I am installing Single Sign on Server on a separate Virtual Machine from vCenter Server. Active directory is in the environment already. Single Sign on gives you the option to use a local administrator account or to use an Active Directory account as the "administrator role" for single sign on. I need to determine what the pros and cons are of using an account in Active Directory versus using a local administrator account.
For example Do I want to create a dependency on Active Directory in this scenario?. If for some reason AD is unavailable, then this account can't authenticate to Single Sign on.
Alternatively, I do not want to have local authentication taking place all over the environment. We want to centralize management of accounts where appropriate.
The VMware docs talk about the issue but don't really describe the implications. If you already use Active Directory for most of your authentication, are most people using it here as well? Should this particular account double to be used on other components of the vSphere management pieces? For example, a standard "vSphere administrator role account" to use in multiple management pieces? (vCOPs, VCO, Chargeback, vShield, DynamicOps, VCD)
Here is the Installation documentation I'm referring to on page 227:
"For larger installations, where vCenter Single Sign-On and vCenter Server are deployed on different hosts, you cannot preserve the same behavior as in vCenter Server 5.0. Instead, assign the vCenter Server administrator role to a user or group from an identity source that is registered in the vCenter Single Sign-On server: Active Directory, OpenLDAP, or the system identity source." Any thoughts, experiences, input? Thanks.