Should I use a different SSO domain than ‘vsphere.local’ in vCenter?

For a small environment (single host), does it make sense to use something different than the suggested ‘vsphere.local’ domain name for the default SSO domain? Otherwise I’d use something like ‘vsphere.customer-domain.com’ when Active Directory is already ‘ad.customer-domain.com’.

View Reddit by alphanimal

  1. I only bother changing it if it’s going to use something other than local auth, or it might get confused with another environment. (For example, at home, I don’t bother; at work, I manage multiple environments, so I change it.)

  2. Unless you already have vsphere.local SSO domain in this environment and want to set up another disjoint SSO domain, it does not make sense to change the default. Keeping default values avoids confusion and keeps things standard.

  3. I was replacing the current sso config with a new one so I moved from vsphere.local to vsphere.<company> so I could tell the difference between the two. I have had no real issues whatsoever apart from maybe accidentally typing administrator@vsphere.local before remembering that I used a new domain name, or having to update a script or two. As long as you communicate the change within your organization and remember it yourself, there’s no problem with changing that name. Honestly it feels a tiny bit more secure due to the sso name not being a default that every other org uses. Just remember when VMware Support asks you to use the vsphere.local account you use your vsphere.whatever. 😉

  4. I use vsphere.local because I don’t use SSO. I also virtualize both my domain controllers. I made it different than my local domain so if both domain controllers are down I can still log in.

  5. For your purpose, it does not make sense to change it. In environments where you are dealing with multiple vCenters, do yourself a favor and configure a unique SSO domain per environment.

  6. I have been using the default vsphere.local for so long and in so many locations that unless you really want to complicate your life, don’t change it. You only need it for local auth, so why bother?

  7. Having deployed tons of vCenters, there is no reason at all to change the default vsphere.local, as you should be configuring DNS and reverse DNS for all your hosts, vCenters and/or PSCs.

    Once the vCenter is all up, you simply configure an identity source and add your domain controllers so that you may log in with your domain credentials and never really use vsphere.local.

    Also ensure you set up NTP correctly.

  8. We always use vsphere.local; it keeps it simple and consistent with VMware documentation. There’s literally no reason to change it that I can think of. When you AD-integrate vCenter you don’t use the local SSO domain anyway, aside from initial setup and a few select admin actions that require the use of the local SSO domain’s administrator account.
