Monday, 8 September 2014

VMware vCenter Single Sign-On Server 5.5 FAQs (2057799)


This article provides answers to some of the frequently asked questions about VMware vCenter Server Single Sign-On 5.5 (SSO).


For answers to FAQs on various topics, see:

    General Questions

    What is vCenter Single Sign-On 5.5 (SSO)?

    vCenter Single Sign-On (SSO) is a component of the VMware Cloud Infrastructure Suite. SSO deals with identity management for administrators and applications that interact with the vSphere platform.

    How is SSO 5.5 different from SSO 5.1?
    The architecture remains the same. However, there are a lot of changes in SSO 5.5. To get a list of all the changes, see What’s New in VMware vSphere 5.5 platform.

    What are the key capabilities of SSO 5.5?
    • SSO 5.5 is now a multi-master model.
    • It has a built-in feature for automatic replication between different SSO sites.
    • It does not have a database.
    • There is only one single default domain for the identity sources.

    What are the components that are installed with SSO 5.5?
    Components that are installed with SSO 5.5 include:
    • VMware Certificate Services
    • VMware Directory Services
    • VMware Identity Management Services
    • VMware KDC Services
    • VMware Secure Token Services

    What are the different products/components with which SSO 5.5 is supported?
    SSO 5.5 is supported with:
    • VMware vCenter Server
    • VMware vCenter Inventory Services
    • VMware vSphere Data Protection
    • VMware vCenter Orchestrator
    • VMware vSphere Web Client
    • VMware Log Browser
    • VMware vShield Manager
    Note: VMware vCloud Director is partially integrated with SSO.

    How is SSO 5.5 packaged?

    vCenter Single Sign-On is available as a Windows installable package. SSO is also embedded within the vCenter Server Appliance (VCSA).

    What Single Sign-On deployment modes are possible with the vCenter Server Appliance? With Windows-based vCenter Server?

    Currently, basic mode is supported with the vCenter Server Appliance. The vCenter Server Appliance can be pointed to a separate vCenter Single Sign-On instance if you need a High Availability (HA) configuration.

    The Windows-based SSO is currently required to deploy a highly available or geographically dispersed (multisite) implementation. For more information, see Identifying the vCenter Single Sign-On server deployment mode (2035817).

    What are the minimum requirements to run SSO 5.5?
    • Processor - Intel or AMD x64 processor with two or more logical cores, each with a speed of 2 GHz
    • Memory - 3 GB
    • Disk storage - 2 GB
    • Network speed - 1 Gbps

    What happens when the SSO 5.5 server is down?

    If the SSO 5.5 server is down, you cannot log in to vCenter Server or any of the components that depend on it.

    Note: Your vCenter Server will still be up and running, but without the management interface.

    Do I need a database to successfully install/run SSO 5.5?

    No, you do not need a database with SSO 5.5.

    How to back up and restore SSO 5.5?

    For information on how to back up and restore SSO, see Backing up and restoring the vCenter Single Sign-On 5.5 configuration (2057353).

    How do I create a Service Principal Name (SPN)?

    For instructions to create and use a Service Principal Account in SSO 5.5, see Creating and using a Service Principal Account in vCenter Single Sign-On 5.5 (2058298).

    What are Sites in SSO 5.5?

    A site in SSO identifies different instances of your SSO server. You can name them in an intuitive way for easier implementation.

    What are the different types of Identity Sources that can be created with SSO 5.5?
    The different types of Identity Sources that can be created with SSO 5.5 include:
    • Active Directory (Integrated Windows Authentication)
    • Active Directory as an LDAP server
    • OpenLDAP
    • Local OS
    For more information, see Identity Sources for vCenter Server with vCenter Single Sign-On in the vSphere 5.5 Security Guide.

    How do we generate the SSO Support Bundle for VCSA?

    The vCenter Server support bundle contains logs and also the information for SSO. Therefore, you need to collect only one support bundle for vCenter Server Appliance 5.5. To collect the support bundle from the command line, run the /usr/sbin/ command.

    Upgrade Questions

    How do I upgrade from SSO 5.1 to SSO 5.5?

    What happens to the database that I have with SSO 5.1?

    After upgrading to SSO 5.5, the old SSO database is no longer needed. However, the database is not removed from your database server during the upgrade. You must manually remove the database and all users associated with it.

    After upgrading, will SSO retain my old Identity Sources?

    Yes, all your old Identity Sources are retained after the upgrade.

    In SSO 5.1, my SSO domain was system-domain and the administrator user was admin. Will I still be able to log in using the same username in SSO 5.5?

    Yes, you can continue to log in to your SSO server with the old user (admin@system-domain) and password.

    Will SSO 5.5 work with vCenter Server 5.1?

    Yes, SSO 5.5 works with vCenter Server 5.1. However, VMware recommends that you upgrade vCenter Server to 5.5 along with your SSO.

    Best Practices

    What are the best practices for installing SSO 5.5?

    What are the best practices for upgrading to SSO 5.5?

    How many SSO servers can exist behind a load balancer?

    With the use of a load balancer, there can be a maximum of 5 SSO servers.

    Is there any way to add an Identity Source through the command line?

    No, currently there is no way of adding an Identity Source through the command line.

    Application Questions

    Can we change the SSO 5.5 administrator username from administrator@vsphere.local to another user name?

    No, the SSO 5.5 administrator username cannot be changed from administrator@vsphere.local to another user name. You can, however, create a separate administrator user for this purpose.

    Do I still need to have a master password with SSO 5.5?

    No, there is no master password anymore. By default, administrator@vsphere.local is the SSO administrator in SSO 5.5.

    SSO 5.5 uses its auto-generated certificates. Can we replace these certificates with custom generated certificates?

    Yes, you can change the auto-generated certificates to custom generated SSL certificates.

    Can I disable SSO 5.5 in vCenter Server?

    No, you cannot disable SSO 5.5 in vCenter Server 5.5. This is similar to vSphere 5.1.

    Is NTLM authentication still supported? If yes, does this mean that NT4 domains can also be authenticated?

    No, NTLM authentication is no longer supported with SSO 5.5.

    Where is the vdcbackup utility stored in VCSA?

    The location for vdcbackup in VCSA is /usr/lib/vmware-vmdir/bin/vdcbackup.

    Can I configure multiple default domains in SSO 5.5?

    No, there can only be one default domain.

    How to verify a successful SSO 5.5 installation?

    To verify if the SSO 5.5 installation is successful, open the link https://FQDN:7444/lookupservice/sdk after checking the status of the SSO services.