vCenter 5.1 U1 Installation: Part 9 (vCenter SSO Configuration)

In this installment of the vCenter 5.1 installation series I’ll show you a few vCenter SSO Configuration changes that you will likely want to make. These steps are optional, but probably nearly everyone will want to implement some form of these changes. The two tweaks are setting the default login domain for SSO and the other is using an AD group to control admin rights to the SSO service and not rely on the default built-in account. Oh and let’s not forget licensing too!

Before we get started, listed below are the other related articles in this series:

Part 1 (SSO Service)
Part 2 (Create vCenter SSL Certificates)
Part 3 (Install vCenter SSO SSL Certificate)
Part 4 (Install Inventory Service)
Part 5 (Install Inventory Service SSL Certificate)
Part 6 (Create vCenter and VUM Databases)
Part 7 (Install vCenter Server)
Part 8 (Install Web Client)
Part 10 (Create VUM DSN)
Part 11 (Install VUM)
Part 12 (VUM SSL Configuration)
Part 13 (VUM Configuration)
Part 14 (Web Client and Log Browser SSL)
Part 15 (ESXi Host SSL Certificate)

vCenter SSO Configuration

1. Login to the vSphere Web Client with the SSO administrator credentials (admin@System-Domain). In the left pane click on Administration then click on Configuration under Sign-On and Discovery.

2. If you wish to reduce future sign in keystrokes you can add your Active Directory domain to the list of default SSO domains. To do that highlight your AD server URL then click on the blue dot with an arrow, as shown below.

3. Acknowledge any warning about possible locked out accounts, and you should now see your AD domain listed under default domains.

Important! Click on the blue disk icon to save your change, otherwise you will be wondering why it is not working as expected.

4. At this point you may want to add an AD-based group to the SSO administrator group, so you don’t have to remember, or share, the built-in admin account credentials. To do that click on SSO Users and Groups in the left pane. Click on the ___Administrators___ principal name then click on the person icon with the plus sign next to it.

5. Now I created a group in AD called APP_VCTR_SSO_Administrator and added my admin account to it. Use whatever group name suits your needs. Change the identity source to your domain name then enter the name of the AD group and click on Search. After a few seconds it should populate the fields, then click on Add. Finally click OK.

6. Log out of the vSphere web client, logoff Windows if needed to refresh your group membership, then then validate you can access the SSO configuration once you login to the Web Client.

7. You probably want to assign a license key to your vCenter server, otherwise after the grace period is up, it will be non-functional. In the web client, go back to the Home page in the left pane, then click on Administration.

8. Once that pane opens, click on Licenses. You can now input your licenses for vCenter and ESXi hosts. Don’t forget to assign the licenses to their respective products.

Next up is creating the VUM DSN, which is covered in Part 10.

Print Friendly, PDF & Email

Related Posts

Notify of
Newest Most Voted
Inline Feedbacks
View all comments
September 23, 2012 11:31 am


I Upgraded everything successfully. Did go through you documents thoroughly. I have few service accounts associated with AD which has special characters such as ^ & many more. Is there a document on this where vmware mentions about certain characters not being permitted for passwords. These accounts were working pre upgrade until 5.1.


Reply to  Yogesh Mulay

Yogesh, I haven’t see any document stating which special characters are not allowed. I have seen other users report that the ^ symbol causes problems.

September 26, 2012 5:50 pm

Great job with this Series. VMware dropped the ball with this release.

Reply to  Anonymous

Thanks! I don’t think anyone would argue a few more months of QA would have been in order….seems very rushed to market.

October 1, 2012 2:56 am

Hallo, Derek!Thank you very much for your blog, it is very helpful in updating!There is another question, how to add Identity source local system? I issue the following error:”The” Add identity source “operation failed for the entity with the following error message.Invalid local OS domain details: Cannot configure a Local OS Identity Source on a Linked Mode Replication instance “

February 12, 2013 3:47 am
Reply to  Denis Kishko

Any method to change it to SSO single mode? or any method to add local users to the vCenter permissions? ….

Melissa Aller
August 27, 2013 5:50 am
Reply to  Anonymous

We are having the same problem, and are unable to log into vcenter. what was your resolution?

October 1, 2012 4:17 am

This has been a great tutorial! After following all of vMware’s upgrade guides, it seemed nothing worked and i had to roll back DB and version. It was a nightmare to say the least of an experience! I think by far this upgrade has been the biggest abortion vMware has ever released! Your guide at least helped me get everything working! All certs are working accept for the two that matter, which is Inventory and vCenter. I cannot get passed some of the errors and warnings no matter how many times i re-gen the certs. All in all i continue… Read more »

October 2, 2012 3:44 am

What about clicking “Log Browser” in the WebClient? I am getting the “Unauthorized access” Error. I’ve followed this Tutorial to troubleshoot, but I don’t get any further. As soon as I want to import the server-identity.jks file I am asked to enter the password that is in the server.xml file, but it’s incorrect. Anyone out there with the same problem or a solution to it?

Reply to  Simon

I’m still working on how to get the Log Browser working. One of my readers has had success, but so far I haven’t had time to play with it.

