Total Pageviews

My YouTube Channel

Friday, 11 January 2013

vCenter Single Sign On FAQ


This article provides answers to frequently answered questions about vSphere Single Sign On.



This article answers questions in these subject areas:

General questions

What is vCenter Single Sign On (SSO)?

vCenter Single Sign On (SSO) is a component of the VMware Cloud Suite. SSO deals with identity management for administrators and applications that interact with the vSphere platform.

SSO is based on identity management technology built by RSA and specifically tailored for VMware Cloud Infrastructure deployment.

What are the key capabilities of SSO?
  • SSO can add multiple AD domains, OpenLDAP, and the local operating system where SSO is deployed. It also lets you create local users and groups.
  • SSO now allows VMware vSphere to connect to a non-AD Identity Source – OpenLDAP.
  • SSO supports SAML 2.0 standard and WS-TRUST – both of which are open industry standards.
  • SSO lets users delegate tasks to solutions that can run as the identity of the user.
  • SSO supports identity delegation for long-lived tasks with the ability to renew tokens.

Is SSO a replacement for my Active Directory or LDAP setup and management?

No. SSO only federates authentication and principal data queries to your Active Directory or LDAP instances. It does not allow for managing your AD or LDAP data.

Do I need an Active Directory or LDAP setup to use SSO?

No. SSO has its own internal user store. You can manage all principal data in it, using the SSO admin interface in the vSphere Web Client. You can also assign vCenter Server privileges to users and groups from this internal datastore. Alternatively, you can also point SSO to users residing in the OS where you deployed SSO.

Does SSO replace VMware's Horizon Identity Manager?

No. Horizon is aimed at providing identity management in layer-3 of the VMware product suite.

How does SSO work?

SSO is an authentication service that implements the brokered authentication architectural pattern.

The SSO server provides an authentication interface called Security Token Service (STS).

Clients send WS-Trust authentication messages to the STS, which checks the user's credential against one of the attached identity sources. Upon successful authentication, STS generates a SAML 2.0 token.

There are two points of exposure: The SSO Server and the vCenter Server. The vCenter Server uses the token to perform operations on behalf of the primary user. From the client's perspective, the vCenter Server stands between the client and any vSphere services that the client can use via the vCenter Server.

How is SSO Licensed?

SSO is an integral part of vCenter Server and is not a licensable feature. It is available with all licensable versions of vCenter Server.

SSO is not available with the freely downloadable version of vSphere.

What versions of vCenter Server does SSO work with?

SSO works with vCenter Server 5.1.

Do existing vSphere applications (such as Site Recovery Manager and vCenter Operations) work with SSO?

SSO exposes a new authentication API. However, the old API continues to exist for applications that are already integrated with vCenter Server. All existing applications that have not yet migrated to the SSO APIs will continue to work with vCenter Server 5.1, just as they work with vCenter Server 5.0.

How is SSO packaged?

SSO is available as a Windows installable package. SSO is also embedded within the vCenter Server Appliance.

What is the upgrade process for vCenter Server with SSO in the mix?

vCenter Server 5.1 needs SSO to run. Upgrades of vCenter Server to version 5.1 include the mandatory SSO installation step, followed by upgrading the Inventory Service and vCenter Server and pointing it to the installed SSO instance.

What are the compatibility requirements for SSO?

The compatibility requirements for SSO are the same as those for vCenter Server.

What is the memory and HDD consumption of the SSO server itself?
  • 400 MB RAM on average, and up to 1 GB RAM
  • 200 MB HDD without the logs
  • Up to 5 GB HDD for the logs (for the long run)

What is the deployment model for SSO?

For more information, see the vCenter Single Sign On Deployment Modes section in the vSphere Installation and Setup Guide.

What is the deployment model for vCenter Server with SSO?

For more information, see the How vCenter Single Sign On Affects vCenter Server Installation and Upgrades section of thevSphere Upgrade Guide.

Why would I install SSO on a separate machine from vCenter Server?

If SSO is on the same machine as one of your vCenter Servers, and the machine goes down, you will lose not only that vCenter Server, but also the ability to log into all your other vCenter Servers.

Why would I install SSO on the same machine as vCenter Server?

vCenter and SSO on the same machine is the default configuration, if you have only one vCenter Server instance.

How many vCenter Servers can an SSO instance serve?

SSO poses no restriction on the number of vCenter Servers registered to it.

What happens when the SSO server is down?

When SSO is down, any operation that requires authentication or session validation cannot function. This implies some vCenter capabilities will not be available. It also implies users cannot connect to vCenter or the Web Client. The hypervisor layer continues to work as usual and your workloads continue to run.

Is SSO available in High Availability mode?

For more information, see the vCenter Single Sign On Deployment Modes section in the vSphere Installation and Setup Guide.

How does SSO back up and restore data?

SSO stores data in a database similar to vCenter Server. The sensitive database data is encrypted with an encryption key, which should be backed up after installation.

Can SSO be used with vCenter Server Heartbeat?

Yes. vCenter Server Heartbeat can be also used to protect SSO.

How does SSO integrate with the vSphere Client?

SSO does not integrate with the vSphere Client. However, when you log in through the vSphere Client, vCenter Server sends the authentication request to SSO.

How does SSO integrate with the vSphere Web Client?

SSO is very closely integrated with the vSphere Web Client. Administrators must authenticate to SSO as part of the Web Client login process.

The SSO configuration and management UI is integrated into the vSphere Web Client.

Can I disable SSO and revert to the old method of authentication in vCenter Server?


Is there a published API associated with SSO?

