Structure of security suitable for Single Sign on Server

We're all used to how design the structure of security for vCenter Server if you had a before 5.1 existing VMware environment.  Who should have administrative privileges in vCenter Server, what roles, permissions and so on should be attributed to the what users and groups - these issues have already been addressed in our current configuration.

Now Single Sign introduced a significant new of the determination of the issues of access and authentication.

I would like to have some ideas on how this should be managed.  For example, directors of previous VMware by definition should become Single Sign we're directors? The Active Directory domain administrators now begin to get involved with the SSO on the server?

For example, the Single Sign on now VMware forces administrators to configure things like:

-For the SSO password complexity policy

-Expired password for SSO

-Locking strategy

We probably already have these things closely controlled in AD and locked with group policy, but you cannot apply the policy of group directly to a SINGLE authentication server and make it to a GPO in Active Directory.  (You can do Windows SSO running operating system on have a GPO applied, but it will not set up authentication SINGLE itself, just the OS).

VMware admins are looking at a new set of issues related to authentication and authorization.  Someone must have written something or will write something to help us get the overview of what changes with SSO if anything and how we look at SSO to a safety design and best practices.

Do I just existing vCenter Server admins admins SSO or do we need to take a step back and reconsider?

Hello

In fact, Yes. SSO is strong enough in 5.5. It has some limitations around to send passwords expired, but this is mainly because some people do not use. I use SSO to provide usernames and passwords for all my VMware vCenter and related products service accounts. That is an account for POS, Horizon, vCops, Log Insight, etc.  It's more about the conservation of the once separate systems more with no real need to AD for services. But AD via SSO is used by users.

Read the documentation and determine how SSO fits in your current password policy and take a long, hard look at your virtualization environment. Y at - it a 1 service-by-service account in dialogue directly with vCenter? If this isn't the case, SSO can help you implement that. The key is to match its functionality to your security policy.

Best regards
Edward L. Haletky
VMware communities user moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014

Author of the books ' VMWare ESX and ESXi in the business: Planning Server Virtualization Deployment, Copyright 2011 Pearson Education. ' Of VMware VSphere and Virtual Infrastructure Security: securing the virtual environment ', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Practice of virtualization, LLC - vSphere Upgrade Saga - virtualization security Table round Podcast

Tags: VMware

Similar Questions

  • Assign roles to users for SINGLE sign-on integrated

    Hi all

    I'm trying to assign roles to users of the SSO, but I can't. I reached this local and LDAP users, but not for users of SINGLE sign-on (I want to use my AD users but without LDAP configuration)

    My platform is vCenter 5.5 U1 for SSO, vCAC camera + server IaaS and vCAD appliance. When you save your vCAD with vCAC you can use integrated vCAC SSO authentication. But, how can I assign roles to users of SSO?

    I can access vCAD with AD users via integrated authentication for SSO, but all options are read-only.

    Best regards

    Jose Luis Gomez

    Hi all

    Auto answer.

    When you have saved your vCAD with vCAC, new roles appears in vCAC. The roles are:

    • Applications architect
    • Request catalogue administrator
    • Director of Cloud applications
    • Deployer and publisher of the application
    • Director of application system

    You can apply this role to users or groups, but always vCAC--> Administration--> groups/users

    Best regards

    Jose Luis Gomez

  • More users for SINGLE sign-on

    We recently had an upgrade to vCenter 4.1 to 5.5.  Before, we used the connection to the Windows credentials.  Now, he's using SSO, but there is only the local administrator account.  We do not want 4 admins to open a session using 1 Administrator account.

    According to the knowledge base, I should be able to add other users by going to ' Administration > access > SSO users and groups of in the web client.  But when I go to the Administration, I do not see 'Access' or ' SSO users and groups "listed (see attached image).

    vsphere1.JPG

    Something does not settle the upgrade? Or am I missing something?

    Thank you

    To connect to the web client using the [email protected] account, you will see entries of Single Sign-On in the Administration (i.e. your screenshot), which allows you to create users and you can also add Sources of identity (for example your domain name).

