vCenter 5.1 U1 Installation: Part 9 (vCenter SSO Configuration)

In this installment of the vCenter 5.1 installation series I’ll show you a few vCenter SSO configuration changes that you will likely want to make. These steps are optional, but nearly everyone will want to implement some form of them. The two tweaks are setting the default login domain for SSO and using an AD group to control admin rights to the SSO service instead of relying on the default built-in account. Oh, and let’s not forget licensing too!

Before we get started, listed below are the other related articles in this series:

Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Install Inventory Service)
Part 5 (Install Inventory Service SSL Certificate)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 8 (Install Web Client)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)

vCenter SSO Configuration

1. Log in to the vSphere Web Client with the SSO administrator credentials (admin@System-Domain). In the left pane click on Administration, then click on Configuration under Sign-On and Discovery.

2. If you wish to reduce future sign-in keystrokes you can add your Active Directory domain to the list of default SSO domains. To do that, highlight your AD server URL then click on the blue dot with an arrow, as shown below.

3. Acknowledge any warning about possibly locked-out accounts, and you should now see your AD domain listed under default domains.

Important! Click on the blue disk icon to save your change; otherwise you will be wondering why it is not working as expected.

4. At this point you may want to add an AD-based group to the SSO administrator group, so you don’t have to remember, or share, the built-in admin account credentials. To do that, click on SSO Users and Groups in the left pane. Click on the ___Administrators___ principal name, then click on the person icon with the plus sign next to it.

5. I created a group in AD called APP_VCTR_SSO_Administrator and added my admin account to it. Use whatever group name suits your needs. Change the identity source to your domain name, enter the name of the AD group and click on Search. After a few seconds it should populate the fields; click on Add, then click OK.

6. Log out of the vSphere Web Client, log off Windows if needed to refresh your group membership, then validate that you can access the SSO configuration once you log in to the Web Client again with an account that is a member of the AD group.

7. You probably want to assign a license key to your vCenter server; otherwise, once the grace period is up, it will be non-functional. In the Web Client, go back to the Home page in the left pane, then click on Administration.

8. Once that pane opens, click on Licenses. You can now enter your licenses for vCenter and ESXi hosts. Don’t forget to assign the licenses to their respective products.

Next up is creating the VUM DSN, which is covered in Part 10.

26 Comments
September 23, 2012 11:31 am

Derek,

I upgraded everything successfully. I did go through your documents thoroughly. I have a few service accounts associated with AD which have special characters such as ^ and many more. Is there a document where VMware mentions certain characters not being permitted for passwords? These accounts were working pre-upgrade until 5.1.

Regards
Yogesh

Reply to Yogesh Mulay

Yogesh, I haven’t seen any document stating which special characters are not allowed. I have seen other users report that the ^ symbol causes problems.

Anonymous
September 26, 2012 5:50 pm

Great job with this Series. VMware dropped the ball with this release.

Reply to Anonymous

Thanks! I don’t think anyone would argue that a few more months of QA would have been in order… seems very rushed to market.

October 1, 2012 2:56 am

Hello, Derek! Thank you very much for your blog, it is very helpful in updating! There is another question: how do I add the local system as an identity source? I get the following error: “The ‘Add identity source’ operation failed for the entity with the following error message. Invalid local OS domain details: Cannot configure a Local OS Identity Source on a Linked Mode Replication instance”

Anonymous
February 12, 2013 3:47 am
Reply to Denis Kishko

Is there any method to change it to SSO single mode? Or any method to add local users to the vCenter permissions? …

Melissa Aller
August 27, 2013 5:50 am
Reply to Anonymous

We are having the same problem, and are unable to log into vCenter. What was your resolution?

October 1, 2012 4:17 am

This has been a great tutorial! After following all of VMware’s upgrade guides, it seemed nothing worked and I had to roll back the DB and version. It was a nightmare of an experience, to say the least! I think by far this upgrade has been the biggest abortion VMware has ever released! Your guide at least helped me get everything working! All certs are working except for the two that matter, which are Inventory and vCenter. I cannot get past some of the errors and warnings no matter how many times I re-gen the certs. All in all I continue…

Simon
October 2, 2012 3:44 am

What about clicking “Log Browser” in the Web Client? I am getting the “Unauthorized access” error. I’ve followed this tutorial http://www.virtual-hike.com/2012/09/vsphere-web-client-logbrowser-unauthorized-access/ to troubleshoot, but I don’t get any further. As soon as I want to import the server-identity.jks file I am asked to enter the password that is in the server.xml file, but it’s incorrect. Anyone out there with the same problem or a solution to it?

Reply to Simon

I’m still working on how to get the Log Browser working. One of my readers has had success, but so far I haven’t had time to play with it.

October 2, 2012 7:44 pm

Mate, great article, even VMware themselves refer us to your article. Yes, we did have quite a lot of hurdles to overcome, but your blog and comments got us over the line a few times. Thanks again and keep it up, as there are quite a few of us who refer to your blog.

