Channel: VMware Communities : Discussion List - All Communities

Single Sign on Server administrator role in 5.1


I am installing Single Sign-On Server on a separate virtual machine from vCenter Server. Active Directory is already in the environment. Single Sign-On gives you the option to use a local administrator account or an Active Directory account as the "administrator role" for Single Sign-On. I need to determine the pros and cons of using an account in Active Directory versus using a local administrator account from the Windows host on which Single Sign-On Server resides.


For example, I'm thinking thoughts like: "Do I want to create a dependency on Active Directory in this scenario?" Because if for some reason AD is unavailable, then this account can't authenticate to Single Sign-On. Alternatively, I do not want local authentication taking place all over the environment, with non-centralized management of accounts that have to be tracked all over the place.


The VMware docs talk about the issue but don't really describe the implications. If you already use Active Directory for most of your authentication, are most people using it here as well? If so, what specific properties should this account have in Active Directory? Should this particular account have permissions elsewhere in the vSphere environment so as to limit the number of system/administrator accounts being used by the different VMware management pieces?

Here is the installation documentation I'm referring to, on page 227:


http://pubs.vmware.com/vsphere-51/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-51-installation-setup-guide.pdf

"For larger installations, where vCenter Single Sign-On and vCenter Server are deployed on different hosts, you cannot preserve the same behavior as in vCenter Server 5.0. Instead, assign the vCenter Server administrator role to a user or group from an identity source that is registered in the vCenter Single Sign-On server: Active Directory, OpenLDAP, or the system identity source."


Any thoughts, experiences, or input? Thanks.
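The post asks what properties a dedicated AD account used for the SSO administrator role should have. The following is an added example, not from the original post or from VMware's documentation: a PowerShell audit of a candidate AD service account using the RSAT ActiveDirectory module. The account name `svc-sso-admin`, the list of privileged groups, and the 365-day password-age threshold are assumptions for illustration; adjust them to your environment.

```powershell
# Added example: audit a candidate AD account before assigning it the vCenter SSO administrator role.
# Assumes the RSAT ActiveDirectory module; 'svc-sso-admin' is a hypothetical account name.
Import-Module ActiveDirectory

$account    = 'svc-sso-admin'                                   # assumption: hypothetical name
$maxPwdAge  = 365                                               # assumption: days before a password counts as stale
$privileged = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators','Account Operators'

$props = 'Enabled','PasswordNeverExpires','PasswordLastSet','AccountNotDelegated',
         'TrustedForDelegation','ServicePrincipalNames','MemberOf','LastLogonDate','LockedOut'
$u = Get-ADUser -Identity $account -Properties $props

$findings = @()

# Basic state: a disabled or locked-out account would take SSO administration down with it.
if (-not $u.Enabled) { $findings += 'account is disabled' }
if ($u.LockedOut)    { $findings += 'account is currently locked out' }

# Delegation: an SSO admin account should never be usable for Kerberos delegation,
# and should carry the "account is sensitive and cannot be delegated" flag.
if ($u.TrustedForDelegation)  { $findings += 'trusted for unconstrained delegation' }
if (-not $u.AccountNotDelegated) { $findings += '"account is sensitive and cannot be delegated" is not set' }

# SPNs: registered SPNs make the account a Kerberoasting target; a pure admin account needs none.
if ($u.ServicePrincipalNames.Count -gt 0) {
    $findings += "has $($u.ServicePrincipalNames.Count) SPN(s) registered"
}

# Password age: flag stale credentials whether or not expiry is disabled.
if ($u.PasswordLastSet -lt (Get-Date).AddDays(-$maxPwdAge)) {
    $findings += "password last set $($u.PasswordLastSet), older than $maxPwdAge days"
}

# Group membership: resolve MemberOf DNs to names and flag overlap with privileged AD groups,
# which is the "should this account have permissions elsewhere" question from the post.
$groups = @($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
$hits   = @($groups | Where-Object { $privileged -contains $_ })
if ($hits.Count -gt 0) { $findings += "member of privileged AD group(s): $($hits -join ', ')" }

[pscustomobject]@{
    Account              = $u.SamAccountName
    Enabled              = $u.Enabled
    PasswordNeverExpires = $u.PasswordNeverExpires
    PasswordLastSet      = $u.PasswordLastSet
    AccountNotDelegated  = $u.AccountNotDelegated
    LastLogonDate        = $u.LastLogonDate
    Groups               = ($groups -join ', ')
    Findings             = if ($findings.Count -eq 0) { 'none' } else { $findings -join '; ' }
} | Format-List
```

Run it from a domain-joined host with RSAT installed; an empty `Findings` field means the account is enabled, not delegatable, carries no SPNs, has a reasonably fresh password, and sits in no privileged AD group beyond whatever SSO itself needs.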
