📅 May 2026  |  🏷️ VCF 9 Home Lab Series  |  ✍️ Farrukh Hanif  |  LinkedIn

VCF 9 Home Lab | Embedded vIDM (viDB) — AD Integration, Users, Groups & NSX SSO

In this post I walk through the full configuration of embedded VMware Identity Manager (viDB) in VMware Cloud Foundation 9, integrating Active Directory over LDAP, creating VCF-specific users and groups via PowerShell, assigning roles across SDDC Manager and NSX, and troubleshooting the NSX SSO registration — including a real-world API authentication issue specific to VCF 9's microservices architecture.

---

Lab Environment

Component	Detail
Platform	VMware Cloud Foundation 9
SDDC Manager	edi-vcf01.edi.vcflab.local (10.11.10.14)
vCenter	edi-m01-vc01.edi.vcflab.local
Domain Controller	Windows Server 2022 — vcflab.local (10.11.10.4)
AD Domain	vcflab.local
Switching	Arista DCS-7050TX-64-R (ASN 65000)

---

Overview — What is Embedded vIDM (viDB)?

In VCF 9, VMware Identity Manager is embedded directly into the SDDC Manager appliance as a lightweight identity broker — referred to as viDB (vIDM Database). Unlike the full standalone Workspace ONE Access deployment, viDB is purpose-built for VCF's internal SSO and role-based access control needs.

Once configured, viDB acts as the identity federation layer across SDDC Manager, NSX Manager, and vCenter — meaning a single Active Directory login grants appropriately scoped access to all three components based on group membership.

The configuration is done via Operations Fleet Management in the SDDC Manager UI, not the old standalone vIDM interface.

---

Step 1 — Configure vCenter Identity Source (AD over LDAP)

Before configuring viDB, vCenter needs to know about the Active Directory domain so that SSO can resolve AD users and groups.

Navigate to: vCenter → Administration → Single Sign On → Configuration → Identity Sources → Add

Select Active Directory over LDAP and fill in the following:

Field	Value
Identity Source Type	Active Directory over LDAP
Identity source name	vcflab.local
Base DN for users	CN=Users,DC=vcflab,DC=local
Base DN for groups	CN=Users,DC=vcflab,DC=local
Domain name	vcflab.local
Domain alias	vcflab
Username	administrator@vcflab.local
Primary server URL	ldap://10.11.10.4:389
Secondary server URL	(leave blank)

Note: Use plain ldap:// on port 389 for lab use. For LDAPS (port 636) you would need to upload the ADCS CA certificate in the Certificates field. Keep it simple for the initial deployment.

Click Add. No errors should be returned if the DC is reachable on VLAN 1110 and port 389 is not blocked.

---

Step 2 — Create AD Users and Groups via PowerShell

Before configuring viDB, the required OUs, groups, and service accounts need to exist in Active Directory. Run the following on your Windows Server 2022 domain controller:

# Create OUs
New-ADOrganizationalUnit -Name "VCF-Users"  -Path "DC=vcflab,DC=local"
New-ADOrganizationalUnit -Name "VCF-Groups" -Path "DC=vcflab,DC=local"

# Create AD Groups
New-ADGroup -Name "vcf-admins"     -GroupScope Global -Path "OU=VCF-Groups,DC=vcflab,DC=local" -Description "VCF SDDC Manager Admins"
New-ADGroup -Name "vcf-operators"  -GroupScope Global -Path "OU=VCF-Groups,DC=vcflab,DC=local" -Description "VCF SDDC Manager Operators"
New-ADGroup -Name "vcf-viewers"    -GroupScope Global -Path "OU=VCF-Groups,DC=vcflab,DC=local" -Description "VCF SDDC Manager Viewers"
New-ADGroup -Name "vcf-nsx-admins" -GroupScope Global -Path "OU=VCF-Groups,DC=vcflab,DC=local" -Description "NSX Admin Group"

