: vCenter Single Sign-On, VMware Certificate Authority, License Service, and Lookup Service.

See Services Installed with VMware Platform Services Controller in the vSphere Installation and Setup Guide on page 12.

Deployment Methods

  • Embedded Platform Service Controller
    All services bundled with the Platform Services Controller are deployed on the same virtual machine or physical server as vCenter Server.
  • External Platform Service Controller
    The services bundled with the Platform Services Controller and vCenter Server are deployed on different virtual machines or physical servers.

You cannot switch the models after deployment, which means that after you deploy vCenter Server with an embedded Platform Services Controller, you cannot switch to vCenter Server with an external Platform Services Controller, and the reverse.

An external PSC can provide services to both vCenter on Windows and the vCenter Server Appliance (VCSA).

The default single sign-on domain is vsphere.local. This can be changed during the PSC installation.
The default single sign-on administrator user is administrator. The default administrator user cannot be changed during installation.

See the VMware vSphere Blog post vCenter Server 6 Deployment Topologies and High Availability.
See the VMware KB article on Recommended topologies for vSphere 6.0.x (2108548).

Enhanced Linked Mode connects multiple vCenter Server systems together by using one or more Platform Services Controllers (new in vSphere 6).
Enhanced Linked Mode supports linking vCenter on Windows and vCenter Server Appliance (VCSA).
Enhanced Linked Mode allows you to view, search, and manage across all linked vCenter systems. Roles, permissions, licensing, policies, and tags are replicated between all linked vCenter systems.
Enhanced Linked Mode requires an external PSC deployment.

– Configure/Manage VMware Certificate Authority (VMCA)

By default the VMware Certificate Authority (VMCA) provisions each ESXi host with a signed certificate that has VMCA as the root certificate authority.
Certificates for vCenter Server and the vCenter Server services are stored in the VMware Endpoint Certificate Store (VECS).
The VMCA root certificate expires after ten years by default. All certificates that VMCA signs expire when the root certificate expires.
When upgrading from earlier versions of vSphere the self-signed certificates are replaced with certificates signed by the VMCA.

ESXi Certificate Replacement Modes

  • VMware Certificate Authority mode – this is the default.
    VMCA issues certificates to hosts.
  • Custom Certificate Authority mode
    Manually update and use certificates not signed or issued by the VMCA.
  • Thumbprint mode
    Retain 5.5 certificates.

The ESXi SSL thumbprint can be viewed in the DCUI from the View Support Information menu.

The certificate replacement mode is set using the vpxd.certmgmt.mode vCenter Server advanced setting, which takes the value vmca, custom, or thumbprint.
See Understanding Certificate Mode Switches in the vSphere Security Guide on page 140.
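The following PowerCLI sketch is an added example, not part of the original post or VMware's documentation. It reads vpxd.certmgmt.mode and lists each host's certificate issuer and expiry, so the configured mode can be compared with the certificates actually deployed. The server name vcsa.example.local and the 60-day review threshold are assumptions.

```powershell
# Added example: audit the ESXi certificate mode and per-host certificates.
# Requires VMware PowerCLI. 'vcsa.example.local' is a placeholder name.
$vc = Connect-VIServer -Server 'vcsa.example.local'

# Read the certificate mode from the vCenter Server advanced settings.
$setting = Get-AdvancedSetting -Entity $vc -Name 'vpxd.certmgmt.mode'
$mode = [string]$setting.Value
if ($mode -notin 'vmca', 'custom', 'thumbprint') {
    Write-Warning "Unexpected vpxd.certmgmt.mode value: '$mode'"
}
Write-Output "vCenter certificate mode: $mode"

# Assumed review threshold in days; adjust to local policy.
$warnDays = 60
$now = Get-Date

$report = foreach ($vmhost in (Get-VMHost -Server $vc | Sort-Object Name)) {
    # HostCertificateManager exposes the host's current certificate details.
    $certMgr = Get-View -Server $vc -Id $vmhost.ExtensionData.ConfigManager.CertificateManager
    $info = $certMgr.CertificateInfo

    # Disconnected hosts may not return certificate details.
    $daysLeft = $null
    if ($info -and $info.NotAfter) {
        $daysLeft = [int]($info.NotAfter - $now).TotalDays
    }

    [pscustomobject]@{
        Host     = $vmhost.Name
        Issuer   = $info.Issuer
        NotAfter = $info.NotAfter
        Status   = $info.Status
        DaysLeft = $daysLeft
        Review   = ($null -eq $daysLeft) -or ($daysLeft -lt $warnDays)
    }
}

$report | Format-Table -AutoSize

Disconnect-VIServer -Server $vc -Confirm:$false
```

In vmca mode the Issuer column should show the VMCA root; a host with a different issuer in that mode, or any row with Review set to True, is worth a closer look.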

Certificates can be viewed in the Web Client -> Home -> System Configuration -> Nodes -> Node -> Manage -> Certificate Authority
In the Web Client you can view Active Certificates, Revoked Certificates, Expired Certificates, and Root Certificates.

– Enable/Disable Single Sign-On (SSO)

vCenter Single Sign-On is part of the Platform Services Controller (PSC).
See Understanding vCenter Single Sign-On in the vSphere Security Guide on page 20.

vCenter Single Sign-On allows vSphere components and services to communicate with each other through a secure token mechanism.

Single Sign-On policies are configured using the Web Client -> Administration -> Single Sign-On -> Configuration -> Policies

  • Password Policy
  • Lockout Policy
  • Token Policy

– Identify available authentication methods with VMware vCenter

Single Sign-On Identity Sources are configured using the Web Client -> Administration -> Single Sign-On -> Configuration -> Identity Sources
SSO Identity Sources:

  • Active Directory Integrated
  • Active Directory LDAP
  • OpenLDAP
  • localos

vCenter Single Sign-On can authenticate users from its own internal users and groups, or it can connect to trusted external directory services such as Microsoft Active Directory.

More Section Objectives in the VCP6-DCV Delta Exam Study Guide Index

I hope you found this helpful. Feel free to add anything associated with this section using the comments below. Happy studying.