Reply to Sajid Siddiqui

Thanks, and glad I could be of assistance! Still a few kinks to work out, like the Log Viewer service… but making progress!

October 8, 2012 2:59 am

Hey Derek, great tutorial. I have one question though. I have successfully added our ServerAdmins group to the __Administrators__ group and can log in to SSO using the accounts that are members of it. I also added another group as a test and I now cannot remove the group from __Administrators__. The error is:

The “Delete group” operation failed for the entity with the following error message.

The specified principal (ADROLE-WorkstationAdmins) is invalid.

Anonymous
October 9, 2012 11:10 pm

Same error here.

Anonymous
November 9, 2012 2:45 pm

Question: If the AD DCs are VMs and they were shut down, how do we log in through the Web Client or C# Client to turn them on? SSO will check the AD group for user permissions to log in, but AD is down.

Anonymous
December 11, 2012 10:33 am
Reply to Anonymous

You can still log on locally to the ESXi host(s) running the domain controller VMs and start them from there if nothing else.

Marcos
November 11, 2012 8:38 pm

Hi Derek, great tutorial. I have a quick question. I have successfully installed vCenter but I can’t start the vCenter service. After checking the logs I found the following error messages:
error ‘Default’] [0] error:0906D06C:PEM routines:PEM_read_bio:no start line
error ‘Default’] [1] error:0906D06C:PEM routines:PEM_read_bio:no start line
error ‘Default’] [2] error:02001002:system library:fopen:No such file or directory
2012-11-11T20:28:27.266-08:00 [05164 error ‘Default’] [3] error:2006D080:BIO routines:BIO_new_file:no such file
2012-11-11T20:28:27.266-08:00 [05164 error ‘Default’] [4] error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
error ‘Default’] Failed to initialize the SSL context: SSL Exception: error:0906D06C:PEM routines:PEM_read_bio:no start line
Does anyone have any ideas?

Chris
November 12, 2012 9:09 pm

I have the same error as Marcos:

[05096 info ‘Default’] Creating SSL Contexts
[05096 error ‘Default’] SSLContextImpl::SetVerifyLocations (0000000000000000) SSL_SetVerifyLocations failed. Dumping SSL error queue:
[05096 error ‘Default’] [0] error:0906D06C:PEM routines:PEM_read_bio:no start line
[05096 error ‘Default’] [1] error:0906D06C:PEM routines:PEM_read_bio:no start line
[05096 error ‘Default’] [2] error:02001002:system library:fopen:No such file or directory
[05096 error ‘Default’] [3] error:2006D080:BIO routines:BIO_new_file:no such file
[05096 error ‘Default’] [4] error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
[05096 error ‘Default’] Failed to initialize the SSL context: SSL Exception: error:0906D06C:PEM routines:PEM_read_bio:no start line

I’ll have a go tomorrow at generating the vCenter SSL certificates again and re-installing; hopefully that solves it.

Anonymous
December 31, 2012 4:17 pm
Reply to Chris

I too had this error. I went to the C:\ProgramData\VMware\SSL directory and noticed I didn’t have a ca_certificates file. I did a search on the PC and found a copy in C:\ProgramData\VMware\backup. I copied it over to the C:\ProgramData\VMware\SSL directory, and I made 2 copies, ca_certificats.cer and ca_certificates.crt. After this I was able to start the vCenter Server service again.

Anonymous
November 20, 2012 5:08 am

I had the same errors as Chris and Marcos. No one has a solution for this yet? I’m trying a reinstall myself to see if that fixes it, but it’s very odd.

November 28, 2012 6:46 am

I’m having a slightly different issue that I think must be simple. In the vSphere Web Client, I do not see any options for “SSO Users and Groups” or for “Configuration” under Sign-On and Discovery. Can anyone point me in the right direction?

If someone would prefer to answer on ServerFault, I also have the question at ServerFault at http://serverfault.com/questions/453031/vcenter-5-1-sso-configuration-option-not-available-in-web-client

Thanks for this great series, Derek! First-time reader and you’re now definitely in my Google Reader. 🙂

Anonymous
February 12, 2013 3:32 am
Reply to Sean Killeen

Log on to the Web Client with admin@System-Domain, then go to Administration and you’ll see those options.

Anonymous
February 13, 2013 5:28 pm

Hi Derek, just wondering about the difference between the APP_VCTR_ALL_Administrator group account that you added during the vCenter installation and the APP_VCTR_SSO_Administrator group added for the SSO. Correct me if I’m wrong, but I’m assuming that the ALL_Administrator group account is used to authorise the users that can access vCenter, whereas SSO_Administrator is the group account that can manage both SSO AND vCenter Server, given that the individual user account is in both the ALL_Administrator and SSO_Administrator groups. Is there a way to replace / add additional group or user accounts that can access vCenter (in this case the APP_VCTR_ALL_Administrator group account)…

arthurkahwa
June 9, 2013 4:15 am

Great instruction set… Thanks.

Infektid
February 10, 2015 6:21 pm

This post helped me with my bio no start line error.
http://kb.vmware.com/selfservice/microsites/searc