# Set password
$password = ConvertTo-SecureString "VMware1!" -AsPlainText -Force

# Create Users
New-ADUser -Name "vcf-admin"       -SamAccountName "vcf-admin"       -UserPrincipalName "vcf-admin@vcflab.local"       -Path "OU=VCF-Users,DC=vcflab,DC=local" -AccountPassword $password -Enabled $true
New-ADUser -Name "vcf-operator"    -SamAccountName "vcf-operator"    -UserPrincipalName "vcf-operator@vcflab.local"    -Path "OU=VCF-Users,DC=vcflab,DC=local" -AccountPassword $password -Enabled $true
New-ADUser -Name "vcf-viewer"      -SamAccountName "vcf-viewer"      -UserPrincipalName "vcf-viewer@vcflab.local"      -Path "OU=VCF-Users,DC=vcflab,DC=local" -AccountPassword $password -Enabled $true
New-ADUser -Name "vcf-svc-nsxmgr"  -SamAccountName "vcf-svc-nsxmgr"  -UserPrincipalName "vcf-svc-nsxmgr@vcflab.local"  -Path "OU=VCF-Users,DC=vcflab,DC=local" -AccountPassword $password -Enabled $true
New-ADUser -Name "vcf-svc-sddc"    -SamAccountName "vcf-svc-sddc"    -UserPrincipalName "vcf-svc-sddc@vcflab.local"    -Path "OU=VCF-Users,DC=vcflab,DC=local" -AccountPassword $password -Enabled $true

# Assign group memberships
Add-ADGroupMember -Identity "vcf-admins"     -Members "Administrator","vcf-admin","vcf-svc-sddc"
Add-ADGroupMember -Identity "vcf-operators"  -Members "vcf-operator","vcf-svc-nsxmgr"
Add-ADGroupMember -Identity "vcf-viewers"    -Members "vcf-viewer"
Add-ADGroupMember -Identity "vcf-nsx-admins" -Members "vcf-admin","vcf-svc-nsxmgr"

User	Group	Purpose
vcf-admin	vcf-admins, vcf-nsx-admins	SDDC + NSX admin
vcf-operator	vcf-operators	SDDC operator
vcf-viewer	vcf-viewers	Read-only access
vcf-svc-nsxmgr	vcf-operators, vcf-nsx-admins	NSX service account
vcf-svc-sddc	vcf-admins	SDDC service account
administrator	vcf-admins	Domain admin + VCF admin

---

Step 3 — Configure Embedded vIDM Directory (viDB)

Navigate to: SDDC Manager → Operations Fleet Management → Identity and Access Management → Embedded vIDM

Directory Configuration

Field	Value
Directory display name	vcflab.local
DNS Server Location	Disabled
Global Catalog	Unchecked
Primary domain controller	10.11.10.4
Secondary domain controller	(leave blank)
Directory search attribute	sAMAccountName
Base DN	DC=vcflab,DC=local
Bind user name	CN=vcf-svc-sddc,OU=VCF-Users,DC=vcflab,DC=local
Bind user password	VMware1!

Important: The bind username must be in full Distinguished Name (DN) format. UPN format (vcf-svc-sddc@vcflab.local) will fail silently. Use the full CN=... DN as shown above.

Click Test Connection before saving. A successful test confirms the bind account can reach port 389 on the DC.

Attribute Mapping

vIDM Attribute	AD Attribute
Username	sAMAccountName
First name	givenName
Last name	sn
Email	mail
Distinguished name	distinguishedName

Group and User Provisioning

The embedded viDB only allows a single group and user search base per directory — unlike the full Workspace ONE Access deployment. The solution is to point both at the parent OU so all groups and users are captured in one sync:

Field	Value
Group DN	OU=VCF-Groups,DC=vcflab,DC=local
User DN	OU=VCF-Users,DC=vcflab,DC=local
Sync nested group members	Enabled

After saving, trigger a manual sync. You should see 4 groups and 6 users imported successfully.

---

Step 4 — Assign Roles in SDDC Manager

Navigate to: SDDC Manager → Administration → Users and Groups

AD Group	SDDC Manager Role
vcf-admins	ADMIN
vcf-operators	OPERATOR
vcf-viewers	VIEWER

---

Step 5 — Assign Roles in NSX Manager

Navigate to: NSX Manager → System → User Management → Role Assignments → Add

AD Group	NSX Role
vcf-nsx-admins	Enterprise Admin
vcf-operators	Network Engineer

---

Step 6 — NSX SSO Registration (API Method)

After completing viDB configuration, NSX Manager reported "VCF SSO not set". The SDDC Manager GUI option to register NSX with vIDM was not present in this VCF 9 build, so the API method was required.

Troubleshooting: Finding the Correct API Credentials

VCF 9 has moved to a fully microservices-based architecture. The SDDC Manager API is fronted by nginx which routes to internal services on ports 7100–7900. The token endpoint is /v1/tokens routed to port 7100 (commonsvcs).

