Saturday, September 22, 2012

VMware vCenter 5.1 Installation: Part 9 (Optional SSO Configuration)

UPDATE 1/28/2013: Added licensing information.
--

In Part 8 of this series we installed the vSphere Web Client and performed only minimal configuration. In this installment I'll show you two basic, but probably common, configuration tweaks you can make to your SSO installation. Both are optional, but nearly everyone will want some form of them: the first sets the default login domain for SSO so users don't have to type user@domain every time, and the second uses an AD group to control admin rights to the SSO service instead of relying on the default built-in account.

Let's go to work!

1. Log in to the vSphere Web Client with the SSO administrator credentials (admin@System-Domain). In the left pane click Administration, then click Configuration under Sign-On and Discovery.


2. If you wish to save sign-in keystrokes you can add your Active Directory domain to the list of default SSO domains, so users can log in with just their username instead of user@domain. To do that, highlight your AD identity source (listed by its server URL) and then click on the blue dot with an arrow, as shown below.



3. Acknowledge the warning about possible account lockouts (with more than one default domain, a bad password is tried against each listed domain in turn, and each failure can count toward that domain's lockout threshold), and you should now see your AD domain listed under default domains.

 
Important! Click on the blue disk icon to save your change, otherwise you will be wondering why it is not working as expected.

 
 

4. At this point you may want to add an AD group to the SSO administrator group, so you don't have to remember, or share, the built-in admin account credentials. To do that click SSO Users and Groups in the left pane. Click the __Administrators__ principal name, then click the person icon with the plus sign next to it. Do keep the built-in admin@System-Domain password somewhere safe as a break-glass credential: if Active Directory is unreachable, AD-backed logins to SSO fail and that built-in account is your only way in.



5. For this example I created a security group in AD called APP_VCTR_SSO_Administrator and added my admin account to it; use whatever group name suits your naming standard. Change the identity source to your domain name, enter the name of the AD group and click Search. After a few seconds it should populate the fields; click Add, then click OK.



6. Log out of the vSphere Web Client, and log off Windows if needed to refresh your group membership, then validate that you can access the SSO configuration once you log in to the Web Client again.

7. You will probably also want to assign a license key to your vCenter server, otherwise once the evaluation grace period is up it will stop working. In the web client, go back to the Home page in the left pane, then click Administration.



8. Once that pane opens, click Licenses. You can now enter your vCenter and ESXi host license keys. Don't forget to assign each license to its respective product.
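Steps 4 to 6 can be backed by a small script on the Active Directory side. The following PowerShell is an added example, not part of the original post or of VMware's tooling: it creates the APP_VCTR_SSO_Administrator security group if it does not exist, adds an admin account, lists the effective (nested groups expanded) membership so you know exactly who now holds SSO admin rights, and checks whether the group is already present in your current Windows logon token, which is the reason step 6 may require a Windows logoff. The OU path, the domain and the account name adm.derek are placeholders; the script assumes the ActiveDirectory RSAT module is installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): delegate SSO admin rights to an AD
# group and audit who ends up in it. OU, domain and account names are assumptions.
Import-Module ActiveDirectory

$GroupName = 'APP_VCTR_SSO_Administrator'                 # group name from step 5
$GroupOU   = 'OU=Application Groups,DC=contoso,DC=com'    # assumed OU
$Admins    = @('adm.derek')                                # assumed admin account(s)

# Create the group only if it does not already exist. A Global security group
# is sufficient for a single-forest environment.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description 'Members are vCenter SSO __Administrators__. Review membership regularly.'
}

# Add the admin account(s). Keep this list short; every member can administer SSO.
Add-ADGroupMember -Identity $GroupName -Members $Admins

# Audit: -Recursive expands nested groups, so this is the real set of people
# who can now manage SSO, not just the direct members.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Select-Object Name, SamAccountName, objectClass, distinguishedName |
    Format-Table -AutoSize

# Step 6 check: Windows puts group SIDs into the logon token at logon time, so a
# newly added group will not show up in your current session until you log off
# and back on. Translate each SID to DOMAIN\Name and look for the new group.
$token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inToken = $token.Groups |
    ForEach-Object { try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { } } |
    Where-Object { $_ -like "*\$GroupName" }

if ($inToken) {
    "Current logon token already contains $inToken"
} else {
    "$GroupName is not in the current logon token; log off Windows and back on before testing the Web Client"
}
```

Run it from an account with rights to create groups in the target OU. The audit listing is worth repeating periodically, because anyone who can add members to this group effectively holds the SSO administrator role.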

Next up is creating the VUM DSN, which is covered in Part 10.

30 comments:

  1. Derek,

    I upgraded everything successfully and went through your documents thoroughly. I have a few service accounts associated with AD which have special characters in their passwords, such as ^ and many more. Is there a document where VMware mentions certain characters not being permitted in passwords? These accounts were working pre-upgrade, until 5.1.

    Regards
    Yogesh

    Replies
    1. Yogesh, I haven't seen any document stating which special characters are not allowed. I have seen other users report that the ^ symbol causes problems.
  2. Derek, I've been following along here on this wild ride. I've got to say this has been very much a documentation disaster. I guess VMware felt that we would all wait for the first service pack to begin trying stuff out. I wanted to thank you for putting all this info out here. Even though I haven't been able to get everything working with certs, I have been able to get the web client working with a proper cert, and this latest SSO change definitely makes things much easier. One thing I missed when making this tweak is that you need to click the little Disk icon to save the default domain changes. It's probably obvious to most, but I missed it twice so I figured I'd mention it.

    Replies
    1. Thanks for the tip about the blue disk icon. I updated the post with a screenshot and a warning.
  3. Great job with this Series. VMware dropped the ball with this release.

    Replies
    1. Thanks! I don't think anyone would argue a few more months of QA would have been in order... seems very rushed to market.
  4. Hallo, Derek!

    Thank you very much for your blog, it is very helpful in updating!
    There is another question: how do I add the Local OS identity source? I get the following error:
    The "Add identity source" operation failed for the entity with the following error message.

    Invalid local OS domain details: Cannot configure a Local OS Identity Source on a Linked Mode Replication instance

    Replies
    1. Did you install the SSO service for High Availability? If so, that may be preventing the use of local OS security identities.

    2. Is there any method to change it to SSO single mode? Or any method to add local users to the vCenter permissions?
  5. This has been a great tutorial! After following all of VMware's upgrade guides, it seemed nothing worked and I had to roll back the DB and version. It was a nightmare to say the least of an experience! I think by far this upgrade has been the biggest abortion VMware has ever released! Your guide at least helped me get everything working! All certs are working except for the two that matter, which are Inventory and vCenter. I cannot get past some of the errors and warnings no matter how many times I re-gen the certs. All in all I continue to visit your tutorial every day waiting for updates. I have submitted trouble tickets to VMware and they have been stumped for 8 days now.

    THANK YOU!
  6. What about clicking "Log Browser" in the WebClient? I am getting the "Unauthorized access" Error. I've followed this Tutorial http://www.virtual-hike.com/2012/09/vsphere-web-client-logbrowser-unauthorized-access/ to troubleshoot, but I don't get any further. As soon as I want to import the server-identity.jks file I am asked to enter the password that is in the server.xml file, but it's incorrect. Anyone out there with the same problem or a solution to it?

    Replies
    1. I'm still working on how to get the Log Browser working. One of my readers has had success, but so far I haven't had time to play with it.
  7. Thanks and glad I could be of assistance? Still a few kinks to work out like the Log Viewer service..but making progress!

  8. Hey Derek, great tutorial. I have one question though. I have successfully added our ServerAdmins group to the __Administrators__ group and can log in to SSO using the accounts that are members of it. I also added another group as a test and I now cannot remove the group from __Administrators__. The error is:

    The "Delete group" operation failed for the entity with the following error message.

    The specified principal (ADROLE-WorkstationAdmins) is invalid.

    Replies
    1. I deleted the __Administrators__ group and re-added it without issue. I also deleted the other two groups and re-added them for testing purposes and haven't had any problems. This was the only way I could remove a group from the pre-populated vCenter groups.

      I wouldn't recommend this in a production environment because I'm not sure if these groups are tracked internally with some SID (similar to Windows accounts) or GUID, and recreating them assigns a new number. I don't know the internals of vCenter as much as I would like to.
  9. There's no solution... KB: 2037102

    Error: The "Delete group" operation failed for the entity with the following error message. The specified principal (AD group) is invalid.
    If you are attempting to remove a user principal, you do not see any errors, but the user is not removed from the group.

    Resolution
    VMware is aware of this issue and it is currently being investigated.
  10. Question: if the AD DCs are VMs and they were shut down, how do we log in through the Web Client or C# Client to turn them on? SSO will check the AD group for user permissions to log in, but AD is down.

    Replies
    1. You can still log on locally to the ESXi host(s) running the domain controller VMs and start them from there if nothing else.
  11. Hi Derek, great tutorial. I have a quick question. I have successfully installed vCenter but I can't start the vCenter service. After checking the logs I found the following error messages:
    error 'Default'] [0] error:0906D06C:PEM routines:PEM_read_bio:no start line
    error 'Default'] [1] error:0906D06C:PEM routines:PEM_read_bio:no start line
    error 'Default'] [2] error:02001002:system library:fopen:No such file or directory
    2012-11-11T20:28:27.266-08:00 [05164 error 'Default'] [3] error:2006D080:BIO routines:BIO_new_file:no such file
    2012-11-11T20:28:27.266-08:00 [05164 error 'Default'] [4] error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
    error 'Default'] Failed to initialize the SSL context: SSL Exception: error:0906D06C:PEM routines:PEM_read_bio:no start line
    Does anyone have any ideas?

  12. I have the same error as Marcos:

    [05096 info 'Default'] Creating SSL Contexts
    [05096 error 'Default'] SSLContextImpl::SetVerifyLocations (0000000000000000) SSL_SetVerifyLocations failed. Dumping SSL error queue:
    [05096 error 'Default'] [0] error:0906D06C:PEM routines:PEM_read_bio:no start line
    [05096 error 'Default'] [1] error:0906D06C:PEM routines:PEM_read_bio:no start line
    [05096 error 'Default'] [2] error:02001002:system library:fopen:No such file or directory
    [05096 error 'Default'] [3] error:2006D080:BIO routines:BIO_new_file:no such file
    [05096 error 'Default'] [4] error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
    [05096 error 'Default'] Failed to initialize the SSL context: SSL Exception: error:0906D06C:PEM routines:PEM_read_bio:no start line

    I'll have a go tomorrow at generating the vCenter SSL certificates again and re-installing; hopefully that solves it.

    Replies
    1. I had this error as well. It looks like the error is that the ca_certificats.cer file should actually be ca_certificates.crt. I left the .cer file and copied it to .crt, and the error went away and vCenter started successfully.

    2. I too had this error. I went to the C:\ProgramData\VMware\SSL directory and noticed I didn't have a ca_certificates file. I did a search on the PC and found a copy in C:\ProgramData\VMware\backup. I copied it over to the C:\ProgramData\VMware\SSL directory, and I made 2 copies, ca_certificats.cer and ca_certificates.crt. After this I was able to start the vCenter Server service again.
  13. Great article! We have about everything up and running but do have a question. Login after installing the plugin won't work. Users need to put @domain behind the username, otherwise SSO won't accept the login. Which makes the plugin useless and login an annoying process. I guess there must be a setting for this but haven't been able to find it.
    Do you know the solution?

    Regards, Eugène

  14. I had the same errors as Chris and Marcos. No one has a solution for this yet? I'm trying a reinstall myself to see if that fixes it, but it's very odd.
    Replies
    1. Hi. Firstly, this is a great article and big ups to you Derek.
      I resolved this error by following the Anonymous poster's reply to Chris and Marcos.
      Make sure the ca_certificates.crt file has a .crt extension and not .cer, and that the 0 file also has a zero extension.
      I spent all Xmas troubleshooting and my wife almost divorced me.. lol
  15. I'm having a slightly different issue that I think must be simple. In the vSphere web Client, I do not see any options for "SSO Users and Groups" or for "Configuration" under sign-on and discovery. Can anyone point me in the right direction?

    If someone would prefer to answer on ServerFault, I also have the question at ServerFault at http://serverfault.com/questions/453031/vcenter-5-1-sso-configuration-option-not-available-in-web-client

    Thanks for this great series, Derek! First-time reader and you're now definitely in my Google Reader. :)

    Replies
    1. Hello Sean,

      I had the same problem and was able to get around it by logging into vSphere Web using "root".

      Hope this helps.

    2. Log on to the web client with admin@System-Domain, then go to Administration and you'll see those options.
  16. Hi Derek,

    Just wondering about the difference between APP_VCTR_ALL_Administrator group accounts that you added during the vCenter installation and the APP_VCTR_SSO_Administrator added for the SSO.

    Correct me if I'm wrong, but I'm assuming that the ALL_Administrator group account is used to authorise the users that can access vCenter, whereas SSO_Administrator is the group account that can manage both SSO and vCenter Server, given that the individual user account is in both the ALL_Administrator and SSO_Administrator groups.

    Is there a way to replace / add additional group or user accounts that can access vcenter (in this case the APP_VCTR_ALL_Administrator group account) ?

    Sorry if I'm confusing anyone with the question.

    Cheers,
    Michael