    André

  • Do not find the link to download required mentioned in the RFSO for SINGLE sign-on integration

    I implement SINGLE sign on our newly installed R12.1.3 instance. For this I am following note "Integrating Oracle E-Business Suite Release 12 with 10gR 3 Oracle Internet Directory and Oracle Single Sign-On (10.1.4.3) [ID 376811.1].
    Previously I have integrated SSO R12 successfully by following this doc...


    But now I'm not find (or confused) on the download link for the component 'Application Oracle 10 g Infrastructure. "

    In the doc what follows is mentioned.

    + "Before starting any further, make sure that you got the following:"

    Since the store Oracle or the Oracle Technology Network:
    •CD pack for Oracle Application Server 10g Release 2 Enterprise Edition «+»


    and in another part->

    + Pre-installation task 2: install OracleAS 10 g (10.1.4.0.1) identity management Infrastructure
    If you already have an existing instance of 10g (10.1.2.0.2) OracleAS, skip this step and go directly to the next step of pre-installation.

    Complete this task to install 'Infrastructure of OracleAS 10 identity management (10.1.4.0.1) g' for the first time.

    This task creates the Oracle Application Server 10 g Enterprise Edition standalone server that will be attached to the Server E-Business Suite. +



    But I'm not finding and confused about software to download and their links to oracle technology. No, the software's component "identity management Infrastructure OracleAS 10 g (10.1.4.0.1)."

    Please help me on this matter. and also to mention the download links and components which will install the "OracleAS 10g (10.1.4.0.1) identity management Infrastructure".

    [Please note that we will not use "Oracle Access Manager" in the new instance as previous installation was OID. that has been integrated successfully with the customer MSAD.]

    Oracle AS10g version 2 is no longer available on OTN - connect you an SR and ask the Support of Oracle to send the Media Pack - http://www.oracle.com/technetwork/middleware/ias/downloads/101202-095224.html

    For Oracle Internet Directory 10.1.4.3, please see this link:

    Oracle Single Sign-On and Oracle Internet Directory 10g 10.1.4.3 certified with EBS 11i and R12
    https://blogs.Oracle.com/stevenChan/entry/oracle_sso_oid_10143_certified_ebs

    Thank you
    Hussein

  • Why need serial for single sign-on info

    Hello everyone,

    as you know, a session is unique with 2 fields, SID and serial that exists on the view v$ session.

    My question is why no serial need and for which case no_serie evolves.

    now, you can say that, "only oracle developers know this, it is the design," but I want to say is, for ex: if I wanted to find a session that is locked by another session, I use this:
    select * from v$session where blocking_session is not null;
    in the blocking_Session field, oracle gives me the session id (SID) that is blocking a session. so I can use this SID and I can kill for example but SID is not unique for a session I can find more than one session with the same SID that it is blocking?

    in real life I saw an example of this, there is not even sid to the system as my example of session blocking. so I believe that this # is the attribution to another series end, I mean, I thougth it might be for the autonomous transaction, maybe they user same sid but DIF serial # but when I tested it, I saw that I was wrong.

    so, why no_serie is exist. If there is a design problem, how can I find a session blocking by simply using SID information?

    Thank you very much.

    The SERIAL no is mainly used to ensure that the session level controls are applied to the correct session objects if the session ends and a new session begins with the same session ID.

  • Need help finding my URL to search for SINGLE sign-on service

    I'm trying to join a different vCenter Server to my existing environment of the vCenter and do not know what is the url to the search service. Where can I find out this information?

    Nevermind I got it. http://www.virtuallyghetto.com/2013/12/How-do-i-find-my-SSO-Server-55-site-name.html

  • SSO - Single Sign On server separate or all in one?

    Hello

    I'm upgrading our infrastructure of 5.0 to 5.1.

    Currently, I have 6hosts and ~ 110 vms total.

    I was wondering what is the best way to go forward with the updates.

    It is best to separate the SSO to vcenter server for future improvements, or it is not really important?