Error encountered: All token requests returned IDENTITY_UNAUTHORIZED_ENTITY when using admin, vcf, and administrator@vsphere.local — because VCF 9 uses admin@local as the local domain format, not admin or vsphere.local.

The correct local admin account format in VCF 9 is admin@local — set during the VCF bringup wizard.

Get API Token

TOKEN=$(curl -sk -X POST \
  https://localhost/v1/tokens \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin@local","password":"<your-sddc-admin-password>"}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['accessToken'])")
echo $TOKEN

Success: Once admin@local was used with the correct bringup password, the API returned a full JWT access token with ADMIN scope — confirming the authentication method for all subsequent VCF 9 API calls.

Get vIDM Configuration

curl -sk -X GET \
  https://localhost/v1/vidu/configuration \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -m json.tool

Get NSX Manager Details

curl -sk -X GET \
  https://localhost/v1/nsx-managers \
  -H "Authorization: Bearer $TOKEN" \
  | python3 -m json.tool

Get SDDC Manager Certificate Thumbprint

echo | openssl s_client -connect edi-vcf01.edi.vcflab.local:443 2>/dev/null \
  | openssl x509 -noout -fingerprint -sha256 \
  | sed 's/://g' \
  | awk -F= '{print $2}'

Register vIDM on NSX Manager

NSX_IP="<your-nsx-manager-ip>"

curl -sk -X PUT \
  https://$NSX_IP/api/v1/node/aaa/providers/vidm \
  -u "admin:<nsx-admin-password>" \
  -H "Content-Type: application/json" \
  -d '{
    "vidm_enable": true,
    "host": "edi-vcf01.edi.vcflab.local",
    "thumbprint": "<THUMBPRINT>",
    "client_id": "<CLIENT_ID>",
    "client_secret": "<CLIENT_SECRET>",
    "node_host_name": "<nsx-manager-fqdn>"
  }' \
  | python3 -m json.tool

---

Key Learnings & Gotchas

• VCF 9 local admin format is admin@local — not admin, not admin@vsphere.local. This is new in VCF 9 and caught me out across multiple token attempts.
• Bind DN must be full Distinguished Name — viDB rejects UPN format for the bind user. Always use CN=user,OU=...,DC=...,DC=local.
• Embedded viDB only supports one group/user OU — unlike standalone Workspace ONE Access. Point it at the parent OU to capture all child objects.
• ADFS is not required for VCF lab identity — AD over LDAP covers all VCF identity needs for a lab or PoC. ADFS/OIDC is only needed for production federated identity scenarios.
• VCF 9 is fully microservices-based — there is no monolithic sddc-manager.service. Services run as individual systemd units (commonsvcs, domainmanager, lcm, operationsmanager) fronted by nginx on port 443.
• NSX SSO registration has no GUI button in this build — the API path via /api/v1/node/aaa/providers/vidm is the supported workaround.

---

What's Next

With identity configured end-to-end, the next steps in the VCF 9 home lab build are:

• NSX T0 Gateway deployment and BGP peering with the Arista DCS-7050TX (currently in Idle(NoIf) state)
• NSX T1 Gateway and segment configuration
• Workload domain expansion
• Automation via Terraform VMware provider against the VCF API

---

Farrukh Hanif — Senior Cloud Architect & NSX/VCF Engineer
linkedin.com/in/farrukhhanif
VCIX6-NV | VCP-VCF9 | VCAP-NV Design | CKS | CKA | AWS SA Pro

VCF 9 vIDM viDB NSX SDDC Manager Active Directory Home Lab VMware Broadcom Identity SSO PowerShell

VCF 9 Home Lab: Deploying a Dual-Site NFS Server on ESXi 9

Lab SeriesNetworkingStorageVCF 9

With the Arista DCS-7050TX-64-R fully configured for dual-site VCF 9 — VLANs, port-channels, SVIs, and BGP all in place — the next dependency before SDDC Manager deployment is shared storage. This post covers deploying a single Ubuntu NFS server on the R630-1 management host to serve both sites, and validating the end-to-end NFS path from ESXi.

Architecture overview

The design is deliberately simple: R630-1 runs ESXi 9 as its hypervisor, and a single Ubuntu 24.04 VM (nfs-server-01) runs on top of it with two vNICs — one on each site's NFS VLAN. Both Site 1 and Site 2 ESXi cluster hosts mount datastores from this single VM. The Arista switch handles inter-VLAN routing between the two NFS subnets via the Vlan1115 and Vlan1215 SVIs configured previously.