October 2, 2012 7:44 pm

Mate great article, even when VMware themselves refer us to your article. yes we did have quite a lot of hurdles to overcome, but with your blog and comments it was got us over the line a few times. Thanks again and keep it up as there are quite a few of us who refer to your blog.

Reply to  Sajid Siddiqui

Thanks and glad I could be of assistance? Still a few kinks to work out like the Log Viewer service..but making progress!

October 8, 2012 2:59 am

Hey Derek, great tutorial. I have one question though. I have successfully added our ServerAdmins group to the __Administrators__ group and can login to SSO using the accounts that are members of it. I also added another group as a test and I now canot remove the group from __Administrators__. The error is:

The “Delete group” operation failed for the entity with the following error message.

The specified principal (ADROLE-WorkstationAdmins) is invalid.

October 9, 2012 11:10 pm

Same error here.

November 9, 2012 2:45 pm

Question: If AD DCs are VMs. They were shutdown. How do we login through the WebClient or C# Client to turn them on? As the SSO will check the AD Group for user permissions to login but AD is down.

December 11, 2012 10:33 am
Reply to  Anonymous

You can still log on locally to the ESXi host(s) running the domain controller VMs and start them from there if nothing else.

November 11, 2012 8:38 pm

Hi Derek, great tutorial. I have a quick question. I have successfully installed vCenter but I can’t start vcenter service. After checking the logs I found the following error message:
error ‘Default’] [0] error:0906D06C:PEM routines:PEM_read_bio:no start line
error ‘Default’] [1] error:0906D06C:PEM routines:PEM_read_bio:no start line
error ‘Default’] [2] error:02001002:system library:fopen:No such file or directory
2012-11-11T20:28:27.266-08:00 [05164 error ‘Default’] [3] error:2006D080:BIO routines:BIO_new_file:no such file
2012-11-11T20:28:27.266-08:00 [05164 error ‘Default’] [4] error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
error ‘Default’] Failed to initialize the SSL context: SSL Exception: error:0906D06C:PEM routines:PEM_read_bio:no start line
Does anyone have any ideas?

November 12, 2012 9:09 pm

I have the same error as Marcos:

[05096 info ‘Default’] Creating SSL Contexts
[05096 error ‘Default’] SSLContextImpl::SetVerifyLocations (0000000000000000) SSL_SetVerifyLocations failed. Dumping SSL error queue:
[05096 error ‘Default’] [0] error:0906D06C:PEM routines:PEM_read_bio:no start line
[05096 error ‘Default’] [1] error:0906D06C:PEM routines:PEM_read_bio:no start line
[05096 error ‘Default’] [2] error:02001002:system library:fopen:No such file or directory
[05096 error ‘Default’] [3] error:2006D080:BIO routines:BIO_new_file:no such file
[05096 error ‘Default’] [4] error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
[05096 error ‘Default’] Failed to initialize the SSL context: SSL Exception: error:0906D06C:PEM routines:PEM_read_bio:no start line

I’ll have a go tomorrow at generating the vcenter ssl certificates again and re-installing, hopefully that solves it.

December 31, 2012 4:17 pm
Reply to  Chris

I too had this error. I went to the C:\ProgramData\VMware\SSL directory and noticed I didn’t have a ca_certificates file. I did a search on the PC and found a copy in C:\ProgramData\VMware\backup. I copied it over to the C:\ProgramData\VMware\SSL directory, and I made 2 copies ca_certificats.cer and ca_certificates.crt. After this I was able to start the vcenter server service again.

November 20, 2012 5:08 am

I had the same errors as Chris and Marcos. No one has a solution for this yet? I’m trying a reinstall myself to see if that fixes it but it’s very odd.

November 28, 2012 6:46 am

I’m having a slightly different issue that I think must be simple. In the vSphere web Client, I do not see any options for “SSO Users and Groups” or for “Configuration” under sign-on and discovery. Can anyone point me in the right direction?

If someone would prefer to answer on ServerFault, I also have the question at ServerFault at

Thanks for this great series, Derek! First-time reader and you’re now definitely in my Google Reader. 🙂

February 12, 2013 3:32 am
Reply to  Sean Killeen

logon on web client with admin@System-Domain, then go to Administration and you´ll see that options

February 13, 2013 5:28 pm

Hi Derek, Just wondering about the difference between APP_VCTR_ALL_Administrator group accounts that you added during the vCenter installation and the APP_VCTR_SSO_Administrator added for the SSO. Correct me if I’m wrong, but I’m assuming that the ALL_Adminstrator group account is used to authorise the users that can access the vcenter, where SSO_Administrator is the group account that can manage both SSO AND vCenter server, given that the individual user account is in both ALL_Administrator and SSO_Administrator groups. Is there a way to replace / add additional group or user accounts that can access vcenter (in this case the APP_VCTR_ALL_Administrator group account)… Read more »

June 9, 2013 4:15 am

Great instruction set… Thanks.

February 10, 2015 6:21 pm

This post helped me with my bio no start line error.