Yes. A client can use the vCenter Single Sign On API to obtain a SAML token. The client can then use that token to establish a vCenter session. The SSO Server presents a WSDL-based API that supports a subset of the WS-TRUST and WS-SECURITY standards. For more information, see the vCenter Single Sign On Programming Guide.

Is there an SSO SDK that I can reference?

Yes. The SDK can be downloaded from My VMware.

SSO database questions

Can I use Windows Authentication for the MSSQL database user name and password, as the JDBC Setup screen implies?

No. For MSSQL databases, you must use SQL Server Authentication database users. Windows Authentication users are not supported. For more information, see Connection to the MSSQL database fails during vCenter Single Sign On installation section of the VMware vSphere 5.1 Release Notes

What SQL access rights does the database user require?

The database user you specify during installation must have the DBA privilege. However, you can grant the DBA privilege just before you encounter this screen in the installer and revoke the privilege after installation is complete. For more information about required database users and permissions, see Required Information for Installing or Upgrading vCenter Single Sign On, Inventory Service, and vCenter Server section in the vSphere Installation Guide.

Is the database user that I specify during installation a separate user from the RSA_USER and RSA_DBA (the database users that are created during SSO installation)?

Yes. The database user you specify during installation is used to create the users RSA_USER and RSA_DBA. For more information, see the Required vCenter Single Sign On Database Users section of the vSphere Installation and Setup Guide.

Do RSA_USER and RSA_DBA need to be SQL users?


When the installer creates RSA_USER and RSA_DBA, it assigns a password that does not meet my organization's password complexity requirements. Can I change the password for these automatically created users?

No, but you have the option to manually specify created users rather than allowing the installer to create these users for you. Manually create RSA_USER and RSA_DBA before you begin the installation process and assign a password that meets your requirements. Enter the names and passwords of the users when you run the installer. VMware provides optional scripts that you can run to create the required database users. For more information, see the Required vCenter Single Sign On Database Userssection of the vSphere Installation and Setup Guide.

Why are the RSA_DBA and RSA_USER users required, and what SQL access rights do they require?

RSA_DBA is used for creating the schema (DDL) and requires DBO permissions. RSA_USER reads and writes data (only DML). For a list of the required access rights, see the Required vCenter Single Sign On Database Users section of the vSphere Installation and Setup Guide.

What information is stored in the SSO Database?

The SSO database stores system users and groups, SSO configuration information, and connection details for the attached identity sources, including domain accounts.

Why does the SSO administration interface in the vSphere Web Client display information about locked and disabled domain accounts?

The SSO administration interface provides a single view of all attached identity sources, including Active Directory domain accounts. The SSO administrator does not need to open the Active Directory management interface to view information about locked or disabled domain accounts.

SSO application questions

Can I change the SSO administrator user name from admin@System-Domain to another user name?

The admin@System-Domain user name cannot be changed. It is similar to the Administrator user name on a Windows system. You can disable admin@System-Domain after you grant SSO administrator privileges to another user. The user is only necessary when you perform HA/multisite setup or recovery.

When configuring vCenter with an external SSO, which user should I specify for Account with right to register vCenter with the SSO server?

Specify a user with SSO administrative privileges. If your SSO runs on the vCenter Server Appliance (VCSA), this is the root user of the operating system encapsulating the appliance. If your SSO runs on Windows, this user is admin@system-domain with the password you picked during installation.

What Single Sign On deployment modes are possible with the vCenter Server Appliance?

Only basic mode is supported with the vCenter Server appliance at this time. Windows SSO is currently required to deploy in HA or Multi-Site Modes.

Which user should I specify for Account that will be assigned as vCenter administrator?

You can specify any user, but VMware recommends picking the operating system administrator ("root", "Administrators") or the administrators group ("root", "Administrators").

During the installation process, the installer appears to initiate a scan of the Active Directory domains to automatically add them as identity sources. Can I disable this functionality?

The installer does not scan Active Directory domains. It only verifies that it can connect to the Active Directory identity source and configure connection data.

During the installation process, I get the error, Identity source discovery error. Is this related to the installer's scan of the Active Directory domains in my environment?

No. This error is usually due to an incorrect configuration of the environment.

How many vCenter Single Sign On servers can be part of a High Availability SSO cluster?

There is no limit to the number of SSO systems you can add to a High Availability SSO cluster.

Is a multisite configuration made up of multiple instances of High Availability SSO clusters in separate physical sites?


Do the clusters of a multisite configuration share one common global database, or is a database aligned to each cluster?

A database is aligned to each cluster.

Do clusters in a multisite configuration have any form of federation?

You can run manual replication scripts to synchronize the data across a multisite configuration. For more information, see theManually Replicate Data in a Multisite vCenter Single Sign On Deployment section of the vSphere Security Guide.

When we configure an Active Directory identity source, we are required to use the Password Authentication type because Active Directory is locked down in our organization. What rights does this user require?

The user you specify when you choose Password Authentication requires read-only access to Base DN for users and groups.

vCenter Single Sign On seems to use auto-generated certificates. Can we replace these certificates with internally generated certificates?

Yes. For more information, see Replacing Default vCenter 5.1 and ESXi Certificates on the Technical Resources page

Can we mix components from the vCenter Server Appliance and Windows stack? For example, could a Windows-based vCenter Server installation use SSO services provided by an SSO instance on a vCenter Server Appliance?

Yes. You can point vCenter Server Appliance and Windows-based vCenter Server installations to SSO instances installed on either platform.

How can I split out vCenter components such as SSO, vCenter Server, and the vSphere Web Client to comply with placement strategies for optimal failover and availability?

For more information, see vSphere Installation and Setup.