Figure 1 — R630-1 runs ESXi 9 as its hypervisor. The Ubuntu NFS VM (nfs-server-01) runs on top with two vNICs on VLAN 1115 (Site 1, 10.11.15.x) and VLAN 1215 (Site 2, 10.12.15.x). ESXi cluster hosts in each site mount NFS from the corresponding vNIC IP. The Arista switch provides inter-VLAN routing.

Why a VM, not bare metal Ubuntu? R630-1 is the management host — it also runs the NFS datastore for vCenter and SDDC Manager tooling. Keeping NFS in a VM lets you snapshot it, rebuild it, or migrate it without touching the host. It also avoids the circular dependency where NFS is needed to boot the host that serves NFS.

Network prerequisites

These were configured in the previous Arista post but are worth verifying before proceeding. The two NFS SVIs on the switch must be up before the Ubuntu VM can route to ESXi hosts.

VLAN	Name	Subnet	Arista SVI IP	MTU	Purpose
1115	NFS-S1	10.11.15.0/24	10.11.15.1	9000	Site 1 NFS traffic
1215	NFS-S2	10.12.15.0/24	10.12.15.1	9000	Site 2 NFS traffic

Verify from the switch:

show interface Vlan1115
show interface Vlan1215

Both should show line protocol is up (connected) once R630-1 is cabled into Et25–28 and the NFS VM vNICs are active.

R630-1 VM deployment

VM specification

Parameter	Value	Notes
VM name	nfs-server-01
OS	Ubuntu Server 24.04 LTS	Minimal install
vCPU	4	NFS is I/O bound, not CPU bound
RAM	16 GB	Allows generous read-ahead caching
OS disk	60 GB thin	Local RAID on R630-1 H330
Data disk	1 TB+ thin	Backing store for all exports
vNIC 1	VLAN 1115 port group	Site 1 NFS — 10.11.15.10/24
vNIC 2	VLAN 1215 port group	Site 2 NFS — 10.12.15.10/24

MTU matters: Set both vNICs to MTU 9000 to match the Arista SVI and VMkernel port MTU. Mismatched MTU causes silent fragmentation and NFS performance collapse under load. Validate end-to-end after deployment with a large-frame ping test.

Ubuntu NFS server installation

Step 1 — Install the NFS kernel server

sudo apt update && sudo apt install -y nfs-kernel-server

Step 2 — Configure jumbo frames on both vNICs

Edit /etc/netplan/00-installer-config.yaml (adjust interface names to match your VM — check with ip link):

network:
  version: 2
  ethernets:
    ens192:
      addresses: [10.11.15.10/24]
      routes:
        - to: 10.11.0.0/16
          via: 10.11.15.1
      mtu: 9000
    ens224:
      addresses: [10.12.15.10/24]
      routes:
        - to: 10.12.0.0/16
          via: 10.12.15.1
      mtu: 9000

Apply the configuration:

sudo netplan apply
ip link show ens192 | grep mtu
ip link show ens224 | grep mtu

Both interfaces should show mtu 9000.

Step 3 — Create export directories

sudo mkdir -p /exports/vcf-s1-shared
sudo mkdir -p /exports/vcf-s2-shared
sudo mkdir -p /exports/vcf-backups
sudo mkdir -p /exports/vcf-images
sudo chmod 777 /exports/vcf-s1-shared /exports/vcf-s2-shared
sudo chmod 777 /exports/vcf-backups
sudo chmod 755 /exports/vcf-images

Export path	Accessible from	Purpose	Mode
/exports/vcf-s1-shared	10.11.15.0/24	Site 1 VM datastore, shared VMDKs	rw
/exports/vcf-s2-shared	10.12.15.0/24	Site 2 VM datastore, shared VMDKs	rw
/exports/vcf-backups	Both subnets	SDDC Manager, NSX, vCenter backups	rw
/exports/vcf-images	Both subnets	ESXi ISOs, VCF bundle staging	ro

Step 4 — Configure /etc/exports

sudo tee /etc/exports <<'EOF'
/exports/vcf-s1-shared  10.11.15.0/24(rw,sync,no_subtree_check,no_root_squash,anonuid=0,anongid=0)
/exports/vcf-s2-shared  10.12.15.0/24(rw,sync,no_subtree_check,no_root_squash,anonuid=0,anongid=0)
/exports/vcf-backups    10.11.15.0/24(rw,sync,no_subtree_check,no_root_squash) 10.12.15.0/24(rw,sync,no_subtree_check,no_root_squash)
/exports/vcf-images     10.11.15.0/24(ro,sync,no_subtree_check) 10.12.15.0/24(ro,sync,no_subtree_check)
EOF

no_root_squash is required for VCF: SDDC Manager and vCenter need root-level NFS access during deployment and backup operations. Without this option, file operations will fail with permission errors during the management domain build.

