vSphere Single Sign On? Rethink Your Architecture

This post has already been read 25486 times!

vSphere Single Sign On (SSO) is a new feature in vSphere 5.1, introducing a standalone service that act as an authentication broker for various VMware products such as vCenter Server, vCloud Director, VCO, vShield Manager or VMware Horizon. SSO is a critical component that is required before any other vSphere 5.1 component is installed or upgraded!

Single Sign On (SSO) uses SSL certificates to encrypt network traffic between for example vCenter Server and Horizon. VMware uses standard certificates by default, but users can replace these certificates with those signed by a trusted certificate authority to comply with security policies.

Also when you are designing a new or you upgrade to vSphere 5.1, especially when you are using more than one vCenter in your environment SSO requires careful planning.

Multisite setup? Rethink your architecture before upgrading

I have had multiple multisite customers (which also run multiple vCenter servers) that just wanted to upgrade to vSphere 5.1. Before you do this make sure you need to make a decision between a MultiSite or HA Deployment of SSO:

Multisite Single Sign On

Multisite Single Sign On deployment is designed only for faster local access to authentication–related services. It does not provide failover between Single Sign On servers on different sites. When the Single Sign On instance on one site fails, its role is not taken over by a peer Single Sign On instance on another site. All authentication requests on the failed site will fail, even if peer sites are fully functional. Please read this KB Article Installing vCenter Single Sign On in a multisite deployment

High Available SSO

Configure vCenter Single Sign On for High Availability (HA) by installing two nodes in HA mode and putting them behind load balancing software. In HA mode, both the nodes work with the same shared database, use the same data, and have the same user stores. Please read this KB Article Configuring vCenter Single Sign On for High Availability

In many cases I just want to have my SSO High Available. When you have multiple vCenter Servers instances you can link them to the same SSO instance on the same site.

If geographical sites are used with multiple vCenter servers, you can still utilize a central clustered environment, however a multisite configuration is recommended.

Many people who have tried to upgrade to vSphere 5.1 have reported various SSO-related failures. If you run into trouble you might want to check out the following published KB articles:

Resolution Paths to solve SSO troubles:

• Troubleshooting Single Sign On (SSO) issues in vCenter Server 5.1
• Troubleshooting vCenter Single Sign On when it does not start

Installation and Deployment

• Single Sign On installation details matrix (2036922)
• How vCenter SSO Deployment Scenarios Affect Log In Behavior
• Setting up Apache load balancing software with vCenter Single Sign On (2034157)
• Troubleshooting VMware Single Sign-On configuration and installation issues in a Windows server (2033880)
• Configuring SSO for HA (2033588)
• Manually Replicate Data in a Multisite vCenter Single Sign On Deployment
• Installing vCenter Single Sign On in a multisite deployment (2034074)
• Deploying SSO at each site in multi site mode
• SSO server Deployment Modes

Configuration

• Replacing Default SSL Certificates for vCenter components (pdf)
• When you log into the vSphere Client, linked vCenter Server systems do not appear (2033213)
• vCenter Single Sign On and dependent services fail to start after you reboot the system (2032749)
• After updating SSL certificate for SSO, a newly installed instance of VC fails to start (2033215)
• Unable to connect to vCenter Inventory Service (2032356)
• Repointing and reregistering vCenter Server and components (2033620)
• Configuring SSO for HA (2033588)
• Troubleshooting SSO on Windows (2033208)
• vCenter Single Sign On fails to start at startup or initialization (2033164)
• Troubleshooting Single Sign On with the vCenter Server Appliance configuration on an external database (2033624)
• Troubleshooting vCenter Server Appliance configuration with an external vCenter Single Sign On server (2033737)
• Troubleshooting Single Sign On and Active Directory domain authentication with the vCenter Server Appliance (2033742)
• Change the vCenter Single Sign On Mode in VCVA
• Update vCenter Single Sign On settings after you change the hostname or port of the database server (2033516)

Admin and Login

• Troubleshooting SSL certificates updates and SSO (2033240)
• Troubleshooting vSphere Web Client login errors (2033253)
• Troubleshooting SSO on VCVA (2033338)
• Updating SSL certificates for vCenter Single Sign On servers behind a load balancer (2034181)
• Unable to log in to vCenter Server with the vSphere Client (2034798)

links borrowed from http://blogs.vmware.com/kb/2012/10/vsphere-sso-resources.html