Archive for SSO

Installing SSO as part of the vSphere 5.x Upgrade process



vSphere 5.1 introduces vCenter Single Sign On as part of the vCenter Server management infrastructure. This change affects vCenter Server installation, upgrading, and operation. Authentication by vCenter Single Sign On makes the VMware cloud infrastructure platform more secure by allowing the vSphere software components to communicate with each other through a secure token exchange mechanism, instead of requiring each component to authenticate a user separately with a directory service like Active Directory

How vCenter Single Sign-On Affects vCenter Server Upgrades

  • When you upgrade to vCenter Server 5.1, the upgrade process installs vCenter Single Sign-On first and then upgrades vCenter Server.
  • In upgrades to vCenter Server versions earlier than vCenter Server 5.1, both the local operating system users and Active Directory users that are registered with vCenter Server before the upgrade continue to work with the upgraded vCenter Server. This behavior changes in vCenter Server 5.1.
  • In vCenter Server 5.1, if vCenter Single Sign-On is running on a virtual machine or physical machine that is joined to an Active Directory domain, Single Sign-On will automatically discover the existing Active Directory domain and add it as an identity source during the Single Sign-On installation process. If Single Sign-On is not running on a virtual machine or physical machine that is in the same domain as Active Directory, you must use the vSphere Web Client to log in to vCenter Server and add the Active Directory domain to Single Sign-On.
  • If you install vCenter Single Sign-On and vCenter Server on the same physical machine or virtual machine, Single Sign-On recognizes existing local operating system users. After the upgrade, you can log in to vCenter Server with a registered local operating system user ID.
  • If you install vCenter Single Sign-On and vCenter Server on different hosts or virtual machines, the former local operating system users who managed login access to vCenter Server are not available to Single Sign-On.
  • When you install vCenter Single Sign-On in multisite mode or clustered high availability mode, all pre-upgrade permissions for local operating system users are lost. In vCenter Server 5.1, the term “local operating system users” refers to those local users in the Single Sign-On host machine instead of the vCenter Server host machine or virtual machine.
  • After the upgrade, if no super administrator remains (the administrative user or group for the root folder), you must provide a valid user or group to be used as super administrator during installation. This situation can occur due to changes in user stores from pre-5.1 to 5.1 versions of vSphere.

vCenter Single Sign-On Deployment Modes

vCenter Server provides several ways to deploy vCenter Single Sign-On to best serve your vSphere environment

You can deploy vCenter Single Sign-On in one of three modes.

  • Basic

Basic Mode installs a standalone version of vCenter Single Sign-On. Multiple vCenter Server and Inventory Service instances can point to it. If the Single Sign-On server or the virtual machine hosting the server fails, administrators cannot access vCenter Server, but ESXi hosts continue to function normally. Multiple Active Directory and OpenLDAP instances can be added as identity sources.

  • High Availability Cluster

Cluster Mode installs to two or more vCenter Single Sign-On Instances in High Availability mode. All instances use the same database and point to the same identity sources. Single Sign-On administrator users, when connected to vCenter Server through the vSphere Web Client, will see the primary Single Sign-On instance.

  • Multisite

Multisite is designed for deployments with multiple physical locations. Installing a Single Sign-On instance at each site allows fast access to local authentication-related services. Each Single Sign-On instance is connected to the local instances of the AD (LDAP) servers and has its own database with local users and groups. In each datacenter, you can install Single Sign-On in standalone or clustered mode, pointing to the identity sources in that location.

Multisite deployment is useful when a single administrator needs to administer vCenter Server instances that are deployed on geographically dispersed sites. To view all vCenter Server instances from a single vSphere Web Client, you must configure the vCenter Server instances in Linked Mode.

vCenter Single Sign On Components

vCenter Single Sign On includes these components: STS (Security Token Service), an administration server, vCenter Lookup Service, and the RSA SSPI service.

When you install vCenter Single Sign-On, the following components are deployed.

  • STS (Security Token Service)

The STS service issues Security Assertion Markup Language (SAML) tokens. These security tokens pass information about a system user between an identity provider and a web service. This service enables a user who has logged on through vCenter Single Sign-On to use multiple web-service delivered applications without authenticating to each one.

  • Administration Server

The Administration Server configures the vCenter Single Sign-On server and manages users and groups.

  • vCenter Lookup Service

The Lookup Service contains topology information about the vSphere infrastructure, enabling vSphere components to connect to each other securely.

  • RSA SSPI service

The Security Support Provider Interface ia a Microsoft Windows based API used to perform authentication against Security Support Providers such as NTLM and Kerberos.

Identity Sources for vCenter Server with vCenter Single Sign On

vCenter Server 5.1 with vCenter Single Sign On adds support for several new types of user repository. vCenter Server versions earlier than version 5.1 supported Active Directory and local operating system users as user repositories. vCenter Server 5.1 supports the following types of user repositories as identity sources.

  • Active Directory
  • OpenLDAP
  • Local operating system
  • System

Required vCenter Single Sign-On Database Users

When you use an existing database rather than the database bundled with vCenter Single Sign-On, the installation process requires database users with certain permissions.

