How to do it…

First, we will join the VCSA to the AD domain:

  1. Open a web browser and go to the address of the VCSA.
  2. Log in using [email protected] (or your SSO domain) and the correct password.
  3. From the VCSA home screen, go to Administration, then System configuration under Deployment.
  4. Click on Nodes and then on the name of your PSC. If you are running an embedded PSC, click on VCSA instead.
  5. Now click on the Manage tab, then Active Directory under Advanced.
  6. Click on the Join button.
  7. Enter the domain name, username (without domain prefix), and password. The Organizational unit field is not required. Click on OK.
  8. A screen will flash but nothing will appear to change. This is OK.
  9. Right-click on the PSC (or VCSA) and select Reboot. Enter a reason, then click OK.
  10. Wait for about 5 minutes for the system to reboot.
  11. Log back in and go to the same location; the AD domain should now be filled in.
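
Because step 8 gives no visible confirmation, the join can also be checked from the appliance shell after the reboot. The script below is an added example, not part of the original recipe. It assumes the appliance provides the Likewise tool at /opt/likewise/bin/domainjoin-cli and that its query output uses "Key = value" lines; the host and domain names are constructed.

```shell
#!/bin/bash
# Added example: confirm the AD join from the appliance shell after the reboot.
# Assumption: "domainjoin-cli query" prints "Key = value" lines such as
# "Domain = CORP.EXAMPLE" (Likewise-style output); adjust if yours differs.

# Print the value of the "Domain" line from query output on stdin (empty if absent).
joined_domain() {
  awk -F' = ' '$1 == "Domain" { print $2; exit }'
}

# check_join EXPECTED: read query output on stdin and return
#   0 if the appliance reports EXPECTED (case-insensitive),
#   1 if it is joined to a different domain,
#   2 if it is not joined at all.
check_join() {
  expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  actual=$(joined_domain | tr '[:upper:]' '[:lower:]')
  if [ -z "$actual" ]; then
    echo "not joined to any domain"; return 2
  fi
  if [ "$actual" != "$expected" ]; then
    echo "joined to $actual, expected $expected"; return 1
  fi
  echo "joined to $actual"
}

# Constructed sample output (hypothetical host and domain names).
SAMPLE_JOINED='Name = vcsa01
Domain = CORP.EXAMPLE
Distinguished Name = CN=VCSA01,CN=Computers,DC=corp,DC=example'
SAMPLE_UNJOINED='Name = vcsa01
Domain ='

printf '%s\n' "$SAMPLE_JOINED" | check_join corp.example
printf '%s\n' "$SAMPLE_UNJOINED" | check_join corp.example || true

# On the appliance itself (assumed path, run as root):
#   /opt/likewise/bin/domainjoin-cli query | check_join corp.example
```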

Now we will add an identity source so that the VCSA can authenticate against the AD domain:

  1. From the VCSA home screen, go to Administration and then Configuration under Single Sign-On.
  2. Go to the Identity Sources tab, then click on the + sign to add an identity source.
  3. To connect to the AD, select the Active Directory (Integrated Windows Authentication) option. Click on Next.
  4. The next screen should show the domain that you entered in step 7 of the preceding procedure. You can use the machine account or choose to specify an account. Click on Next.
  5. Review the summary, then click Finish.
  6. Your domain name should appear as a new item in the Identity Sources screen.
  7. To verify that everything is working, go back and click on Users and Groups under Single Sign-On. Then click on the Users tab and select your domain. After a few seconds, all the domain accounts should be listed.

Now that we have joined the AD domain and have added the domain as an identity source, we can follow the normal process to give users and groups permissions to vCenter:

  1. From the VCSA home screen, go to Administration and then Global Permissions under Access Control.
  2. Click on the Manage tab, then on the + icon.
  3. In the Add Permission window, click on the Add button.
  4. In the Select User/Groups window, select your domain from the drop-down menu.
  5. Now you can search for users and groups and add them to the list at the bottom.
  6. Click on OK to add these users and groups.

In this example, I have added my Domain Admins group as administrator-level users.

Now anyone who is a member of the Domain Admins group can log in to vSphere Web Client using their AD domain credentials.

Note that in order for users to log in to vSphere Web Client using their Windows session credentials, they will need to install the Enhanced Authentication Plugin on their system.