    Thank you

    M

    Take a look on:

    http://vinfrastructure.it/en/2013/02/VMware-vSphere-5-1-upgrade-path/

    IMHO with a 'small' infrastructure you can keep all together

  • Problem with OBIEE/WLS and MS AD Single Sign-On configuration

    Hi all

    My apologies if this should be posted in the general forum of WebLogic security rather than here, but given that the Oracle support doc called "+ Oracle BI 11 g and Weblogic for Single Sign-On configuration... + ' I thought I would try this first forum.

    We lack OBIEE 11.1.1.6.5 on WLS 10.3.5.0 on Windows 2007 server.
    Active Directory (2008) is running on Windows 2008 R2 Standard edition.

    I followed the support document ID 1274953.1 mentioned above and have managed to get the AD authentication works between the OBIEE/WLS server and the MS AD server.
    In other words; We are able to manually restart the BI Analytics with our AD username.

    Now, when you try to configure Single Sign On, I'v reached the point where I'm just checking the configuration of Kerberos (page 19-20).

    This defective with the following result:
    C:\Oracle\..\middleware\user_projects\domains\ourdomain>java.exe -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t keytab [email protected]

    KinitOptions cache name is C:\Users\oracleservice\krb5cc_oracleservice
    Principal is [email protected]

    Kinit using keytab
    
Kinit keytab file name: keytab
    
KeyTabInputStream, readName(): OURDOMAIN.LOCAL
    
KeyTabInputStream, readName(): wlsuser
    
KeyTab: load() entry length: 44; type: 3
    
KeyTabInputStream, readName(): OURDOMAIN.LOCAL
    
KeyTabInputStream, readName(): wlsuser
    
KeyTab: load() entry length: 44; type: 1
    
KeyTabInputStream, readName(): OURDOMAIN.LOCAL
    
KeyTabInputStream, readName(): wlsuser
    
KeyTab: load() entry length: 52; type: 23
    
KeyTabInputStream, readName(): OURDOMAIN.LOCAL
    
KeyTabInputStream, readName(): wlsuser
    
KeyTab: load() entry length: 60; type: 16
    
KeyTabInputStream, readName(): OURDOMAIN.LOCAL
    
KeyTabInputStream, readName(): wlsuser
    
KeyTab: load() entry length: 52; type: 17
    Added key: 17version: 5
Added key: 16version: 5
Added key: 23version: 5
Added key: 1version: 6
Added key: 3version: 5
Ordering keys wrt default_tkt_enctypes list
Config name: C:\Windows\krb5.ini
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17

    Kinit realm name is OURDOMAIN.LOCAL
    
Creating KrbAsReq
    
KrbKdcReq local adresses for WLSSERVER are:
    
     WLSSERVER/10.0.0.2
IPv4 address

     WLSSERVER/0:0:0:0:0:0:0:1
IPv6 address

    KdcAccessibility: reset
    Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17

    KrbAsReq calling createMessage
    
KrbAsReq in createMessage
    
Kinit: sending as_req to realm OURDOMAIN.LOCAL
    Exception: krb_error 0 Cannot get kdc for realm OURDOMAIN.LOCAL No error
KrbException: Cannot get kdc for realm OURDOMAIN.LOCAL
     at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:196)
     at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:175)
     at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:298)
     at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:237)
     at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
    Our krb5.ini looks like this:
    [libdefaults]
default_realm = OURDOMAIN.LOCAL
ticket_lifetime = 600

[realms]
OURDOMAIN.LOCAL = {
kdc = 10.0.0.1
admin_server = adserver.ourdomain.local
default_domain = OURDOMAIN.LOCAL
}

[domain_realm]
.ourdomain.local = OURDOMAIN.LOCAL

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
    The test above is done with a keytab file generated on the WLS server according to the documents.
    I also tried using "ktpass' on the ad server to generate a keytab file there, and then placing a keytab on the WLS server file.
    It doesn't work with ' Exception: krb_error 0, no key found in keytab support. "

    I am able to run a ping between servers and have checked that there is no firewall running on one of the servers (they have virtual servers in a closed network). If the AD server should be able to receive TCP/UDP traffic on port 88 Kerberos.

    I'm kinda stuck here, and I can't see that we have different document Metalink support in our configuration.
    All good tips and advice on how to solve this problem would be appreciated.