When you install Single Sign-On installation using an existing database, the installer requires you to enter the user names and passwords of an existing database administrator and a database user.

When you install Single Sign-On with the bundled Microsoft SQL Server 2008 R2 Express database, the installer creates two users:

  • A database administrator user (for example, RSA_DBA) and password, which are used to set up the Single Sign-On database schema.
  • A database user (for example, RSA_USER) and password, which are used to perform certain steps after the installation. The installer prompts you to enter the passwords for these users.

The RSA_DB is used for creating the schema (DDL) and requires DBO Permissions. RS_USER reads and writes data (Only DML)

Prerequisite for the vCenter Single Sign On Database

  • Create a vCenter Single Sign On database, unless you plan to install the bundled database.
  • If you are using an existing database with your vCenter Single Sign-On installation or upgrade, make sure that the table spaces are named RSA_DATA and RSA_INDEX. Any other table space names will cause the vCenter Single Sign-On Installation to fail.
  • If you are using an existing database for Single Sign On, to ensure that table space is created for the database, run the script rsaIMSLiteDBNameSetupTablespaces.sql. The script is included in the vCenter Server installer download package, at

vCenter Server Installation directory\Single Sign On\DBScripts\SSOServer\Schema\msssql

  • You can run the script prior to the vCenter Server upgrade, or during the upgrade, when you are prompted by the Single Sign On installer. You can leave the installer to run the script, and resume the installer after you run the script.
  • If you are using an existing database for Single Sign On, you must create a database user (RSA_USER) and database administrator (RSA_DBA) to use for the Single Sign On database installation and setup. To create these users, run the script rsaIMSLiteDBNameSetupUsers.sql. The script is included in the vCenter Server installer download package, at

vCenter Server Installation directory\Single Sign On\DBScripts\SSOServer\Schema\msssql


  • Log into your SQL Management Server
  • Open SQL Management Studio
  • Double click on the first script


  • This will automatically open in SQL Management Studio
  • Read the notes at the top of the script
  • There are several places you need to change paths according to your environment – see below where it says CHANGE ME


  • Next Click Execute on the SQL Management Studio Toolbar
  • It should say Command(s) completed successfully and you should see the newly created RSA Database


  • Next double click on the second script


  • This will open in SQL Management Studio and you will need to modify the passwords as you require as per below


  •  Click Execute
  • It should say Command(s) completed successfully
  • You should now see the following permissions set on the RSA Database Properties


  • And check the Default Security in SQL Management Studio to make sure your users have been created


  • Check the Properties of the RSA_USER account
  • Make sure it is mapped to the RSA Database


  • Check the Properties of the RSA_DBA account
  • Make sure it is mapped to the RSA Database


Procedure following the vCenter SQL Scripts

  • In the software installer directory, double-click the autorun.exe file to start the installer.
  • Select vCenter™Single Sign On and click Install.


  • Follow the prompts in the installation wizard to choose the installer language


  • Agree to the end user patent and license agreements.


  • Select Create the primary node for a new Single Sign On installation.


  • Select Install basic vCenter Single Sign On. Note: Even if you don’t want multiple instances now, you may want them in the future therefore you can keep your options open by selecting the second option – “Create the primary node for a new vCenter Single Sign-On installation


  • Set the password for the vCenter Single Sign-On administrator account.
    The password must have at least eight characters, at least one lowercase character, one uppercase character, one number, and one special character.


  • Select the database type for vCenter Single Sign-On. I am going to use “Use an existing supported database”


  • Enter in the details of your previously created SSO DB and relevant users. If you are using an existing database, enter the JDBC connection information.


  • If you get the following error, do the following


  • Go to SQL Server Configuration Manager > SQL Server Network Configuration > Protocols for MSSQLSERVER. Double click on TCP/IP and make sure under IPAll, you have the correct SQL Port number.


  • and you will get this box


  • Note: I had another SQL Instance using 1433 which I had to change to another port number then change my MSSQLSERVER Instance TCP Port to 1433. Note: Restart the relevant services following these changes
  • Also check the following setting. Go to SQL Server Configuration Manager > SQL Server Network Configuration > Right click on Protocols for MSSQLSERVER. Force encryption should be No at the moment


  • Enter the FQDN or IP address for the vCenter Single Sign-On host machine.


  • (Optional) Enter the SSPI service account information.


  • You can use the default Windows NetworkService account, or enter the account information for a administrator user. This step applies only if you logged in as a domain account user to install Single Sign-On.
  • Choose a destination folder for installation


  • Choose your SSL Port


  • Ready to Install > Click Install


Useful Video Walkthrough courtesy of Christopher Wahl


Installing VMware vCenter Server 5.1 using the Simple Install method

Architectural Changes

The vCenter Server 5.1 release includes significant architectural changes. You must understand these changes before attempting to freshly install or upgrade to vCenter Server 5.1 from older versions of the product. There are four separate services that constitute the vCenter Server 5.1 platform. These are below and must be installed in order

  • vCenter Single Sign On (SSO)
  • vCenter Inventory Service
  • vCenter Server
  • vSphere Web Client

Pre Requisites

Before installing vCenter Server 5.1, vSphere 5.1 requires you to install vCenter Single Sign On and install the Inventory Service. You can install vCenter Single Sign On, Inventory Service, and vCenter Server all on a single host machine using the vCenter Server Simple Install option. This option is appropriate for small deployments.

