© 2014 VMware Inc. All rights reserved.
VMdir Deep Dive (vCenter Server 5.5 Single Sign-On)
Frank Buechsel
November 25th 2014
Agenda
• SSO Architecture Recap
• Multi-Master-Replication
• Service Endpoints
• Solution users
• Backup and Restore
• Performance impacts
• Q & A
SSO Architecture Recap
Services Overview
• VMware Identity Management Service: Management and communication to Identity Sources
• VMware Secure Token Service: Creation and management of tokens/logins
• VMware Kdc Service: Issuing of internal Kerberos tickets
• VMware Certificate Service: Internal creation of root and SSO certificates
• VMware Directory Service: LDAP Directory
LDAP Based Directory – VM Directory
• Stores identity sources, SSO users, groups and policies
GUI Front Ends to view SSO data
• JXplorer (http://jxplorer.org), a free LDAP browser
– Exposes the LDAP style schema of vmdir
– Do not modify anything without taking prior backups or without GSS assistance
• vSphere Web Client SSO administration pages
– Solution Users
– SSO users and groups
– Identity Source Configuration
– Password Policies
• ssolscli
– Lookupservice front end
– Service and Solution User registrations
Multi-Master-Replication
Replication Agreements
• Replication happens inter- and intra-site
• 1 default replication agreement set up during install
• Replication interval: 30 seconds
• Replicated data:
– Solution users
– Service registrations
– SSO users
– SSO groups
• Ports used: 11711 (LDAP) and 11712 (LDAPS)
Multi-Master-Replication example
[Diagram: three SSO nodes joined by multi-master replication, Palo Alto as the first node, Cork and Munich as additional nodes. All three start at USN 1234; a password change on one node is committed at USN 1235 and, after replication, every node reports USN 1235.]
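The following model of the USN-based replication shown in the diagram is an added example, not VMware code: it rebuilds the three-node topology (Palo Alto as first node, Cork and Munich joined to it) and shows a password change carrying every node from USN 1234 to 1235 within one replication cycle, while a node that has no agreement never catches up. The up-to-date vector, the bidirectional default agreement and the "Frankfurt" node are modelling assumptions; vmdir's actual internals are not reproduced.

```python
"""Model of vmdir-style multi-master replication (added example, not VMware code).

Each node keeps a local USN counter and an up-to-date (UTD) vector recording
the highest originating USN it has applied per source node.  A replication
cycle pulls from every partner all changes whose originating USN is above the
puller's UTD entry, so changes also travel transitively through the first node.
"""
from collections import namedtuple

# A change carries the node it was made on and that node's USN at the time.
Change = namedtuple("Change", "origin origin_usn dn attr value")


class VmdirNode:
    """One SSO node: an LDAP store, its USN counter and its replication state."""

    def __init__(self, name, start_usn=1234):
        self.name = name
        self.usn = start_usn          # local update sequence number
        self.entries = {}             # dn -> {attribute: value}
        self.known = {}               # (origin, origin_usn) -> Change
        self.utd = {name: start_usn}  # UTD vector: origin -> highest USN applied
        self.agreements = []          # partner nodes this node pulls from

    def add_agreement(self, partner):
        self.agreements.append(partner)

    def write(self, dn, attr, value):
        """A local change, e.g. a password change made through the Web Client."""
        self.usn += 1
        self.entries.setdefault(dn, {})[attr] = value
        self.known[(self.name, self.usn)] = Change(self.name, self.usn, dn, attr, value)
        self.utd[self.name] = self.usn
        return self.usn

    def changes_for(self, consumer_utd):
        """Changes the requesting partner has not applied yet, judged by its UTD vector."""
        return [c for c in self.known.values()
                if c.origin_usn > consumer_utd.get(c.origin, 0)]

    def pull(self, partner):
        """One replication pass over one agreement; returns the number of changes applied."""
        applied = 0
        # Apply in (origin, origin_usn) order so per-origin USNs stay monotonic.
        for ch in sorted(partner.changes_for(self.utd)):
            self.usn += 1                      # an applied change consumes a local USN too
            self.entries.setdefault(ch.dn, {})[ch.attr] = ch.value
            self.known[(ch.origin, ch.origin_usn)] = ch
            self.utd[ch.origin] = max(self.utd.get(ch.origin, 0), ch.origin_usn)
            applied += 1
        return applied


def replication_cycle(nodes):
    """One 30-second interval: every node pulls from each of its partners."""
    return sum(node.pull(partner) for node in nodes for partner in node.agreements)


def converged(nodes):
    """True when every node holds the same directory content."""
    return all(node.entries == nodes[0].entries for node in nodes[1:])


def slide_topology():
    """The slide's example: Palo Alto is the first node, Cork and Munich joined to it.

    Modelling assumption: the default agreement created at install time is
    bidirectional, so the additional nodes only talk to the first node.
    """
    palo_alto, cork, munich = VmdirNode("Palo Alto"), VmdirNode("Cork"), VmdirNode("Munich")
    for additional in (cork, munich):
        palo_alto.add_agreement(additional)
        additional.add_agreement(palo_alto)
    return [palo_alto, cork, munich]


if __name__ == "__main__":
    nodes = slide_topology()
    nodes[1].write("cn=alice,cn=users,dc=vsphere,dc=local", "userPassword", "<new hash>")
    print("before:", [(n.name, n.usn) for n in nodes])
    while not converged(nodes):
        replication_cycle(nodes)
    print("after: ", [(n.name, n.usn) for n in nodes])
    orphan = VmdirNode("Frankfurt")        # node with no agreement: never catches up
    replication_cycle(nodes + [orphan])
    print("orphan:", orphan.name, orphan.usn, converged(nodes + [orphan]))
```

The practical check this models: after a change, every healthy node should show the same USN within one or two intervals; a node whose USN stays behind has either no agreement or a partner it cannot reach.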
Troubleshooting Replication Issues
• Main Issues seen
– Firewall
– DNS
– Stale partner certificate
– No replication agreement
• Proposed remediation
– Delete the stale partner certificate under C:\ProgramData\VMware\CIS\cfg\vmdird
– If it is not pulled automatically within 2 minutes, copy the certificate manually from the partner node
– Create a new replication agreement (open an SR and leverage GSS guidance)
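A pre-flight check for one replication partner, as an added example (not a VMware tool), covering three of the four causes on the slide: DNS, a firewall blocking 11711/11712, and a stale partner certificate. It compares the certificate the partner actually presents on the LDAPS port with the copy held locally. The slide does not name the certificate file under C:\ProgramData\VMware\CIS\cfg\vmdird, so the path is passed in by the caller and is assumed to be PEM; 11711 = LDAP and 11712 = LDAPS is the vmdir port assignment in 5.5. The network calls are injectable so the decision logic can be exercised offline.

```python
"""Replication-partner pre-flight check (added example, not a VMware tool).

Checks, in the order the failure modes are usually hit: does the partner
resolve, are the vmdir ports reachable, and does the certificate the partner
presents on LDAPS match the partner certificate stored locally.
"""
import hashlib
import socket
import ssl
import sys

VMDIR_LDAP_PORT = 11711    # vmdir LDAP (slide: "used ports 11711 & 11712")
VMDIR_LDAPS_PORT = 11712   # vmdir LDAPS


def fingerprint(der_bytes):
    """Colon-separated SHA-1 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_stored_partner_cert(path):
    """Read the locally stored partner certificate (assumed PEM) and return DER bytes."""
    with open(path) as fh:
        return ssl.PEM_cert_to_DER_cert(fh.read())


def _resolve(host):
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def _tcp_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _peer_cert_der(host, port, timeout=3.0):
    # Verification is disabled on purpose: the point is to see which certificate
    # the partner presents, then compare it with the stored copy ourselves.
    # A 2014-era vmdir may only offer TLS 1.0; if the handshake fails on a current
    # OpenSSL, lower ctx.minimum_version for this diagnostic connection only.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_partner(partner, stored_partner_der, resolve=_resolve,
                  tcp_open=_tcp_open, peer_cert_der=_peer_cert_der):
    """Return a list of findings; an empty list means the partner looks healthy."""
    findings = []
    address = resolve(partner)
    if address is None:
        return ["DNS: %s does not resolve" % partner]     # nothing else can be checked
    for port in (VMDIR_LDAP_PORT, VMDIR_LDAPS_PORT):
        if not tcp_open(partner, port):
            findings.append("FIREWALL: %s:%d (%s) not reachable" % (partner, port, address))
    if findings:
        return findings                                  # no point in a TLS handshake
    live_fp = fingerprint(peer_cert_der(partner, VMDIR_LDAPS_PORT))
    stored_fp = fingerprint(stored_partner_der)
    if live_fp != stored_fp:
        findings.append("STALE CERT: partner presents %s, stored copy is %s"
                        % (live_fp, stored_fp))
    return findings


if __name__ == "__main__":
    # usage: check_partner.py <partner fqdn> <path to stored partner cert (PEM)>
    problems = check_partner(sys.argv[1], load_stored_partner_cert(sys.argv[2]))
    print("\n".join(problems) if problems else "partner OK")
    sys.exit(1 if problems else 0)
```

A STALE CERT finding is the case the slide remediates by deleting the stored partner certificate and letting the node pull the current one; the missing-agreement case cannot be seen from the network side and needs an LDAP look at the replication agreements.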
Service Endpoints
• Main properties:
– Protocol type
– Endpoint service URL
– Trust anchor (SSL certificate)
• Usage:
– Used by SSO to determine the API interface of each solution / registered service within SSO
Troubleshooting Service Endpoint Issues
• Main issues seen
– Outdated certificate information during failed rollback
– URL change due to host rename
– Stale information due to incomplete uninstalls
– Expired certificates
• Proposed remediation
– Removal of solution user and service endpoint
– Repointing of the specific solution if still active
– Validating and correcting errors for an upgraded VMware vCenter Server using the SSL Certificate Automation Tool: http://kb.vmware.com/kb/2048202
– Re-pointing and re-registering VMware vCenter Server 5.1 / 5.5 and components: http://kb.vmware.com/kb/2033620
Solution Users
• Principals used to authenticate registered solutions
• vCenter stack solution users
– Web Client
– Inventory Service
– vCenter Server
– vCenter Orchestrator
• Members of the “Solution Users” group by default but hidden in the GUI
• Authenticates to SSO by certificate
• Usually maps to a Service Endpoint
Troubleshooting Solution User Issues
• Main Issues seen
– During repointing Solution User loses mapping to “Solution Users” group
– Duplicate Solution User certificates after upgrades
– Expired certificates
– Replication not working correctly
• Proposed remediation
– Re-add to Solution Users group
– Removal of solution user and service endpoint
– Repointing of the specific solution if still active
– Validating and correcting errors for an upgraded VMware vCenter Server using the SSL Certificate Automation Tool: http://kb.vmware.com/kb/2048202
– Re-pointing and re-registering VMware vCenter Server 5.1 / 5.5 and components: http://kb.vmware.com/kb/2033620
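An audit over the registrations that the two troubleshooting slides (service endpoints and solution users) describe, as an added example rather than anything shipped with SSO. It flags an expired solution-user certificate, one certificate registered for two solution users, a solution user that has dropped out of the Solution Users group, and an endpoint URL still carrying the hostname from before a rename. The records are constructed inline and would in practice come from ssolscli listServices and an LDAP search of vmdir; the solution-user names, ports and dates are made up.

```python
"""Audit of SSO solution users and their service endpoints (added example).

Each record pairs a solution user with the certificate it authenticates with,
the groups it belongs to and the endpoint URL registered for it.  The checks
mirror the "main issues seen" lists on the slides.
"""
import hashlib
from collections import namedtuple
from datetime import datetime, timezone
from urllib.parse import urlparse

Registration = namedtuple("Registration",
                          "solution_user cert_der not_after groups endpoint_url")

SOLUTION_USERS_GROUP = "SolutionUsers"   # group name as shown in the Web Client


def fingerprint(der_bytes):
    """SHA-1 fingerprint used to detect the same certificate under two solution users."""
    return hashlib.sha1(der_bytes).hexdigest()


def audit(registrations, node_fqdn, now):
    """Return (solution_user, problem) tuples in the order the records are examined."""
    findings = []
    first_seen = {}                                    # fingerprint -> solution user
    for reg in registrations:
        if reg.not_after <= now:
            findings.append((reg.solution_user, "expired certificate"))
        fp = fingerprint(reg.cert_der)
        if fp in first_seen:
            findings.append((reg.solution_user,
                             "duplicate certificate, also used by " + first_seen[fp]))
        else:
            first_seen[fp] = reg.solution_user
        if SOLUTION_USERS_GROUP not in reg.groups:
            findings.append((reg.solution_user, "not a member of " + SOLUTION_USERS_GROUP))
        host = urlparse(reg.endpoint_url).hostname or ""
        if host.lower() != node_fqdn.lower():
            findings.append((reg.solution_user,
                             "endpoint URL points at %s, node is %s" % (host, node_fqdn)))
    return findings


def sample_registrations():
    """Constructed records; real solution-user names carry a UUID-style suffix."""
    ok_until = datetime(2016, 1, 1, tzinfo=timezone.utc)
    return [
        Registration("vpxd-1111", b"cert-vpxd", ok_until, ["SolutionUsers"],
                     "https://vc55.example.com/sdk"),
        Registration("vsphere-webclient-2222", b"cert-webclient",
                     datetime(2014, 6, 1, tzinfo=timezone.utc), ["SolutionUsers"],
                     "https://vc55.example.com:9443/vsphere-client"),
        # Same certificate as vpxd (left over from an upgrade) and dropped from the group
        Registration("vCenterInventoryService-3333", b"cert-vpxd", ok_until, [],
                     "https://vc55.example.com:10443"),
        # Registered before the host was renamed
        Registration("vco-4444", b"cert-vco", ok_until, ["SolutionUsers"],
                     "https://old-vc.example.com:8281/vco"),
    ]


def run_sample():
    """Audit the constructed records as of the presentation date."""
    return audit(sample_registrations(), "vc55.example.com",
                 datetime(2014, 11, 25, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, problem in run_sample():
        print("%-30s %s" % (user, problem))
```

Each finding maps to a remediation on the slides: re-add the user to the group, or remove the solution user and endpoint and re-register the solution if it is still in use.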
Backup and Restore
Backup Procedure Single Instance
• Backing up and restoring the VMware vCenter Single Sign-On 5.5 configuration: http://kb.vmware.com/kb/2057353
1. Gather SSO log bundle
2. Backup vmdir registry keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VMwareDirectoryService
3. Backup SSL certificates (these folders hold private key material; protect the backup accordingly)
C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf
C:\ProgramData\VMware\CIS\data\vmca
C:\ProgramData\VMware\CIS\cfg\vmkdcd
C:\ProgramData\MIT\Kerberos5
4. Backup vmdir database with vdcbackup
"C:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird\vdcbackup" C:\ProgramData\VMware\cis\data\vmdird C:\<target_folder>
Restore Procedure Single Instance
• Guest OS can be restored
1. Stop all SSO services (STS -> IDM -> VMCA -> KDC -> vmdir)
2. Copy data.mdb and lock.mdb from backup to C:\ProgramData\VMware\cis\data\vmdird
• Guest OS can not be restored
1. Install SSO with the same hostname and IP on a fresh system
2. Stop all SSO services
3. Restore registry backup
4. Restore certificates from step 3 of the backup procedure
5. Copy data.mdb and lock.mdb from backup to C:\ProgramData\VMware\cis\data\vmdird
Restore Procedure Multiple Instances
• Possible vSphere.local domain inconsistencies after restoring a vCenter Server Single Sign-On 5.5 node: http://kb.vmware.com/kb/2086001
1. Restore Guest OS
2. Uninstall and reinstall SSO using the same host name and IP address
3. Restore SSL certificates using the SSL Certificate Automation Tool
4. Replication restores all solution users, SSO users and groups and service endpoints from the remaining nodes
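The single-instance backup and restore steps above, scripted as an added example (not the KB's own tooling). Every external command goes through an injectable `run` so the sequence can be checked offline; on a node it runs reg export/import, vdcbackup and net stop/net start. The Windows service names other than VMwareDirectoryService (which the registry key on the slide confirms) are assumptions, as is the assumption that vdcbackup writes data.mdb and lock.mdb into its target folder.

```python
"""Backup and restore of a single SSO 5.5 instance (added example, not VMware code).

Follows the two slides: export the vmdir registry key, copy the certificate
folders, run vdcbackup; on restore stop the services in the given order, put
the database files back, start the services again in reverse order.  External
commands go through an injectable `run` so the sequence can be checked offline.
"""
import ntpath                # Windows path joining, also when run elsewhere
import shutil
import subprocess

VMDIR_REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VMwareDirectoryService"
CERT_DIRS = [  # STS keystore, VMCA root key, KDC config and Kerberos material
    r"C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf",
    r"C:\ProgramData\VMware\CIS\data\vmca",
    r"C:\ProgramData\VMware\CIS\cfg\vmkdcd",
    r"C:\ProgramData\MIT\Kerberos5",
]
VMDIR_DATA = r"C:\ProgramData\VMware\cis\data\vmdird"
VDCBACKUP = r"C:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird\vdcbackup.exe"
MDB_FILES = ("data.mdb", "lock.mdb")      # assumption: vdcbackup writes these into its target

# Stop order from the slide: STS -> IDM -> VMCA -> KDC -> vmdir.  Only the last
# service name is confirmed by the registry key on the slide; the others are assumed.
STOP_ORDER = [
    "VMwareSTS",
    "VMwareIdentityMgmtService",
    "VMwareCertificateService",
    "VMwareKdcService",
    "VMwareDirectoryService",
]


def _run(cmd):
    subprocess.run(cmd, check=True)


def backup_sso(target, run=_run, copytree=shutil.copytree):
    """Steps 2-4 of the backup slide; step 1 (the log bundle) is collected separately.

    `target` must exist.  It ends up holding private keys and the directory
    database with its password hashes, so give it restrictive ACLs.
    """
    run(["reg", "export", VMDIR_REG_KEY, ntpath.join(target, "vmdird.reg"), "/y"])
    for src in CERT_DIRS:
        copytree(src, ntpath.join(target, "certs", ntpath.basename(src)))
    run([VDCBACKUP, VMDIR_DATA, ntpath.join(target, "vmdird")])


def _with_sso_stopped(run, action):
    """Stop the SSO services in order, run `action`, start them again in reverse order."""
    for svc in STOP_ORDER:
        run(["net", "stop", svc])
    action()
    for svc in reversed(STOP_ORDER):
        run(["net", "start", svc])


def restore_vmdir(backup, run=_run, copy=shutil.copy2):
    """'Guest OS can be restored': only the vmdir database files go back."""
    def put_database_back():
        for name in MDB_FILES:
            copy(ntpath.join(backup, "vmdird", name), ntpath.join(VMDIR_DATA, name))
    _with_sso_stopped(run, put_database_back)


def restore_full(backup, run=_run, copy=shutil.copy2, copytree=shutil.copytree):
    """'Guest OS cannot be restored': after SSO was reinstalled with the same name and IP."""
    def put_everything_back():
        run(["reg", "import", ntpath.join(backup, "vmdird.reg")])
        for dst in CERT_DIRS:
            copytree(ntpath.join(backup, "certs", ntpath.basename(dst)), dst, dirs_exist_ok=True)
        for name in MDB_FILES:
            copy(ntpath.join(backup, "vmdird", name), ntpath.join(VMDIR_DATA, name))
    _with_sso_stopped(run, put_everything_back)
```

On a multi-instance deployment do not use restore_vmdir or restore_full; the next slide's procedure (reinstall and let replication repopulate vmdir) avoids the USN inconsistencies described in KB 2086001.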
Performance Impacts
Troubleshooting Performance Issues
• Main Issues seen
– User is a member of many groups (200+)
– Large directory service structure (millions of objects)
– Large number of trusted domains
– DNS issues
– Firewall issues
– Stale Service Endpoints
• Proposed Remediation
– Limit the number of group memberships
– Increase the AD timeout settings in the vCenter Server settings
– Fix stale DNS entries
– Delete unnecessary Service Endpoints using ssolscli
– If feasible, adding AD users to the "SSO administrators" group can improve login performance; note that this grants those users full administrative rights over the SSO domain, so weigh it against least privilege
22

More Related Content

What's hot

2016.05.23 wivmug user con - vsphere 6 upgrade
2016.05.23   wivmug user con - vsphere 6 upgrade2016.05.23   wivmug user con - vsphere 6 upgrade
2016.05.23 wivmug user con - vsphere 6 upgradePaul Woodward Jr
 
Emad Younis - Keynote
Emad Younis - Keynote Emad Younis - Keynote
Emad Younis - Keynote VMUG IT
 
Nashville VMUG Keynote April 8 2015 - vSphere 6
Nashville VMUG Keynote April 8 2015 - vSphere 6Nashville VMUG Keynote April 8 2015 - vSphere 6
Nashville VMUG Keynote April 8 2015 - vSphere 6Adam Eckerle
 
Nordic VMUG User Conference 2014 - Design VMware vCenter Server
Nordic VMUG User Conference 2014 - Design VMware vCenter ServerNordic VMUG User Conference 2014 - Design VMware vCenter Server
Nordic VMUG User Conference 2014 - Design VMware vCenter ServerAndrea Mauro
 
VMworld 2013: What's New in vSphere Platform & Storage
VMworld 2013: What's New in vSphere Platform & Storage VMworld 2013: What's New in vSphere Platform & Storage
VMworld 2013: What's New in vSphere Platform & Storage VMworld
 
VMworld 2015: Managing vSphere 6 Deployments and Upgrades
VMworld 2015: Managing vSphere 6 Deployments and Upgrades VMworld 2015: Managing vSphere 6 Deployments and Upgrades
VMworld 2015: Managing vSphere 6 Deployments and Upgrades VMworld
 
Whats new v sphere 6
Whats new v sphere 6Whats new v sphere 6
Whats new v sphere 6shixi wang
 
WebLogic Administration course outline
WebLogic Administration course outlineWebLogic Administration course outline
WebLogic Administration course outlineVybhava Technologies
 
London VMUG - Upgrade vSphere 5.5 to 6.5
London VMUG - Upgrade vSphere 5.5 to 6.5London VMUG - Upgrade vSphere 5.5 to 6.5
London VMUG - Upgrade vSphere 5.5 to 6.5Dean Lewis
 
Introduction to Role Based Administration in WildFly 8
Introduction to Role Based Administration in WildFly 8Introduction to Role Based Administration in WildFly 8
Introduction to Role Based Administration in WildFly 8Dimitris Andreadis
 
RHT Upgrading to vSphere 5
RHT Upgrading to vSphere 5RHT Upgrading to vSphere 5
RHT Upgrading to vSphere 5virtualsouthwest
 
Partner Presentation vSphere6-VSAN-vCloud-vRealize
Partner Presentation vSphere6-VSAN-vCloud-vRealizePartner Presentation vSphere6-VSAN-vCloud-vRealize
Partner Presentation vSphere6-VSAN-vCloud-vRealizeErik Bussink
 
Configuring v sphere 5 profile driven storage
Configuring v sphere 5 profile driven storageConfiguring v sphere 5 profile driven storage
Configuring v sphere 5 profile driven storagevirtualsouthwest
 
VMworld 2015: VMware vSphere Certificate Management for Mere Mortals
VMworld 2015: VMware vSphere Certificate Management for Mere MortalsVMworld 2015: VMware vSphere Certificate Management for Mere Mortals
VMworld 2015: VMware vSphere Certificate Management for Mere MortalsVMworld
 
Ivaylo Radev - usercon vmugit
Ivaylo Radev - usercon vmugit Ivaylo Radev - usercon vmugit
Ivaylo Radev - usercon vmugit VMUG IT
 
VMware vSphere 5.1 - Upgrade Tips & Top New Features
VMware vSphere 5.1 - Upgrade Tips & Top New FeaturesVMware vSphere 5.1 - Upgrade Tips & Top New Features
VMware vSphere 5.1 - Upgrade Tips & Top New Featuresstcroixsolutions
 
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.Dimitris Andreadis
 
JBoss EAP / WildFly, State of the Union
JBoss EAP / WildFly, State of the UnionJBoss EAP / WildFly, State of the Union
JBoss EAP / WildFly, State of the UnionDimitris Andreadis
 

What's hot (20)

2016.05.23 wivmug user con - vsphere 6 upgrade
2016.05.23   wivmug user con - vsphere 6 upgrade2016.05.23   wivmug user con - vsphere 6 upgrade
2016.05.23 wivmug user con - vsphere 6 upgrade
 
Emad Younis - Keynote
Emad Younis - Keynote Emad Younis - Keynote
Emad Younis - Keynote
 
Nashville VMUG Keynote April 8 2015 - vSphere 6
Nashville VMUG Keynote April 8 2015 - vSphere 6Nashville VMUG Keynote April 8 2015 - vSphere 6
Nashville VMUG Keynote April 8 2015 - vSphere 6
 
Nordic VMUG User Conference 2014 - Design VMware vCenter Server
Nordic VMUG User Conference 2014 - Design VMware vCenter ServerNordic VMUG User Conference 2014 - Design VMware vCenter Server
Nordic VMUG User Conference 2014 - Design VMware vCenter Server
 
VMworld 2013: What's New in vSphere Platform & Storage
VMworld 2013: What's New in vSphere Platform & Storage VMworld 2013: What's New in vSphere Platform & Storage
VMworld 2013: What's New in vSphere Platform & Storage
 
VMworld 2015: Managing vSphere 6 Deployments and Upgrades
VMworld 2015: Managing vSphere 6 Deployments and Upgrades VMworld 2015: Managing vSphere 6 Deployments and Upgrades
VMworld 2015: Managing vSphere 6 Deployments and Upgrades
 
Whats new v sphere 6
Whats new v sphere 6Whats new v sphere 6
Whats new v sphere 6
 
WebLogic Administration course outline
WebLogic Administration course outlineWebLogic Administration course outline
WebLogic Administration course outline
 
vsphere5.5 to 6.5
vsphere5.5 to 6.5vsphere5.5 to 6.5
vsphere5.5 to 6.5
 
London VMUG - Upgrade vSphere 5.5 to 6.5
London VMUG - Upgrade vSphere 5.5 to 6.5London VMUG - Upgrade vSphere 5.5 to 6.5
London VMUG - Upgrade vSphere 5.5 to 6.5
 
RHT Design for Security
RHT Design for SecurityRHT Design for Security
RHT Design for Security
 
Introduction to Role Based Administration in WildFly 8
Introduction to Role Based Administration in WildFly 8Introduction to Role Based Administration in WildFly 8
Introduction to Role Based Administration in WildFly 8
 
RHT Upgrading to vSphere 5
RHT Upgrading to vSphere 5RHT Upgrading to vSphere 5
RHT Upgrading to vSphere 5
 
Partner Presentation vSphere6-VSAN-vCloud-vRealize
Partner Presentation vSphere6-VSAN-vCloud-vRealizePartner Presentation vSphere6-VSAN-vCloud-vRealize
Partner Presentation vSphere6-VSAN-vCloud-vRealize
 
Configuring v sphere 5 profile driven storage
Configuring v sphere 5 profile driven storageConfiguring v sphere 5 profile driven storage
Configuring v sphere 5 profile driven storage
 
VMworld 2015: VMware vSphere Certificate Management for Mere Mortals
VMworld 2015: VMware vSphere Certificate Management for Mere MortalsVMworld 2015: VMware vSphere Certificate Management for Mere Mortals
VMworld 2015: VMware vSphere Certificate Management for Mere Mortals
 
Ivaylo Radev - usercon vmugit
Ivaylo Radev - usercon vmugit Ivaylo Radev - usercon vmugit
Ivaylo Radev - usercon vmugit
 
VMware vSphere 5.1 - Upgrade Tips & Top New Features
VMware vSphere 5.1 - Upgrade Tips & Top New FeaturesVMware vSphere 5.1 - Upgrade Tips & Top New Features
VMware vSphere 5.1 - Upgrade Tips & Top New Features
 
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.
WildFly v9 - State of the Union Session at Voxxed, Istanbul, May/9th 2015.
 
JBoss EAP / WildFly, State of the Union
JBoss EAP / WildFly, State of the UnionJBoss EAP / WildFly, State of the Union
JBoss EAP / WildFly, State of the Union
 

Similar to vCenter Server 5.5 Single Sign-On VMDir deep dive

Service management Dec 11
Service management Dec 11Service management Dec 11
Service management Dec 11Richard Conway
 
Service Management Dec 11
Service Management Dec 11Service Management Dec 11
Service Management Dec 11clarendonint
 
VMworld 2013: Virtualize Active Directory ‒ The Right Way!
VMworld 2013: Virtualize Active Directory ‒ The Right Way!VMworld 2013: Virtualize Active Directory ‒ The Right Way!
VMworld 2013: Virtualize Active Directory ‒ The Right Way!VMworld
 
V mware view™ poc jumpstart service
V mware view™ poc jumpstart serviceV mware view™ poc jumpstart service
V mware view™ poc jumpstart servicesolarisyougood
 
V cloud director 5.1 what's new overview technical presentation
V cloud director 5.1 what's new overview   technical presentationV cloud director 5.1 what's new overview   technical presentation
V cloud director 5.1 what's new overview technical presentationsolarisyourep
 
SharePoint on demand with System Center - Matija Blagus
SharePoint on demand with System Center - Matija BlagusSharePoint on demand with System Center - Matija Blagus
SharePoint on demand with System Center - Matija BlagusSPC Adriatics
 
VMworld 2015: Extreme Performance Series - vCenter Performance Best Practices
VMworld 2015: Extreme Performance Series - vCenter Performance Best PracticesVMworld 2015: Extreme Performance Series - vCenter Performance Best Practices
VMworld 2015: Extreme Performance Series - vCenter Performance Best PracticesVMworld
 
VMware VCP7-DTM: More than just Horizon View
VMware VCP7-DTM: More than just Horizon ViewVMware VCP7-DTM: More than just Horizon View
VMware VCP7-DTM: More than just Horizon ViewMatt Crape
 
four issues I encountered deploying vCenter and SRM 5.5 in a Windows environment
four issues I encountered deploying vCenter and SRM 5.5 in a Windows environmentfour issues I encountered deploying vCenter and SRM 5.5 in a Windows environment
four issues I encountered deploying vCenter and SRM 5.5 in a Windows environmentAngelo Luciani
 
be the captain of your connections deployment
be the captain of your connections deploymentbe the captain of your connections deployment
be the captain of your connections deploymentSharon James
 
Configuring and Troubleshooting XenDesktop Sites
Configuring and Troubleshooting XenDesktop SitesConfiguring and Troubleshooting XenDesktop Sites
Configuring and Troubleshooting XenDesktop SitesDavid McGeough
 
Virtualization monitoring made easy with Applications manager
Virtualization monitoring made easy with Applications managerVirtualization monitoring made easy with Applications manager
Virtualization monitoring made easy with Applications managerManageEngine, Zoho Corporation
 
VMworld 2015: Just Because You COULD, Doesn’t Mean You SHOULD – vSphere 6.0 A...
VMworld 2015: Just Because You COULD, Doesn’t Mean You SHOULD – vSphere 6.0 A...VMworld 2015: Just Because You COULD, Doesn’t Mean You SHOULD – vSphere 6.0 A...
VMworld 2015: Just Because You COULD, Doesn’t Mean You SHOULD – vSphere 6.0 A...VMworld
 
vRealize Operation 7.5 What's new
vRealize Operation 7.5 What's newvRealize Operation 7.5 What's new
vRealize Operation 7.5 What's newKiss Tibor
 
“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with EverythingDave Hay
 
Presentation v mware v-cloud director overview
Presentation   v mware v-cloud director overviewPresentation   v mware v-cloud director overview
Presentation v mware v-cloud director overviewsolarisyourep
 
System Center 2012 for VMware Infrastructure
System Center 2012 for VMware InfrastructureSystem Center 2012 for VMware Infrastructure
System Center 2012 for VMware InfrastructureBryan Dady
 

Similar to vCenter Server 5.5 Single Sign-On VMDir deep dive (20)

KUMAR_RESUME_1_
KUMAR_RESUME_1_KUMAR_RESUME_1_
KUMAR_RESUME_1_
 
Service management Dec 11
Service management Dec 11Service management Dec 11
Service management Dec 11
 
Service Management Dec 11
Service Management Dec 11Service Management Dec 11
Service Management Dec 11
 
VMworld 2013: Virtualize Active Directory ‒ The Right Way!
VMworld 2013: Virtualize Active Directory ‒ The Right Way!VMworld 2013: Virtualize Active Directory ‒ The Right Way!
VMworld 2013: Virtualize Active Directory ‒ The Right Way!
 
V mware view™ poc jumpstart service
V mware view™ poc jumpstart serviceV mware view™ poc jumpstart service
V mware view™ poc jumpstart service
 
V cloud director 5.1 what's new overview technical presentation
V cloud director 5.1 what's new overview   technical presentationV cloud director 5.1 what's new overview   technical presentation
V cloud director 5.1 what's new overview technical presentation
 
Introduction to vSphere logs
Introduction to vSphere logsIntroduction to vSphere logs
Introduction to vSphere logs
 
SharePoint on demand with System Center - Matija Blagus
SharePoint on demand with System Center - Matija BlagusSharePoint on demand with System Center - Matija Blagus
SharePoint on demand with System Center - Matija Blagus
 
VMworld 2015: Extreme Performance Series - vCenter Performance Best Practices
VMworld 2015: Extreme Performance Series - vCenter Performance Best PracticesVMworld 2015: Extreme Performance Series - vCenter Performance Best Practices
VMworld 2015: Extreme Performance Series - vCenter Performance Best Practices
 
VMware VCP7-DTM: More than just Horizon View
VMware VCP7-DTM: More than just Horizon ViewVMware VCP7-DTM: More than just Horizon View
VMware VCP7-DTM: More than just Horizon View
 
four issues I encountered deploying vCenter and SRM 5.5 in a Windows environment
four issues I encountered deploying vCenter and SRM 5.5 in a Windows environmentfour issues I encountered deploying vCenter and SRM 5.5 in a Windows environment
four issues I encountered deploying vCenter and SRM 5.5 in a Windows environment
 
Anujit CV
Anujit CV Anujit CV
Anujit CV
 
be the captain of your connections deployment
be the captain of your connections deploymentbe the captain of your connections deployment
be the captain of your connections deployment
 
Configuring and Troubleshooting XenDesktop Sites
Configuring and Troubleshooting XenDesktop SitesConfiguring and Troubleshooting XenDesktop Sites
Configuring and Troubleshooting XenDesktop Sites
 
Virtualization monitoring made easy with Applications manager
Virtualization monitoring made easy with Applications managerVirtualization monitoring made easy with Applications manager
Virtualization monitoring made easy with Applications manager
 
VMworld 2015: Just Because You COULD, Doesn’t Mean You SHOULD – vSphere 6.0 A...
VMworld 2015: Just Because You COULD, Doesn’t Mean You SHOULD – vSphere 6.0 A...VMworld 2015: Just Because You COULD, Doesn’t Mean You SHOULD – vSphere 6.0 A...
VMworld 2015: Just Because You COULD, Doesn’t Mean You SHOULD – vSphere 6.0 A...
 
vRealize Operation 7.5 What's new
vRealize Operation 7.5 What's newvRealize Operation 7.5 What's new
vRealize Operation 7.5 What's new
 
“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything“Secure Portal” or WebSphere Portal – Security with Everything
“Secure Portal” or WebSphere Portal – Security with Everything
 
Presentation v mware v-cloud director overview
Presentation   v mware v-cloud director overviewPresentation   v mware v-cloud director overview
Presentation v mware v-cloud director overview
 
System Center 2012 for VMware Infrastructure
System Center 2012 for VMware InfrastructureSystem Center 2012 for VMware Infrastructure
System Center 2012 for VMware Infrastructure
 

Recently uploaded

The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 

Recently uploaded (20)

The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 

vCenter Server 5.5 Single Sign-On VMDir deep dive

Service Endpoints
• Main properties:
– Protocol type
– Endpoint service URL
– Trust anchor (SSL certificate)
• Usage:
– Used by SSO to determine the API interface of each solution / registered service within SSO
12
Troubleshooting Service Endpoint Issues
• Main issues seen
– Outdated certificate information after a failed rollback
– URL change due to host rename
– Stale information due to incomplete uninstalls
– Expired certificates
• Proposed remediation
– Removal of the solution user and service endpoint
– Repointing of the specific solution if it is still active
– Validating and correcting errors for an upgraded VMware vCenter Server using the SSL Certificate Automation Tool http://kb.vmware.com/kb/2048202
– Re-pointing and re-registering VMware vCenter Server 5.1 / 5.5 and components http://kb.vmware.com/kb/2033620
13
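Three of the four failure modes on this slide (host rename, stale certificate data, expired certificate) show up as a mismatch between what a registration says and what the endpoint actually serves. The following PowerShell check is an added example, not code from the deck or from VMware: it opens a TLS session to each registered endpoint URL, captures the served certificate, and compares it with the trust anchor thumbprint recorded for that registration, flagging expiry and a URL host that no longer names the local machine. The $Endpoints list is constructed with placeholder host names and thumbprints; in practice the registrations would be read from the lookup service (ssolscli on slide 6).

```powershell
# Constructed sample of endpoint registrations (placeholder values): URL plus the
# SHA-1 thumbprint of the trust anchor that was registered for the endpoint.
$Endpoints = @(
    [pscustomobject]@{ Name = 'vCenter Server';    Url = 'https://vc01.example.local:443/sdk'; AnchorThumbprint = 'PLACEHOLDER_THUMBPRINT_1' },
    [pscustomobject]@{ Name = 'Inventory Service'; Url = 'https://vc01.example.local:10443/';  AnchorThumbprint = 'PLACEHOLDER_THUMBPRINT_2' }
)

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    # Open a TLS session and capture the leaf certificate the service presents.
    # The validation callback accepts any certificate on purpose: the goal is to
    # inspect a possibly stale or expired certificate, not to reject it up front.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-ServiceEndpoint {
    param(
        [pscustomobject]$Endpoint,
        # Host this SSO node is supposed to be registered under; defaults to the local name
        [string]$ExpectedHost = [System.Net.Dns]::GetHostName()
    )
    $uri = [uri]$Endpoint.Url
    $findings = @()

    # Host rename: the registered URL no longer names this machine (short names compared)
    if ($uri.Host.Split('.')[0] -ne $ExpectedHost.Split('.')[0]) {
        $findings += "URL host '$($uri.Host)' does not match expected host '$ExpectedHost'"
    }
    try {
        $cert = Get-ServedCertificate -HostName $uri.Host -Port $uri.Port
        # Expired certificate on the endpoint itself
        if ($cert.NotAfter -lt (Get-Date)) {
            $findings += "served certificate expired on $($cert.NotAfter)"
        }
        # Stale registration: the served certificate is not the registered trust anchor
        if ($cert.Thumbprint -ne $Endpoint.AnchorThumbprint) {
            $findings += "served thumbprint $($cert.Thumbprint) differs from the registered trust anchor"
        }
    } catch {
        $findings += "TLS connection failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Name     = $Endpoint.Name
        Url      = $Endpoint.Url
        Healthy  = ($findings.Count -eq 0)
        Findings = ($findings -join '; ')
    }
}

$Endpoints | ForEach-Object { Test-ServiceEndpoint -Endpoint $_ } | Format-Table -AutoSize
```

An endpoint reported with a thumbprint mismatch but a valid, unexpired served certificate is the "outdated certificate information" case on the slide: the service is fine and the registration is what needs to be repaired with the KB procedures above.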
Solution Users
• Principals used to authenticate registered solutions
• vCenter stack solution users
– Web Client
– Inventory Service
– vCenter Server
– vCenter Orchestrator
• Members of the “Solution Users” group by default, but hidden in the GUI
• Identified in SSO by certificate authentication
• Usually map to a Service Endpoint
15
Troubleshooting Solution User Issues
• Main Issues seen
– During repointing, the Solution User loses its mapping to the “Solution Users” group
– Duplicate Solution User certificates after upgrades
– Expired certificates
– Replication not working correctly
• Proposed remediation
– Re-add the Solution User to the “Solution Users” group
– Removal of the solution user and service endpoint
– Repointing of the specific solution if it is still active
– Validating and correcting errors for an upgraded VMware vCenter Server using the SSL Certificate Automation Tool http://kb.vmware.com/kb/2048202
– Re-pointing and re-registering VMware vCenter Server 5.1 / 5.5 and components http://kb.vmware.com/kb/2033620
16
Backup Procedure Single Instance
• Backing up and restoring the VMware vCenter Single Sign-On 5.5 configuration http://kb.vmware.com/kb/2057353
1. Gather SSO log bundle
2. Backup vmdir registry keys
– HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VMwareDirectoryService
3. Backup SSL certificates
– C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf
– C:\ProgramData\VMware\CIS\data\vmca
– C:\ProgramData\VMware\CIS\cfg\vmkdcd
– C:\ProgramData\MIT\Kerberos5
4. Backup vmdir database
– C:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird\vdcbackup C:\ProgramData\VMware\cis\data\vmdird C:\<target_folder>
18
Restore Procedure Single Instance
• Guest OS can be restored
1. Stop all SSO services (STS -> IDM -> VMCA -> KDC -> vmdir)
2. Copy data.mdb and lock.mdb from the backup to C:\ProgramData\VMware\cis\data\vmdird
• Guest OS cannot be restored
1. Install SSO with the same hostname and IP on a fresh system
2. Stop all SSO services
3. Restore the registry backup
4. Restore the certificates backed up in step 3 of the previous slide
5. Copy data.mdb and lock.mdb from the backup to C:\ProgramData\VMware\cis\data\vmdird
19
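The single-instance backup (slide 18) and the "guest OS can be restored" path of the restore (slide 19) are a fixed sequence of registry export, directory copies, a vdcbackup run and, on restore, a service stop in the stated order before the two database files go back. The PowerShell below is an added example that scripts that sequence; it is not the deck's or VMware's own tooling. It assumes the SSO services can be addressed by the display names from slide 4, that vdcbackup is an executable at the slide 18 path taking a source and a target directory, and that step 1 (the log bundle) is gathered separately. Paths are the ones on the two slides.

```powershell
# Service display names (slide 4) in the stop order from slide 19:
# STS -> IDM -> VMCA -> KDC -> vmdir. Start-up uses the reverse order.
$SsoServiceStopOrder = @(
    'VMware Secure Token Service',
    'VMware Identity Management Service',
    'VMware Certificate Service',
    'VMware Kdc Service',
    'VMware Directory Service'
)
$VmdirData   = 'C:\ProgramData\VMware\cis\data\vmdird'
# .exe extension is an assumption; slide 18 lists the tool without it
$VdcBackup   = 'C:\Program Files\VMware\Infrastructure\VMware\CIS\vmdird\vdcbackup.exe'
$RegistryKey = 'HKLM\SYSTEM\CurrentControlSet\services\VMwareDirectoryService'
$CertDirs    = @(
    'C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf',
    'C:\ProgramData\VMware\CIS\data\vmca',
    'C:\ProgramData\VMware\CIS\cfg\vmkdcd',
    'C:\ProgramData\MIT\Kerberos5'
)

function Stop-SsoServices {
    foreach ($name in $SsoServiceStopOrder) {
        Stop-Service -DisplayName $name -Force -ErrorAction Stop
    }
}

function Start-SsoServices {
    $startOrder = $SsoServiceStopOrder.Clone()
    [array]::Reverse($startOrder)
    foreach ($name in $startOrder) {
        Start-Service -DisplayName $name -ErrorAction Stop
    }
}

function Backup-SsoSingleInstance {
    param([Parameter(Mandatory)][string]$TargetFolder)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $TargetFolder "sso-backup-$stamp"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Step 2: export the directory service registry key
    & reg.exe export $RegistryKey (Join-Path $dest 'VMwareDirectoryService.reg') /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # Step 3: copy each certificate directory, folder name derived from its original path
    foreach ($dir in $CertDirs) {
        $leaf = ($dir -replace '^[A-Za-z]:\\', '') -replace '\\', '_'
        & robocopy.exe $dir (Join-Path $dest "certs\$leaf") /E /NFL /NDL /NJH /NJS | Out-Null
        # robocopy exit codes below 8 mean success (possibly with files copied/skipped)
        if ($LASTEXITCODE -ge 8) { throw "robocopy of $dir failed with exit code $LASTEXITCODE" }
    }

    # Step 4: vmdir database copy via vdcbackup <source> <target>, as on slide 18
    & $VdcBackup $VmdirData (Join-Path $dest 'vmdird')
    if ($LASTEXITCODE -ne 0) { throw "vdcbackup failed with exit code $LASTEXITCODE" }

    return $dest
}

function Restore-SsoSingleInstance {
    param([Parameter(Mandatory)][string]$BackupFolder)
    # Slide 19, guest OS restored: stop the services in order, put the two
    # database files back, then bring the services up again in reverse order.
    Stop-SsoServices
    try {
        foreach ($file in 'data.mdb', 'lock.mdb') {
            Copy-Item -Path (Join-Path $BackupFolder "vmdird\$file") -Destination $VmdirData -Force
        }
    } finally {
        Start-SsoServices
    }
}

# Usage (placeholder target folder): take a backup, and later restore from it.
$backup = Backup-SsoSingleInstance -TargetFolder 'C:\sso-backups'
# Restore-SsoSingleInstance -BackupFolder $backup
```

The restore wraps the copy in try/finally so the services are started again even if a file is missing from the backup; a restore that leaves vmdir stopped is harder to diagnose than a clear copy error.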
Restore Procedure Multiple Instances
• Possible vSphere.local domain inconsistencies after restoring a vCenter Server Single Sign-On 5.5 node http://kb.vmware.com/kb/2086001
1. Restore the Guest OS
2. Uninstall and reinstall SSO using the same host name and IP address
3. Restore the SSL certificates using the SSL Certificate Automation Tool
4. Replication will restore all solution users, SSO users and groups, and service endpoints
20
Troubleshooting Performance Issues
• Main Issues seen
– User is a member of many groups (200+)
– Large directory service structure (millions of objects)
– Large number of trusted domains
– DNS issues
– Firewall issues
– Stale Service Endpoints
• Proposed Remediation
– Limit the number of group memberships
– Increase the AD timeout settings in the vCenter Server settings
– Fix stale DNS entries
– Delete unnecessary Service Endpoints using ssolscli
– If feasible, adding AD users to the “SSO administrators” group can improve login performance
22
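The first item on this slide, a user in 200+ groups, is easy to underestimate because the expensive part is the transitive membership the login has to resolve, not the direct memberOf list. The PowerShell below is an added example, not code from the deck or from VMware: it reads the tokenGroups attribute of an AD user, which already contains the nested expansion, counts the resulting group SIDs and flags the user against the 200 threshold named on the slide. It assumes it runs on a domain-joined host with read access to the user object; the account name and search root in the usage line are placeholders.

```powershell
function Get-UserGroupCount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Threshold = 200,
        # e.g. 'LDAP://DC=example,DC=local'; empty uses the default naming context
        [string]$SearchRoot = ''
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }
    # Escape LDAP filter metacharacters so an odd account name cannot alter the filter
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found" }

    # tokenGroups is a constructed attribute: it is only populated by an explicit
    # RefreshCache on the entry, and it already contains transitive (nested) memberships.
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache(@('tokenGroups'))
    $sids = foreach ($raw in $entry.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
    }
    $count = @($sids).Count
    [pscustomobject]@{
        User          = $SamAccountName
        GroupCount    = $count
        OverThreshold = ($count -gt $Threshold)
        GroupSids     = @($sids)
    }
}

# Usage (placeholder account). Users reported OverThreshold are the candidates for
# trimming memberships, the first remediation on the slide.
Get-UserGroupCount -SamAccountName 'jdoe' | Format-List User, GroupCount, OverThreshold
```

Running this for the accounts that report slow SSO logins separates the group-count cause from the DNS, firewall and trusted-domain causes listed on the same slide, which this check will not surface.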