Step 5 — Apply exports and enable the service

sudo exportfs -arv
sudo systemctl enable --now nfs-kernel-server
sudo systemctl status nfs-kernel-server

Expected output from exportfs -arv:

exporting 10.11.15.0/24:/exports/vcf-s1-shared
exporting 10.12.15.0/24:/exports/vcf-s2-shared
exporting 10.11.15.0/24:/exports/vcf-backups
exporting 10.12.15.0/24:/exports/vcf-backups
exporting 10.11.15.0/24:/exports/vcf-images
exporting 10.12.15.0/24:/exports/vcf-images

Step 6 — Firewall

Ubuntu 24.04 ships with ufw inactive by default. If you have enabled it:

sudo ufw allow from 10.11.15.0/24 to any port nfs
sudo ufw allow from 10.12.15.0/24 to any port nfs
sudo ufw reload

NFS version — why NFSv3 for VMware

Use NFSv3, not NFSv4. vSphere supports NFSv4.1 but NFSv3 is the standard choice for VCF lab environments for several reasons: no stateful locking complexity, simpler troubleshooting, full support for all VCF datastore operations, and no Kerberos dependency. Unless you specifically need NFSv4.1 features (pNFS, delegations), stick with v3.

Validation — end-to-end MTU test

Before mounting NFS from ESXi, validate that jumbo frames traverse the full path without fragmentation. Run from an ESXi host on the NFS VMkernel:

# From ESXi host SSH — VMkernel on VLAN 1115
vmkping -I vmk2 -d -s 8972 10.11.15.10

The -d flag sets the DF (don't fragment) bit. The payload size 8972 bytes + 28 bytes IP/ICMP header = 9000 bytes total. A successful result confirms end-to-end MTU 9000 with no fragmentation across: ESXi VMkernel → vSwitch → Arista trunk → SVI → NFS VM vNIC.

If vmkping fails with 8972 but passes with a smaller payload — check MTU on the VMkernel port group (must be 9000), the vSwitch uplink (must be 9000), and the Arista port-channel MTU (9214 on this switch). The NFS VM vNIC MTU (9000 set above) is the ceiling for NFS traffic.

Mounting NFS from ESXi

Once validated, add the NFS datastore from vCenter — Datastores → New Datastore → NFS → NFSv3:

Field	Site 1 value	Site 2 value
NFS server	10.11.15.10	10.12.15.10
NFS share	/exports/vcf-s1-shared	/exports/vcf-s2-shared
Datastore name	vcf-s1-nfs-shared	vcf-s2-nfs-shared
Access mode	Read/Write	Read/Write

Or via ESXCLI if vCenter is not yet deployed:

# Site 1 host
esxcli storage nfs add -H 10.11.15.10 -s /exports/vcf-s1-shared -v vcf-s1-nfs-shared

# Site 2 host
esxcli storage nfs add -H 10.12.15.10 -s /exports/vcf-s2-shared -v vcf-s2-nfs-shared

Verification commands — NFS server side

# Check what is currently exported and mounted
sudo exportfs -v
sudo showmount -e localhost

# Check active NFS client connections
sudo ss -tnp | grep :2049

# Check NFS server statistics
nfsstat -s

What this enables for VCF 9

With NFS validated, SDDC Manager can now be pointed at the NFS datastores for:

• SDDC Manager backup repository (/exports/vcf-backups)
• vCenter appliance deployment staging
• NSX Manager configuration backups
• ESXi ISO and VCF bundle staging (/exports/vcf-images)
• Shared VM storage for management workloads

Next post

With switch config and NFS in place, the next post covers VCF 9 management domain deployment — running SDDC Manager, validating the host commission checklist, and working through the first real deployment error (there's always one).

Lab hardware reference: R630-1 — Dell PowerEdge R630, 368 GB RAM, dual Xeon, H330 RAID controller. Running ESXi 9 as the hypervisor. The Ubuntu NFS server (nfs-server-01) is a VM on top of ESXi — not a bare-metal install. Cabled into Arista Et25–Et28 (trunk, VLAN 1111 native, all VCF VLANs allowed, MTU 9000).