    Kind regards
    -Haakon-

    Hello

    There is an error in the krb5.ini or krb5.conf:

    > kinit HTTP/ukpsrv016.bah.com
    Password HTTP / [email protected]:welcome1
    Exception: krb_error 0 cannot get kdc for Kingdom BAH.COM errors
    KrbException: Failed to get kdc for BAH.COM domain
    at sun.security.krb5.KrbKdcReq.send (unknown Source)
    at sun.security.krb5.KrbKdcReq.send (unknown Source)
    at sun.security.krb5.KrbAsReq.send (unknown Source)
    to sun.security.krb5.internal.tools.Kinit. (Unknown source)
    at sun.security.krb5.internal.tools.Kinit.main (unknown Source)

    -Check the krb5.ini (Windows) or krb5.conf (Linux, Unix) syntax errors.
    -L' example above was due to lack of space on each side of the '='.
    -Search for missing parameters, lack of spaces, uppercase or lowercase differences
    misspellings, missing or unbalanced parentheses.

    Refer to:
    http://docs.Oracle.com/javase/1.5.0/docs/Guide/Security/jgss/tutorials/KerberosReq.html#SetProps

    Also if this force solves the issue, could you let us know how you created the keytabs, and also orders setspn (with the user account as an administrator in AD WLS account). ?

    I hope this helps. Pls mark if he does.

    Thank you
    SVS

  • How to disable Single Sign On

    Hello...

    Whenever I call a report that came out a Single Sign On page n request username n password. After giving the report parameter form is open. Until the end of the session the SSO is not burst when I call other reports.

    But once the session expires or I have an another open application in another browser application for single sign-on...

    Today, when I enter user name n password single sign on it says expired password... When I connect to my database with the same password it works fine...

    How to solve this problem...

    IAM using oracle 10g Server Linux App.

    Please help me as soon as possible...



    with cheers
    Sprity...

    You need to comment on or change the security id in the file reportservername.conf

  • Single Sign-On sequence 5.1 to 5.5 upgrade (multisite mode and bound)

    Hello

    I have trying to find SSO upgrade documentation that describes the options I have to choose for the following upgrade scenario:

    Before the upgrade to 5.5:

    • 2 x 5.1 vCentre servers (Windows 2K8R2) along with related modes.
    • Each vCentre has its own local SSO server that runs on the same server vCentre. Both have the same deployment ID.

    My understanding of what the upgrade for authentication UNIQUE and related modes cannot function after update 5.5 should go as follows (obviously related modes has been removed before the upgrade):

    1. On the first SSO server. Switch from 5.1 to 5.5 using the MULTISITE option. (Web Client follow-up, inventory Service & Server vCentre).
    2. On the 2nd Server SSO. Switch from 5.1 to 5.5 using the MULTISITE option. (Web Client follow-up, inventory Service & Server vCentre).

    The problem is the first SSO server when I select MULTISITE option on the next page, I get the details of the host partner and password I was do one of the following errors:

    1. Could not get the server certificate, or
    2. Unable to get the host name

    And cannot proceed with the upgrade. The only option that works is the AUTONOMOUS vCENTRE SSO SERVER option which I think related modes don't work after upgrade.

    Any help pointing me to a document that stresses the good options if bound mode is preserved after upgrade would be great.

    See you soon

    You use the 2 vCenter 5.5 Update Setup or an older version? Because there are a few changes on the descriptions of the modes of deployments between vCenter 5.5 GA/starting at day 1 and 5.5 Update 2, take a look:

    The deployment modes available for vCenter Single Sign-On are:

    For 5.5GA for vSphere vSphere 5.5 Update 1 b:

    • vCenter Single Sign-On for your first server vCenter Server
    • vCenter Single Sign-On for an additional vCenter Server into an existing site (formerly Cluster HA)
    • vCenter Single Sign-On for an additional vCenter server with a new site (formerly Multisite)

    For vSphere 5.5 Update 2 and beyond:

    • SSO Server vCenter standalone
    • High availability
    • Multisite

    For your first vCenter, you must select "vCenter Standalone single authentication server ' and the second 'Multisite' option, see this note:

