VMworld 2013: vSphere vCenter Single Sign-on Best Practices

Published on SlideShare (VMworld 2013); published in: Technology
Josh Gray, VMware
Justin King, VMware
Jonathan McDonald, VMware

Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare

Slide transcript
1. vSphere vCenter Single Sign-on Best Practices
Josh Gray, VMware
Justin King, VMware
Jonathan McDonald, VMware
VSVC5635 #VSVC5635

2. vSphere Deployment Best Practices – vCenter Server 5.1
• What is vCenter Single Sign-On
• vCenter Single Sign-On 5.1
  • Architecture
  • Deployment Configurations
  • Database
  • 5.1 Architectural References: Single vCenter Server; Multiple vCenter Servers (Local); Multiple vCenter Servers (Remote)
• Deployment Best Practices and Recommendations
  • Deployment / Installation / Upgrading / Availability
• Challenges / Lessons Learned with Single Sign-On 5.1
• vCenter Single Sign-On 5.5 (NEW)
  • What's New with vCenter Single Sign-On 5.5
  • Deployment Configurations
4. What is: vCenter Single Sign-On Server
• Authentication services for the vSphere platform
• A component of vCenter Server
• vCenter Single Sign-On creates an authentication domain where users are trusted to access available resources (vCenter etc.)
  • You no longer log into vCenter directly*
• Multiple identity sources (Active Directory, OpenLDAP etc.)
• Provides secure token exchange (SAML 2.0) between solutions
• When you access an SSO-enabled solution, the solution will request an extension to the SAML 2.0 token TTL
• First component to touch (regardless of install or upgrade)
• Design before implementing!!
[Diagram: vCloud Director, vCenter and vCO all authenticating against vCenter Single Sign On (SSO)]

5. What Components Have Integrated With SSO?
[Diagram: 2013 to 2014 timeline of components integrated with SSO: Inventory Service, Web Client, vCenter, SSO, VCO, Log Browser, VSM, VCD*, SRM, VCOPS, VDP, others, partners]
* VCD is partially integrated with SSO; only provider-side logins can be integrated with SSO

6. How Does vCenter Single Sign On Work?
[Diagram: Web Client, vCenter Single Sign On, its identity sources (AD domains, OpenLDAP, SSO users in the SSO data store, Local OS users) and the SSO-enabled solutions]
  1. Web Client: Login (user, pswd)
  2. Issue Token (user, pswd) request to vCenter Single Sign On
  3. Authenticate: SSO authenticates the user against the identity source (Active Directory or OpenLDAP, SSO users against the SSO data store, Local OS users against the OS)
  4. Token returned to the Web Client
  5-9. Login (Token) to each solution: vCenter 1, vCenter 2, VCO, vShield, vCloud Director
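Added example, not code from the deck or from VMware: what a solution at steps 5-9 should check before it honours the token it was handed. The assertion below is a constructed sample (the STS URL, audience and subject are made-up names); the Python standard library cannot verify the XML signature, so that result is passed in as a flag, and the checks cover the validity window with clock skew, the audience restriction and the issuer.

```python
"""Consumer-side validation of a SAML 2.0 assertion, as a solution that has
been handed an SSO token would perform it. Illustrative code, not VMware's."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample assertion. The STS URL, audience and subject are made-up
# names; a real token also carries a ds:Signature, omitted here.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2013-08-26T10:00:00Z">
  <saml:Issuer>https://sso01.corp.example:7444/sts/STSService</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@corp.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-08-26T10:00:00Z" NotOnOrAfter="2013-08-26T10:30:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vc01.corp.example/sdk</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def _utc(stamp):
    """Parse a SAML UTC timestamp such as 2013-08-26T10:30:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, trusted_issuer, my_audience,
                       signature_verified, clock_skew=timedelta(minutes=5)):
    """Return (accepted, reasons, subject) for one assertion.

    signature_verified is the outcome of XML-DSig verification against the STS
    signing certificate (not done here: the standard library has no XML-DSig).
    An unsigned or badly signed token is rejected before anything else is read,
    because every other field is attacker-controlled until the signature holds.
    """
    if not signature_verified:
        return False, ["signature not verified against the STS certificate"], None

    # For untrusted XML in production prefer defusedxml over the plain parser.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML or root.get("Version") != "2.0":
        return False, ["not a SAML 2.0 Assertion"], None

    reasons = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_issuer:
        reasons.append("issuer %r is not the trusted STS" % issuer)

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("no Conditions element, so no validity window")
    else:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        # Allow a small skew between the STS clock and ours, in both directions.
        if not_before and now < _utc(not_before) - clock_skew:
            reasons.append("token not yet valid (NotBefore=%s)" % not_before)
        if not_on_or_after is None:
            reasons.append("no NotOnOrAfter, token would never expire")
        elif now >= _utc(not_on_or_after) + clock_skew:
            reasons.append("token expired (NotOnOrAfter=%s)" % not_on_or_after)
        audiences = [a.text.strip() for a in
                     cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)
                     if a.text]
        if my_audience not in audiences:
            reasons.append("audience %r not in %r" % (my_audience, audiences))

    subject = root.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    if not subject:
        reasons.append("no Subject/NameID")

    return (not reasons), reasons, subject
```

The signature check gates everything else: issuer, subject and validity window are all attacker-chosen text until the signature over them has been verified against the STS certificate, which is one reason the deck later insists on keeping those certificates valid.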
7. vCenter Single Sign On Server
• Registry of Single Sign-On enabled solutions
• One-time manual registration of vCenter 5.0 needed for discovery by the vSphere Web Client (5.1 only)
• Linked Mode required to provide a single pane of glass view across geographically separate vCenters
• Linked Mode:
  • Sharing of permissions
  • Sharing of roles
  • Sharing of licenses

9. vCenter Single Sign-On 5.1 Configurations: Basic vCenter Single Sign-On
[Diagram: vCenter Server host or VM running vCenter Server, Web Client, Inventory Svc and SSO Server (Basic), with a VC Database and an SSO Database]
• Most common deployment option (VMware recommended)
• A single standalone instance of the SSO server that supports the connectivity of Active Directory, OpenLDAP, Local Operating System and SSO embedded users and groups
• Typically local to the vCenter Server
• Used by the vCenter Server Simple Install option
• Preinstalled with the vCenter Server Appliance

10. vCenter Single Sign-On 5.1 Configurations: Primary vCenter Single Sign-On
[Diagram: vCenter Server host or VM running vCenter Server, Web Client, Inventory Svc and SSO Server (Primary), with a database]
• Used for advanced configurations
  • vCenter SSO High Availability (SSO HA)
  • Local copy at remote sites (Multisite)
• Installable version of SSO (Windows only)
• Selected with the Individual Installer
• Supports the connectivity of Active Directory, OpenLDAP and SSO embedded users and groups
• Does not support the use of local operating system user accounts
• Only one Primary node can exist in a single SSO environment

11. vCenter Single Sign-On 5.1 Configurations: vCenter Single Sign-On HA Backup (SSO HA)
[Diagram: load balancer in front of SSO Server (Primary) and SSO Server (HA Backup) on separate hosts or VMs sharing one database; vCenter Server 1 and vCenter Server 2 each with vCenter Server, Web Client and Inventory Svc]
• Provides failover of the vCenter SSO server
• Centralized vCenter SSO server for multiple local vCenter Servers
• Selected with the Individual Installer
• Third-party load balancer + configuration + support
• Complex to set up
  • Update SSL certificates
  • Repointing of vCenter components
• No protection of the shared database
• Limited functionality when failed over
  • Administration lost
  • No service restarts
• Availability: same as vCenter Server (vSphere HA, vCenter Heartbeat)

12. vCenter Single Sign-On 5.1 Configurations: vCenter Single Sign-On Multisite
[Diagram: New York with a Primary SSO Server; Los Angeles and Miami each with a Multisite SSO Server; every site has Web Client, Inventory Svc, vCenter Servers and local databases]
• Local authentication
  • Removes additional risk (WAN)
  • Maintains the same SSO security domain
• Required for Linked Mode
• Selected with the Individual Installer
• Does not provide site redundancy
• Manual steps required to maintain synchronization of SSO users/groups/policies etc.:
  1. Install Primary SSO in NY
  2. Install IS, VC in NY
  3. Install Multisite SSO in LA
  4. Replicate SSO from NY to LA
  5. Install IS, VC in LA
  6. Replicate SSO in LA to NY
  7. Repeat steps 3-6 for each site

13. vCenter Single Sign-On Database
• vCenter Single Sign-On
  • Hard naming requirements (RSA)
  • Schema scripts provided on the ISO
  • SQL authentication required
  • JDBC connection
• Supported databases
  • Oracle: 10g (rel 2) / 11g (rel 1 to rel 2)
  • Microsoft SQL Server: 2005 (SP4) / 2008 (SP1 to SP3) / 2008 R2 (SP1 to SP2) / 2012
  • Embedded vPostgres (vCenter Appliance only)
16. Single vCenter Server Design Recommendation
[Diagram: vCenter Server host or VM with vCenter Server, Basic SSO Server, Web Client and Inventory Svc; VC Database and SSO Database]
• Use the Simple Installer: installs / upgrades the core components within a single virtual machine
  1. vCenter Single Sign-On
  2. vCenter Inventory Service
  3. vCenter Server
  4. Additional install: vSphere Web Client
• No change to architecture
• All services are local
• Supports 1-1000 hosts / 1-10,000 virtual machines
• A distributed model adds unnecessary complexity and recovery challenges

17. Multiple Remote vCenter Server Design Recommendations
• Multiple single vCenter Server design
  • Each site is independent
  • No single pane of glass view
• Linked Mode
  • Maintains single pane of glass
  • Replicates licenses, permissions and roles
• Availability
  • vSphere HA
  • vCenter Heartbeat
[Diagrams: (a) New York, Los Angeles and Miami each with an independent Basic SSO Server, Web Client, Inventory Svc and vCenter Servers with local databases; (b) the same sites with a Primary SSO Server in New York and Multisite SSO Servers in Los Angeles and Miami]

18. Multiple Local vCenter Server Design Recommendations
• Centralized SSO authentication
  • Same physical location
  • Metropolitan / college campus
• Single centralized vSphere Web Client
• Availability (required)
  • vSphere HA
  • vCenter Heartbeat
• Simple, with full functionality
[Diagram: one Basic SSO Server with Web Client and a local SSO database serving three vCenter Servers, each with Inventory Svc; a database server hosting VCDB1, VCDB2, VCDB3]
20. Common Issues – Login Problems / Failures
• Login problems are the primary problem we see with SSO
• They fall into several basic categories
• Login fails with an STS error. Common causes / troubleshooting:
  • vCenter SSO service is not accessible: check networking
  • vCenter SSO service is down: check the services configuration
  • If the service cannot start, it is commonly database related: check SQL connectivity and availability, and validate that passwords have not expired or changed
  • Check imsTrace.log for related errors

21. Common Issues – Login Problems / Failures (2)
• Login fails with a "credentials not valid" error. Common causes:
  • Incorrect username or password specified
  • Incorrect qualifying domain (@system-domain in this case) specified
  • Password has expired: reset the password on the account
  • Account disabled or locked
  • If none of these apply, check imsTrace.log to validate the error message for the login

22. Common Issues – Login Problems / Failures (3)
• Login fails for admin@system-domain
  • Similar to regular account failures
  • Use the following KB to reset or unlock the account: Unlocking and resetting the vCenter Single Sign On (SSO) administrator password, http://kb.vmware.com/kb/2034608
  • Example command line usage from the KB: (screenshot on slide)
  • Always requires the master password. If it is lost, a reinstall is required.
  • To change the master password the following command can be used: (screenshot on slide)

23. Best Practices for Login Problems / Failures
• Ensure that the SSO service is started and that other teams announce any maintenance that is occurring
  • Most problems that GSS sees here are related to the service being inaccessible
  • This includes the database and, more importantly, networking
• Always make sure that the admin@system-domain master password is recorded
  • This is the password set during the initial installation
  • As long as you have the master password, there is a way to get into the system
  • Think of this password as similar to an Active Directory recovery password

24. Common Issues – Domain Trusts
• 5.1 GA, 5.1a, 5.1b: no domain trusts function
  • Many domain topologies exist
• VMware Development is working to ensure that all trusts are available and function with SSO
• Cause: SSO 5.1.x uses LDAP binds rather than native Windows API calls

25. Common Issues – Permissions
• As long as authentication is successful, permissions can still cause unexpected problems after login completes
• The SSO administrator is admin@system-domain
• The vCenter administrator is whatever is specified in the installer
  • By default this will be the Administrators group on the vCenter server
• If you don't have permissions you may see: (screenshot on slide)

26. Common Issues – Permissions (2)
• The cause is that the roles are separated by default
• The vCenter log (vpxd.log) will show a vim.fault.NoPermission error
• Log in with the appropriate administrator account and add permissions if desired
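Added example, not VMware's code, covering slides 20 to 22 and 26: a first-pass triage of the login failure categories above, run over log lines. The sample lines are constructed in the spirit of imsTrace.log and vpxd.log; the real wording differs, so adapt the patterns to your own logs. The rule order puts the service-level causes (database, STS) first, because one outage there produces a failed login entry for every user.

```python
"""Triage of SSO login failures from log lines (illustrative, not VMware's code).
Maps each error to the category and first check from the preceding slides."""
import re
from collections import Counter

# Constructed sample lines in the spirit of imsTrace.log and vpxd.log. Real
# entries are worded differently, so treat the patterns as a starting point.
SAMPLE_LOG = """\
2013-08-26 10:01:12 imsTrace ERROR Failed to connect to database: connection refused
2013-08-26 10:02:03 imsTrace ERROR STS service unavailable: connection refused to sso01.corp.example:7444
2013-08-26 10:02:40 imsTrace WARN  Authentication failed for user jdoe@corp.example: invalid credentials
2013-08-26 10:02:55 imsTrace WARN  Authentication failed for user admin@System-Domain: account is locked
2013-08-26 10:03:10 vpxd     INFO  [Auth] User jsmith@corp.example logged in
2013-08-26 10:03:11 vpxd     ERROR [Auth] Permission check failed for jsmith@corp.example: vim.fault.NoPermission
"""

# Ordered: the first matching rule wins, so service-level causes come before
# per-account ones (a DB outage also prints a failure for every login attempt).
RULES = [
    ("sso_database_unavailable",
     r"connect to database|database.*(refused|timed out)",
     "SSO service cannot reach its database: check SQL connectivity and the SSO DB account password"),
    ("sso_sts_unreachable",
     r"STS .*unavailable|connection refused|service is not running",
     "STS not reachable: check networking and that the vCenter SSO service is started"),
    ("account_locked",
     r"\block(ed|out)\b|disabled",
     "Unlock the account; for admin@System-Domain follow KB 2034608 (needs the master password)"),
    ("bad_credentials",
     r"invalid credentials|incorrect password|password has expired",
     "Wrong password, expired password or wrong qualifying domain (@system-domain)"),
    ("no_vcenter_permission",
     r"vim\.fault\.NoPermission",
     "Authenticated, but no vCenter role: grant permissions, preferably to a domain group"),
]
COMPILED = [(cat, re.compile(pat, re.IGNORECASE), hint) for cat, pat, hint in RULES]
USER_RE = re.compile(r"([\w.-]+@[\w.-]+)")


def triage(log_text):
    """Return events {line, category, user, hint} for every line matching a rule."""
    events = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for category, rx, hint in COMPILED:
            if rx.search(line):
                user = USER_RE.search(line)
                events.append({"line": lineno, "category": category,
                               "user": user.group(1) if user else None,
                               "hint": hint})
                break
    return events


def summarize(events):
    """Count events per category. A service-level category dominating the count
    means fixing one thing (DB, network, service) rather than many accounts."""
    return Counter(e["category"] for e in events)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print("line %d  %-26s %-22s %s" % (e["line"], e["category"], e["user"], e["hint"]))
    print(summarize(found))
```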
27. Best Practices – Permissions
• Configure a domain group for access by default rather than a user
  • This ensures that many users have access rather than a single user
  • Allows other users to still log in if an account is locked out inadvertently
• Be sure to note down the group that was configured for administrator access to vCenter during installation
  • With the vCenter Linux appliance, root has access by default
• Add additional SSO administrators other than admin@system-domain
  • With separate users, if one account expires you can unlock it by logging in with another user account

28. Best Practice – Local OS Accounts
• Recommendation: move the use of local OS accounts in vCenter to SSO identity sources or embedded SSO user accounts
• Benefit: depending on the architecture deployed, local OS accounts will more than likely be unavailable to vCenter Server
• Tip: set up a local SSO group, add AD/SSO users and/or groups to it, and apply vCenter permissions to the SSO group

29. Common Issues – Certificates
• Certificates are used for security for SSO
  • All VMware components use certificates for communication
  • If a certificate is invalid or expired, SSO will reject communication
  • All services registered into SSO need a valid certificate
• Upgrades to vCenter 5.1 will fail if a certificate is invalid
  • The following certificates need to be VALID to successfully upgrade to 5.1: SSO, Inventory Service, vCenter
  • More information in KB: Upgrading to vCenter Server 5.1 fails with the error: Certificate already expired (2035413)

30. Common Issues – Certificates (2)
• Replacing the certificates is difficult due to the number of steps
• VMware engineering recognized the difficulty and released the SSL Certificate Automation Tool
  • Automates the installation and configuration of new certificates
  • KB for the tool: Deploying and using the SSL Certificate Automation Tool (2041600)
• Not a certificate authority
  • Will generate the certificate requests and install the resulting certificates
  • Will not generate the certificate; the admin still has to get this from the CA
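Added example, not from the deck or from the SSL Certificate Automation Tool: a pre-upgrade readiness check for the three certificates slide 29 lists as needing to be valid. Host names are assumptions and the ports are the usual defaults assumed for these services; the certificate dicts used in the demo are constructed in the shape Python's ssl getpeercert() returns, and the live fetch verifies against the CA file you supply, so an already-broken chain fails the handshake rather than being silently reported as fine.

```python
"""Pre-upgrade certificate check for the services the deck lists (SSO,
Inventory Service, vCenter). Illustrative code, not VMware's tooling."""
import socket
import ssl
import time

# Host names are assumptions; ports are the defaults assumed for these services.
ENDPOINTS = {
    "SSO": ("sso01.corp.example", 7444),
    "Inventory Service": ("vc01.corp.example", 10443),
    "vCenter": ("vc01.corp.example", 443),
}


def fetch_peer_cert(host, port, ca_file, timeout=5.0):
    """Return the peer certificate dict for host:port after verifying it
    against ca_file. A chain that is expired, untrusted or issued for another
    name raises ssl.SSLError here, which is itself the answer you wanted."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def classify(cert, now, warn_days=30):
    """'EXPIRED', 'EXPIRING' or 'OK' plus days left, from a getpeercert() dict."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400.0
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left < warn_days:
        return "EXPIRING", days_left
    return "OK", days_left


def upgrade_readiness(certs, now, warn_days=30):
    """certs: {service: cert dict}. Returns (ready, {service: (status, days)}).
    ready is False if any certificate has already expired, since the 5.1
    upgrade fails on that; EXPIRING only warns, but replace it first anyway."""
    report = {svc: classify(cert, now, warn_days) for svc, cert in certs.items()}
    return all(status != "EXPIRED" for status, _ in report.values()), report


# Constructed certificate dicts in getpeercert() shape, for the offline demo.
SAMPLE_CERTS = {
    "SSO": {"subject": ((("commonName", "sso01.corp.example"),),),
            "notAfter": "Jan 10 00:00:00 2013 GMT"},
    "Inventory Service": {"subject": ((("commonName", "vc01.corp.example"),),),
                          "notAfter": "Jan 10 00:00:00 2015 GMT"},
    "vCenter": {"subject": ((("commonName", "vc01.corp.example"),),),
                "notAfter": "Jun 15 00:00:00 2013 GMT"},
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 01 00:00:00 2013 GMT")


def live_check(ca_file, now=None, endpoints=ENDPOINTS):
    """Fetch every endpoint's certificate and report. A handshake or connect
    failure is recorded as FAILED with the error text instead of aborting."""
    now = time.time() if now is None else now
    certs, report = {}, {}
    for svc, (host, port) in endpoints.items():
        try:
            certs[svc] = fetch_peer_cert(host, port, ca_file)
        except OSError as exc:           # ssl.SSLError is an OSError subclass
            report[svc] = ("FAILED", str(exc))
    ready, cert_report = upgrade_readiness(certs, now)
    report.update(cert_report)
    return ready and not any(s == "FAILED" for s, _ in report.values()), report


if __name__ == "__main__":
    ready, report = upgrade_readiness(SAMPLE_CERTS, SAMPLE_NOW)
    for svc, (status, days) in sorted(report.items()):
        print("%-18s %-8s %7.1f days" % (svc, status, days))
    print("ready to upgrade:", ready)
```

Run live_check() with the CA bundle that actually issued the vCenter certificates; with the default VMware self-signed certificates that means exporting each one first, which is exactly the inventory the automation tool needs from you anyway.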
31. Create SSO Database
• Recommendation: create the SSO database prior to installation
• Benefit: you will be asked to connect to the database during the SSO install; otherwise you will not be able to continue
• Tip: use the scripts provided on the vCenter ISO; make sure you edit them with the database location and user account passwords before executing

32. Configure SSO Before Upgrading vCenter Server
• Recommendation: when upgrading, install SSO, then the Web Client, before the other components
• Benefit: this allows you to preconfigure the identity sources prior to the vCenter upgrade and eliminate any login risks post install
• Tip: add a domain user as an SSO admin, then log out and back in as that user to confirm the configuration before proceeding

33. vCenter Server – Availability
• Recommendation: protect the vCenter suite, not individual components
• Benefit: if high availability is desired, use a solution that protects all components so that dependencies are maintained
• Tip: vSphere HA and vCenter Heartbeat can protect all components, whether distributed or local, with the same license. vDP 5.5 also restores without vCenter and can be used as well
35. Challenges with vCenter Single Sign-On 5.1
• Active Directory integration
  • Does not work effectively in multi-forest / trusted domain environments
  • Does not scale in environments with 15K or more users
  • Administration is limited
• Certificates
  • SSL communications challenging
  • Difficult to change / update
• Installation
  • Database requirements / security concerns
  • Many installable configurations
  • Difficult to change / reconfigure post install
  • Complex
• Diagnostics
  • Troubleshooting tools: non-existent
37. What's New with vCenter Single Sign-On 5.5 (in short)
• Improved architecture
  • Multi-master
  • Built-in replication
  • Site awareness
  • Multi-tenant
• Database
  • There is no database!
• Installation
  • One simplified deployment model
  • Select vCenter Single Sign-On for the first or an additional vCenter Server
• Diagnostics
  • Full suite of diagnostic / troubleshooting tools
[Diagram: vCenter Single Sign-On 5.5 with SSO Site 1 and SSO Site 2, each serving vCenter Servers with Web Client and Inventory Svc]

38. vCenter Single Sign-On 5.5 – Installation
• Prerequisites
  • Hostname has an FQDN and is DNS resolvable (forward/reverse)
  • Joined to an Active Directory domain (if integrating with Active Directory)
  • Windows 2008 x64 SP2 or higher (or use the vCenter Appliance)
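Added example (not VMware's installer check): the forward/reverse DNS prerequisite from the first bullet, written so the resolver is injectable and run here against a constructed zone whose names and addresses are made up. It flags the three failures that bite in practice: a short name instead of an FQDN, a PTR that returns a different or short name, and a PTR name that does not resolve back to the same address.

```python
"""Pre-install check for the SSO 5.5 DNS prerequisite: the host name must be
an FQDN that resolves forward and reverse consistently. Illustrative code."""
import socket


def check_fqdn_resolution(hostname, forward=socket.gethostbyname,
                          reverse=socket.gethostbyaddr):
    """Return (ok, findings) for the SSO host name.

    forward(name) -> ip and reverse(ip) -> (name, aliases, ips) default to the
    system resolver; they are parameters so the check can run against a
    constructed zone offline.
    """
    name = hostname.rstrip(".").lower()
    if "." not in name:
        return False, ["%r is a short name, not an FQDN" % hostname]
    try:
        ip = forward(name)
    except OSError as exc:
        return False, ["forward lookup of %s failed: %s" % (name, exc)]
    try:
        ptr_name, aliases, _ = reverse(ip)
    except OSError as exc:
        return False, ["reverse lookup of %s (%s) failed: %s" % (ip, name, exc)]

    findings = []
    ptr_names = {n.rstrip(".").lower() for n in [ptr_name, *aliases]}
    if name not in ptr_names:
        findings.append("PTR for %s returns %s, not %s" % (ip, sorted(ptr_names), name))
    # Round trip: the name the PTR hands back must itself resolve to the same
    # address, otherwise Kerberos and SSL name checks see two different identities.
    try:
        rt_ip = forward(ptr_name)
    except OSError as exc:
        findings.append("PTR name %s does not resolve: %s" % (ptr_name, exc))
    else:
        if rt_ip != ip:
            findings.append("PTR name %s resolves to %s, not %s" % (ptr_name, rt_ip, ip))
    return (not findings), findings


# Constructed zone for the offline demonstration; names and addresses are made up.
FAKE_A = {"sso01.corp.example": "10.0.0.5", "vc01.corp.example": "10.0.0.6",
          "old-vc.corp.example": "10.0.0.7", "vc07.corp.example": "10.0.0.9"}
FAKE_PTR = {"10.0.0.5": ("sso01.corp.example", [], ["10.0.0.5"]),
            "10.0.0.6": ("VC01", [], ["10.0.0.6"]),               # short, mixed-case PTR
            "10.0.0.7": ("vc07.corp.example", [], ["10.0.0.7"])}  # stale PTR, points elsewhere


def fake_forward(name):
    try:
        return FAKE_A[name.rstrip(".").lower()]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


def fake_reverse(ip):
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host")


def demo():
    """Run the check over the constructed zone; returns {name: (ok, findings)}."""
    return {h: check_fqdn_resolution(h, fake_forward, fake_reverse)
            for h in ["sso01.corp.example", "vc01.corp.example",
                      "old-vc.corp.example", "sso01", "nx.corp.example"]}


if __name__ == "__main__":
    for host, (ok, findings) in demo().items():
        print("%-22s %s %s" % (host, "OK " if ok else "BAD", "; ".join(findings)))
```

Against the real resolver, call check_fqdn_resolution(socket.getfqdn()) on the host you are about to install on; the getfqdn() result being a short name is itself the first finding you want before the installer tells you.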
39. vCenter Single Sign-On 5.5 – Installation
• Simple Installer: single vCenter Server environments
• Individual Installer: multiple vCenter Servers and/or advanced configurations
• Installer steps
  1. Accept license agreement (EULA)
  2. Prerequisite check summary
  3. Edit default port number 7444 (if necessary)
  4. Select deployment placement
  5. Provide the administrator@vsphere.local password
  6. Provide a site name or select a previous site name
  7. Edit destination directory (if necessary)
  8. Summary
  9. Installation complete
• Upgrading? The admin@system-domain account becomes an alias of administrator@vsphere.local

40. Supports Upgrade of All vCenter 5.1 Configurations
• Previous vCenter Single Sign-On 5.1 deployment models are fully maintained via upgrade
  • Basic
  • Single Sign-On High Availability
  • Single Sign-On Multisite
• New recommendations with vSphere 5.5
  • Take advantage of the new technology
  • Single virtual machine for all vCenter components**
  • Distributed virtual machines add complexity: availability / backup & restore, management
  • Easily migrate to the new recommendations during upgrade
** Enterprise customers with 6 or more local vCenter Servers can use a centralized instance

41. Types of Identity Sources
What is an identity source? An external domain or repository of users and groups.
Identity sources supported with 5.5:
  1. Native Active Directory (recommended)
    • Uses Kerberos via the machine account or an SPN (load balancer)
  2. Active Directory as an LDAP server
    • Provided for backward compatibility with 5.1
    • Not likely to be supported post 5.5
    • Same limitations as in 5.1
  3. OpenLDAP
  4. Local Operating System
  5. Single Sign-On
Configuring your VC Server: when you configure your VC Server, make sure to set the VC Administrator to administrator@vsphere.local. DO NOT SET the VC Administrator to be a Local OS account.

42. Diagnostics
• vCenter Single Sign-On 5.5 diagnostic tools
• Perform all administration and reconfiguration from the MMC snap-in
  • The vCenter Single Sign-On services need to be running
• KB to troubleshoot startup issues
• Separate download, so it can be updated independently and gain new features

43. Replication
• Built-in replication between each Single Sign-On server deployed in the same vSphere authentication domain
• Replication partners: review / add / remove / edit
• Geographically separated Single Sign-On sites
  • Reduce overhead
  • Provide redundancy links

44. Backup / Restore / Availability
• Backup / Restore
  • Virtual machine**: snapshot; tape / disk; vDP (now supports host-level restore)
  • Application (KB with GA): registry keys; SSL certificates (tcserver); certificate server; KDC; VMDir (vdcbackup)
• Availability of the vCenter Single Sign-On server
  • No different to vCenter
  • Why? vCenter is the primary resident of the Single Sign-On server
  • vSphere HA, vCenter Heartbeat
** Additional step required when multiple SSO instances are configured

45. Log Files
The log files provided by Single Sign On include:
• vminst.log: Single Sign On installer log
• vim-sso-msi.log: MSI installer verbose log for the Single Sign On installation
• vim_ssoreg.log: Single Sign On Lookup Service log
• exported_sso.properties: endpoint information about each of the Single Sign On solution users and identity sources, extracted from the previous vCenter Single Sign On 5.1.0 instance
• vim-openssl-msi.log: MSI installer verbose log for the OpenSSL installation
• vim-python-msi.log: MSI installer verbose log for the Python installation
• vim-kfw-msi.log: MSI installer verbose log for the MIT Kerberos installation
Single Sign On run-time logs are grouped by component and purpose (directory\file):
• vmdird\vdcpromo.log: promotion and demotion operation information for the Single Sign On instance when joined to or removed from a linked configuration
• vmdird\vdcsetupIdu.log: VMware Directory Service setup post-installation log, containing information about the localhost name
• vmdird\vmdir.log: health reports for the VMware Directory Service and the Lotus VMDir database
• vmkdcd\vmkdcd.log: Key Distribution Center (KDC) run-time log; reports port conflicts preventing the service from starting
• vmware-sso\vmware-sts-idmd.log: VMware Identity Management Service run-time log; time-stamped records of user attempts to access Single Sign On for administrative purposes
• vmware-sso\vmware-sts-idmd-perf.log: VMware Identity Management Service performance counter log
• vmware-sso\VMwareIdentityMgmtService.<date>.log: Commons Daemon log once the Identity Management Service has started

46. Additional Information
• Deprecated functionality
  • NIS identity source
  • More than one default domain per identity provider
  • SMTP configuration and notification for password expiration by mail
• TCP ports used by SSO
  • 2012: control interface RPC for VMware Directory
  • 88, 2013: control interface RPC for Kerberos
  • 2014: RPC port for all VMCA APIs
  • 7444: vCenter Single Sign-On HTTPS
  • 11711: vCenter Single Sign-On LDAP
  • 11712: vCenter Single Sign-On LDAPS
  • 12721: VMware Identity Management Service

47. Single vCenter Server 5.5 Design Recommendation
[Diagram: vCenter Server host or VM with vCenter Server, SSO Server, Web Client and Inventory Svc; VC Database]
• Use the Simple Installer: installs / upgrades the core components within a single virtual machine
  1. vCenter Single Sign-On
  2. vSphere Web Client
  3. vCenter Inventory Service
  4. vCenter Server
• No change to architecture
• All services are local
• Supports 1-1000 hosts / 1-10,000 virtual machines

48. Multiple vCenter Server 5.5 (Remote) Design Recommendation
[Diagram: New York, Los Angeles and Miami as SSO Site 1, 2 and 3 of a single SSO authentication domain (vsphere.local); each site has an SSO Server, Web Client, Inventory Svc and vCenter Servers]
• By default
  • Each site is independent
  • Does not provide a single pane of glass view
  • SSO automated replication of SSO users & groups, SSO policies, identity sources and site awareness
• Linked Mode
  • Maintains single pane of glass
  • Replicates licenses, permissions and roles
• Availability
  • vSphere HA
  • vCenter Heartbeat

49. Multiple vCenter Server 5.5 (Local) Design Recommendations
A datacenter with 6 or more vCenter Servers
• Centralized SSO authentication
  • Same physical location
• Single centralized vSphere Web Client
• Availability (required)
  • vSphere HA
  • vCenter Heartbeat
  • Network load balancer
• Backwards compatible to vCenter Server 5.1
[Diagram: one SSO Server with Web Client serving vCenter Server 1 (5.1), vCenter Server 2 (5.5) and vCenter Server 3 (5.5), each with Inventory Svc; a database server hosting VCDB1, VCDB2, VCDB3]

50. The Possibilities are Endless…
[Diagram: New York, Los Angeles, Miami]

51. Thank You
Stay up to date with vCenter Server: http://blogs.vmware.com/vsphere/
@vCenterGuy @jasper9