Alternatively, you can install vCenter Single Sign On, vCenter Inventory Service, and vCenter Server separately to customize the location and configuration of the components. (I found this to be the best way)

You also need Adobe Flash installed for the vSphere Web Client

If you are running vCenter as a Virtual Machine in Workstation then you will need at least 2GB RAM or more!


This blog will focus on installing vCenter Single Sign On, Inventory Service, and vCenter Server all on a single host machine running Windows Server 2008 R2 Enterprise


Note: It may be best to install each component separately. I encountered a few errors when I went through the Simple Install Method. See screenprint below


  • Download the ISO or installer from the VMware website
  • Make sure you have the .NET Framework installed
  • Attach the ISO or run the installer on your designated vCenter Server


  • Select VMware vCenter Server Simple Install and Click Install


  • Click Next


  • Click Next


  • Select I accept the terms in the license agreement and click Next


  • Put in a Strong Password and click Next. This is a local account not tied to AD or the Windows host. After SSO is installed, you can configure it for one or more LDAP/AD server and other identity sources.


  • For this demo, we will just be using the Express Instance


  • Put in the passwords for the RSA_USER and RSA_DBA accounts


  • The FQDN should be in here automatically. If you get an error saying nslookup cannot perform a lookup against this address then check your DNS server


  • Use Network Service Account or put in a Username and Password
  • Click Next


  • Choose the location to save into and click Next


  • Check HTTP Port


  •  Click Install and allow SQL DB to be installed and SSO
  • When this has finished you will get the screen below
  • Put in a license key or just click Next if you are using it in Evaluation Mode


  • Click Next


  • Click Next


  • Click Next


  • Click Next


  • Click Next


  • Click Install and then Finish
  • Install the vSphere 5 Web Client (Just follow the prompts)


  • Next check all the vCenter and Webservices and SSO are running


  • Install the vSphere 5 client


  • Make sure you have downloaded and installed Adobe Flash
  • Just a quick point, make sure your vCenter Server has +2GB RAM or things just don’t work very well especially if you are running SSO, Inventory and vCenter on the same box as a test
  • You also may need to adjust your firewall for port 9443
  • If you are running 5.1 rather than 5.0, it is best to log into the vSphere Web Client first before on https://localhost:9443/vsphere-client/ using your SSO Login admin@System-Domain + inital setup password before logging into the vSphere Web Admin Assistant on https://localhost:9443/admin-app or you will get an error such as the below
The vSphere Web Client Administration Tool only supports registration of vCenter
 Server version 5.0.  For newer versions, the vCenter Server system must be regi
stered with the Lookup Service to allow the vSphere Web Client to discover the s
  • Log into vSphere web client as admin (admin@System-Domain, this is the default user added during install of vcenter)
  • Go to Administration -> SSO Users and Groups
  • Go to Groups tab and click on __Administrators__
  • Click on the little man icon to Add Principals


  • Select the local vCenter server as the identity source and search for a local user. See Screenprint) you can add your Admins Group or any other group
  • Then add that user and click OK.
  • Log in as the local user.
  • You should see the vCenter listed after you log in, if not, you may need to reboot.


Useful VMware KB for troubleshooting known certificate error

SSO Issues (Cannot log in using Domain account to vClient etc)

  • Go to Administration
  • Single Sign On and Discovery > Configuration
  • Click the + sign to add a new identity source. E.g Active Directory Server.
  • Fill in as per your domain. Note my lab domain is dacmt.local


  • Click Test Connection
  • Wait for it to say Connection successful

connection good

  • Change the order of the domains so AD is at the top

Registering vCenter Server 5 (Not 5.1)

  • Log into the vSphere Web Admin Assistant on https://localhost:9443/admin-app


  • Click Register vCenter
  • Enter the vCenter FQDN
  • Enter the Username and Password
  • Enter the vCenter hostname


  • Click Register
  • Accept the certificate


Can you run vCenter 5 on Windows Servers 2012?

vCenter isn’t officially supported on Server 2012

What you will find is that the installation fails just before it tries to install the vSphere Profile-Driven Storage Service.

The reason why

To install that service, the vCenter service needs to be running. However, the vCenter service does not start properly in Windows Server 2012. This is due to a missing dependency. In particular, the VirtualCenter Server service relies on the ProtectedStorage service which was removed from Win8/Server 2012. The work around is the following open regedit and go to \System\CurrentControlSet\Services\vpxd and then open the DependOnService key and remove ProtectedStorage from the list. Reboot the machine and the vCenter service should come alive (might take a while). Then restart only the vCenter installation again once everything has come up (you need to wait for vCenter service to come alive which can take a few minutes). The install will continue from where it kicked off and finish

So the short version is, when the vCenter install fails, go to registry and remove ProtectedStorage dependency from the vpxd service, reboot and it should work. Restart the vcenter install and it will finish as per normal.

Optimization WordPress Plugins & Solutions by W3 EDGE