    Multisite | vSphere 5.5 Update 2 and beyond

    This option installs a vCenter Single Sign-On additional server in a new site of logic. Single Sign-On Server vCenter are created using this option, they will all be members of the same domain of authentication vSphere.local. As an improvement on vSphere 5.1, provided Single Sign-On (policy, users of the solution/application, sources of identity) are now automatically replicated between each vCenter Server Single Sign-On in the same field of authentication vSphere.local 30 seconds. This mode should be used after the first Single Sign-On Server vCenter is deployed using the vCenter Single Sign-On for your first server vCenter Server or stand-alone vCenter Server SSO option, depending on your version of version 5.5 of vSphere .

    For more information, see this KB article: VMware KB: vCenter Single Sign-On deployment for vSphere 5.5 modes

  • update of the security fixes for Windows server 2012

    I want to update the security patches for the XWindow 2012 server offline. There is a link to the Microsoft web site that allows you to download the ISO file but it will download all the patches for other OS of the window. is there any process that will lower the load only ISO 2012 associated file server window.

    Hello

    Post your question in the TechNet Server Forums, as your question kindly is beyond the scope of these Forums.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    See you soon.

  • Upgrade to vCenter U1 5.0 to 5.5 and vCenter Single Sign-On

    Hello

    We have two vCenter 5.01 U1 linked by patterns related to our environment. We want to move to vCenter 5.5 now by using the single sign on Type Mulitsite. One vCenter Server's Active Directory domain Europe the other is NALA. These two domain belong to a single root domain. Can we use the sign on unique Type of Mulitsite in this scenario?

    Kind regards

    Savir

    Yes that's why I mentioned the site... so, during installation of 5.5, you will create 2 sites.

    "Each site is represented by a vCenter Single Sign-On cases, with a single Single Sign-On Server vCenter, or a cluster of high availability.

    Concerning

    Girish

  • Cannot install KB979909 and KB979906 for Windows 2000, Windows Server 2003 and Windows XP

    Original title: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 security update for Windows 2000, Windows Server 2003 and Windows XP x 86 __Microsoft .NET Framework 1.1 SP1 (KB979909) update for Windows 2000 and Windows XP (KB979906) __KB979909)

    I was warned, I got updates, I clicked on install

    he installed an and failed both

    I can't determine how to solve this problem, and the little shield that warns me still here says I need to update

    the explanation refers to the sp?

    IM unaware of what these elements affect

    See the RESPONSE message in this thread: http://social.answers.microsoft.com/Forums/en/vistawu/thread/5dc22ff1-ba9a-4a3a-9f19-49e85908c4c9 ~ Robear Dyer (PA Bear) ~ MS MVP (that is to say, mail, security, Windows & Update Services) since 2002 ~ WARNING: MS MVPs represent or work for Microsoft

  • Free trial version for e-sign services can be used for a single user?

    I would like to know if the free trial period can be used for the unique individual user for the services of e-sign. I see not available for companies and businesses.

    I see the price is $ 9.99 per year for individuals but y at - it a free trial period before a user can register?

    Thank you.

    Hello

    Yes, you can have for single user as well and better business plan level would be to take contact with our sales team about her.

    -Usman

  • Reset the password for the Single Sign-On

    I have forgiven vcenter Single Sign-On Administrator user account, the password. Now, I need to reset it without having to reinstall the Single Sign-On service for the installation of vSphere WebClient service.

    You can help... How can change it

    Run this script on DB RSA SSO to reset the password

    If the SSO (admini@system-domain) password must be reset, please run under the RSA database query:

    UPDATE

    [dbo]. [IMS_PRINCIPAL]

    SET

    [Password] = "{SSHA256} KGOnPYya2qwhF9w4xK157EZZ/RqIxParohltZWU7h2T/VGjNRA =='"

    WHERE

    LOGINUID = "admin".

    AND

    PRINCIPAL_IS_DESCRIPTION = 'Admin ';

    This resets the password 'VMware1234!', after which you open a session and the change of the password as needed.

    Note: Take backup of database RSA prior to execution of this


    As described in this thread vCenter Single Sign-On master password

Maybe you are looking for