
Change permission validation settings
As described previously, the SSO component can have different identity sources. When a directory service (such as AD or LDAP) is used, SSO regularly validates users and groups against the directory domain. This validation occurs at regular intervals, specified in the vCenter Server settings.
You can view or change these settings with the vSphere Web Client: select your vCenter Server in the vSphere object navigator, select the Configure tab, and click General under Settings.
Select the User directory area, and view or change the values as needed.

There are different options and settings, as follows:
- User directory timeout: This is the maximum amount of time, in seconds, that SSO allows a search to run on the selected domain source. For large domains, this can be increased.
- Query limit: This defines whether there is a maximum number of users and groups that vCenter can display.
- Query limit size: This is the maximum number of users and groups that vCenter displays in the Select Users or Groups dialog box. If you enter 0 (zero) or remove the previous option, all users and groups will appear.
- Validation: This is used to define whether validation is enabled or disabled.
- Validation period: This is how often, in minutes, validation is performed.
For more information, refer to the vCenter Server and Host Management Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.vcenterhost.doc/GUID-007C02A8-C853-4FBC-B0F0-933F19768DD4.html).
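
The same settings can be reviewed from PowerCLI. The following is an added example, not taken from the original text or from VMware: it assumes that the User directory fields are stored as the `ads.*` vCenter advanced settings, and the function name, the sample values and the 1440-minute ceiling are illustrative choices.

```powershell
# Added example. The live read at the end needs VMware PowerCLI and an existing
# Connect-VIServer session; the sample run works without one.
# Assumption: the User directory fields map to the ads.* advanced settings.
function Get-UserDirectoryFindings {
    param(
        [Parameter(Mandatory)] [hashtable] $Settings,
        [int] $MaxValidationMinutes = 1440   # sample policy value, not a VMware requirement
    )
    $required = 'ads.timeout', 'ads.maxFetchEnabled', 'ads.maxFetch',
                'ads.checkIntervalEnabled', 'ads.checkInterval'
    $missing = @($required | Where-Object { -not $Settings.ContainsKey($_) })
    if ($missing.Count -gt 0) { return @("Settings not found: $($missing -join ', ')") }

    $findings = @()
    # Validation / Validation period
    if (-not [Convert]::ToBoolean("$($Settings['ads.checkIntervalEnabled'])")) {
        $findings += 'Validation is disabled: users and groups are not re-checked against the directory.'
    } elseif ([int]$Settings['ads.checkInterval'] -gt $MaxValidationMinutes) {
        $findings += "Validation period is $($Settings['ads.checkInterval']) minutes (ceiling: $MaxValidationMinutes)."
    }
    # Query limit / Query limit size
    $limitOn = [Convert]::ToBoolean("$($Settings['ads.maxFetchEnabled'])")
    if ((-not $limitOn) -or ([int]$Settings['ads.maxFetch'] -eq 0)) {
        $findings += 'Query limit is off or 0: all users and groups appear in the Select Users or Groups dialog box.'
    }
    # User directory timeout
    if ([int]$Settings['ads.timeout'] -le 0) {
        $findings += "User directory timeout is $($Settings['ads.timeout']) seconds; expected a positive value."
    }
    return $findings
}

# Constructed sample values: validation switched off, query limit size set to 0.
$sample = @{
    'ads.timeout' = 60; 'ads.maxFetchEnabled' = $true; 'ads.maxFetch' = 0
    'ads.checkIntervalEnabled' = $false; 'ads.checkInterval' = 1440
}
Get-UserDirectoryFindings -Settings $sample

# Live check against the connected vCenter Server, if there is one.
if ($global:DefaultVIServer) {
    $live = @{}
    Get-AdvancedSetting -Entity $global:DefaultVIServer -Name 'ads.*' |
        ForEach-Object { $live[$_.Name] = $_.Value }
    Get-UserDirectoryFindings -Settings $live
}
```

With the constructed sample, the function reports two findings: validation disabled, and the query limit set to 0.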