6.7
Table Of Contents
- Platform Services Controller Administration
- Contents
- About Platform Services Controller Administration
- Getting Started with Platform Services Controller
- vCenter Server and Platform Services Controller Deployment Types
- Deployment Topologies with External Platform Services Controller Instances and High Availability
- Understanding vSphere Domains, Domain Names, and Sites
- Platform Services Controller Capabilities
- Managing Platform Services Controller Services
- Managing the Platform Services Controller Appliance
- vSphere Authentication with vCenter Single Sign-On
- Understanding vCenter Single Sign-On
- Configuring vCenter Single Sign-On Identity Sources
- Understanding vCenter Server Two-Factor Authentication
- Using vCenter Single Sign-On as the Identity Provider for Another Service Provider
- Security Token Service STS
- Managing vCenter Single Sign-On Policies
- Managing vCenter Single Sign-On Users and Groups
- Add vCenter Single Sign-On Users
- Disable and Enable vCenter Single Sign-On Users
- Delete a vCenter Single Sign-On User
- Edit a vCenter Single Sign-On User
- Add a vCenter Single Sign-On Group
- Add Members to a vCenter Single Sign-On Group
- Remove Members from a vCenter Single Sign-On Group
- Delete vCenter Single Sign-On Solution Users
- Change Your vCenter Single Sign-On Password
- vCenter Single Sign-On Security Best Practices
- vSphere Security Certificates
- Certificate Requirements for Different Solution Paths
- Certificate Management Overview
- Managing Certificates with the vSphere Client
- Managing Certificates from the vSphere Web Client
- Managing Certificates with the vSphere Certificate Manager Utility
- Certificate Manager Options and the Workflows in This Document
- Regenerate a New VMCA Root Certificate and Replace All Certificates
- Make VMCA an Intermediate Certificate Authority (Certificate Manager)
- Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA)
- Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates
- Replace Machine SSL Certificate with VMCA Certificate (Intermediate CA)
- Replace Solution User Certificates with VMCA Certificates (Intermediate CA)
- Replace All Certificates with Custom Certificate (Certificate Manager)
- Revert Last Performed Operation by Republishing Old Certificates
- Reset All Certificates
- Manual Certificate Replacement
- Managing Services and Certificates with CLI Commands
- Troubleshooting Platform Services Controller
- Determining the Cause of a Lookup Service Error
- Unable to Log In Using Active Directory Domain Authentication
- vCenter Server Login Fails Because the User Account Is Locked
- VMware Directory Service Replication Can Take a Long Time
- Export a Platform Services Controller Support Bundle
- Platform Services Controller Service Logs Reference
Option Description
Maximum Bearer Token Lifetime Bearer tokens provide authentication based only on possession of the token.
Bearer tokens are intended for short-term, single-operation use. A bearer token
does not verify the identity of the user or entity that is sending the request. This
value specifies the lifetime value of a bearer token before the token has to be
reissued.
Maximum Holder-of-Key Token
Lifetime
Holder-of-key tokens provide authentication based on security artifacts that are
embedded in the token. Holder-of-key tokens can be used for delegation. A client
can obtain a holder-of-key token and delegate that token to another entity. The
token contains the claims to identify the originator and the delegate. In the
vSphere environment, a vCenter Server system obtains delegated tokens on a
user's behalf and uses those tokens to perform operations.
This value determines the lifetime of a holder-of-key token before the token is
marked invalid.
6 Click OK.
Managing vCenter Single Sign-On Users and Groups
A vCenter Single Sign-On administrator user can manage users and groups in the vsphere.local domain
from the vSphere Web Client.
The vCenter Single Sign-On administrator user can perform the following tasks.
n
Add vCenter Single Sign-On Users
Users listed on the Users tab in the vSphere Client are internal to vCenter Single Sign-On and
belong to the vsphere.local domain. You add users to that domain from one of the vCenter Single
Sign-On management interfaces.
n
Disable and Enable vCenter Single Sign-On Users
When a vCenter Single Sign-On user account is disabled, the user cannot log in to the vCenter
Single Sign-On server until an administrator enables the account. You can disable and enable
accounts from one of the vCenter Single Sign-On management interfaces.
n
Delete a vCenter Single Sign-On User
You can delete users that are in the vsphere.local domain from a vCenter Single Sign-On
management interface. You cannot delete local operating system users or users in another domain
from a vCenter Single Sign-On management interface.
n
Edit a vCenter Single Sign-On User
You can change the password or other details of a vCenter Single Sign-On user from a vCenter
Single Sign-On management interface. You cannot rename users in the vsphere.local domain. That
means you cannot rename administrator@vsphere.local.
n
Add a vCenter Single Sign-On Group
The vCenter Single Sign-On Groups tab shows groups in the local domain, vsphere.local by default.
You add groups if you need a container for group members (principals).
Platform Services Controller Administration
VMware, Inc. 63