A while ago I wrote an article about using LDAPS to connect vCenter to Active Directory. In that article, I mentioned a second (secure) option to connect to AD: by using ADFS. In this article, I will give you the steps to change your vCenter Identity Provider from Embedded to ADFS.

The first step is to install and configure ADFS. I did this on my Domain Controller so I didn’t need an extra VM. After installing the bits you need to run the ADFS configuration wizard to configure the ADFS service. You need the following prerequisites:
– DNS A record for your ADFS FQDN (I used adfs.lab.local)
– SSL Certificate for that FQDN

To create the certificate I used OpenSSL and Microsoft Certificate Services. The first step is to generate a private key and a certificate request.

openssl genrsa -out private.key 2048
openssl req -new -key private.key -out certificate_request.csr

After receiving the certificate you have to combine it with the private key in order to import both to the machine certificate store on the Domain Controller.

openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile CACert.crt

After you configured ADFS you have to add an ADFS Server Application. There is a VMware KB article with detailed steps available.

Now your ADFS server is ready so you can try to change the Identity Provider. I used the VMware documentation that can be found here.

When you now open the vSphere Client the login page is slightly different…

You can type your user name and based on the domain you are redirected to the ADFS login screen.

Retype your user name and enter your password. When you click on Sign in you are logged in to the vSphere Client. You can still use local accounts by using the vsphere.local domain.