Question 15 - VMware 2V0-21.23 (PSE) Real Exam Questions [Jan 2026 Update]

Q: 15

An administrator is tasked with configuring an appropriate Single Sign-On (SSO) solution for VMware vCenter based on the following criteria: • The solution should support the creation of Enhanced Link Mode groups. • All user accounts are stored within a single Active Directory domain and the solution must support only this Active Directory domain as the identity source. • All user account password and account lockout policies must be managed within the Active Directory domain. • The solution should support token-based authentication. Which SSO solution should the administrator choose based on the criteria?

Options

Correct Answer:

Explanation

vCenter Identity Provider Federation with Active Directory Federation Services (ADFS) is the correct solution. This configuration delegates the authentication process from vCenter to ADFS. ADFS, in turn, uses Active Directory as its user store, which satisfies the requirement for password and account lockout policies to be managed by AD. This federated model is inherently token-based, typically using OpenID Connect (OIDC) or SAML tokens to communicate authentication and authorization data between ADFS (the Identity Provider) and vCenter (the Service Provider). This architecture is fully compatible with Enhanced Linked Mode and meets all the specified criteria.

Why Incorrect

B. vCenter Single Sign-On with Active Directory over LDAP as the identity source

This is a direct integration, not a federated, token-based model. vCenter binds to AD to authenticate users, rather than trusting an external identity provider that issues security tokens.

C. vCenter Single Sign-On with Active Directory (Windows Integrated Authentication) as the identity source

This identity source type (IWA) has been deprecated since vSphere 7.0 and is not a recommended solution for new deployments.

D. vCenter Identity Provider Federation with Active Directory over LDAP as the identity provider

This option is technically incoherent. Identity Provider Federation connects to an Identity Provider (like ADFS), not directly to an identity source type like "Active Directory over LDAP."

References

1. VMware vSphere Documentation

"vSphere Security"

Section: "Understanding vCenter Server Identity Provider Federation". This section states

"vCenter Server trusts an external identity provider (IDP) to authenticate a user... The IDP informs vCenter Server whether the user authenticated successfully by sending it a cryptographic token." This confirms the token-based approach and the delegation of authentication

which ensures AD policies are used.

2. VMware vSphere Documentation

"vSphere Security"

Section: "Configuring vCenter Server to Use Active Directory Federation Services (ADFS)". This guide explicitly details the process of using ADFS as the external identity provider

which uses Active Directory as its backend user store

meeting the criteria.

3. VMware vSphere Documentation

"vSphere Security"

Section: "vCenter Single Sign-On Identity Sources". This section describes the traditional identity sources and includes a note stating

"The Active Directory (Windows Integrated Authentication) identity source is deprecated in vSphere 7.0." This officially marks option C as incorrect for modern deployments.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE