vCenter SSO HA

Hello

Is anyone using vCenter SSO in HA? I followed the guide for deploying SSO for vRA, but automatic failover does not work: if I stop one of the nodes, we start to get exception errors when creating tenants, adding business, ... With both nodes up, the group works very well (the load balancer seems OK).

Any experience with vCenter SSO 5.5up2 HA and vRA 6.2.2? Is there something missing from the guide, or any additional parameter to configure?

Thank you.

The only recommendation I can make, and I'm under NDA, so I can't expand on why I say this, but... I would not invest any time to get this to work and use of identity. Wish I could provide more details than that.

Personally, I have had nothing but pain and grief trying to integrate the two, and whenever an update comes out for one or the other, it leads to irritation and gnashing of teeth, trying to figure out what has not been properly tested / validated between the two products, and it leads to all kinds of other problems. I saw too much, for lack of a better word, strangeness, trying to get SSO working in a highly available configuration like this... It's weird.

Just my $0.02.


Similar Questions

  • I can not re register vCenter SSO

    I have a strange problem in vCSA (U2d): after restarting the appliance, the Web Client shows "Empty inventory". When I look more deeply, the command:


    /usr/lib/vmware-sso/bin/vi_regtool listServices https://PVC1.piszki.Lab:7444/lookupservice/sdk


    does not show a registered vCenter service! And I can't unregister vCenter:


    PVC1:/etc/VMware-SSO/Register-hooks.d # / usr/lib/vmware-sso/bin/vi_regtool unregisterService d https://PVC1.piszki.Lab:7444/lookupservice/sdk u Pei xxxx-TR id.vc [email protected]

    Initialization of provider of record...

    SSL certificates for https://PVC1.piszki.Lab:7444/lookupservice/sdk

    null

    com.vmware.vim.binding.lookup.fault.ServiceFault:

    errorMessage = no object

    inherited from com.vmware.vim.binding.lookup.fault.ServiceFault

    pvc1:/etc/vmware-sso/register-hooks.d #. / 01-vcenter - mode uninstall - ls-Server https://PVC1.piszki.Lab:7444/lookupservice/sdk [email protected] user - password xxx

    Initialization of provider of record...

    SSL certificates for https://PVC1.piszki.Lab:7444/lookupservice/sdk

    null

    com.vmware.vim.binding.lookup.fault.ServiceFault:

    errorMessage = no object

    inherited from com.vmware.vim.binding.lookup.fault.ServiceFault

    But if I try to register vCenter with SSO:

    pvc1:/etc/vmware-sso/register-hooks.d #. / 01-vcenter - installation - ls-Server mode https://PVC1.piszki.Lab:7444/lookupservice/sdk [email protected] user - password xxx - vc-admin-master option = root - sso-deployment-type option = Embedded

    Initialization of provider of record...

    SSL certificates for https://PVC1.piszki.Lab:7444/lookupservice/sdk

    Execution of anonymous

    Successfully registered locations SSO and certificates

    The code is back: success

    Creation of main SSO for vCenter Server

    Initialization of provider of record...

    SSL certificates for https://PVC1.piszki.Lab:7444/lookupservice/sdk

    vpxd-PVC1.piszki.Lab-792e065c-d461-4BEB-8a9d-0b5696c4722f

    com.vmware.vim.sso.admin.exception.DuplicateSolutionCertificateException: vpxd-pvc1.piszki.lab-792e065c-d461-4beb-8a9d-0b5696c4722f

    at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.execute(VmomiClientCommand.java:121)

    at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.executeEnsuringDomainErrorIs(VmomiClientCommand.java:220)

    at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.executeEnsuringDomainErrorIs(VmomiClientCommand.java:207)

    at com.vmware.vim.sso.admin.client.vmomi.impl.PrincipalManagementImpl.createLocalSolutionUser(PrincipalManagementImpl.java:197)

    at com.vmware.vim.sso.admin.client.vmomi.impl.PrincipalManagementImpl.createLocalSolutionUser(PrincipalManagementImpl.java:185)

    at com.vmware.vim.install.cli.commands.RegisterSolutionCommand.execute(RegisterSolutionCommand.java:48)

    at com.vmware.vim.install.cli.commands.CompositeCommand.execute(CompositeCommand.java:38)

    at com.vmware.vim.install.cli.RegTool.execute(RegTool.java:190)

    at com.vmware.vim.install.cli.RegTool.process(RegTool.java:107)

    at com.vmware.vim.install.cli.RegTool.main(RegTool.java:38)

    Return code is: AlreadyRegistered

    The C# Client works with no problems. I am stuck, can anyone help?

    Kind regards

    Piotr

    And there is a solution: snapshot + re-run the vCSA installation wizard. Only loss: storage tags and profiles disappeared.

  • Undocumented VCenter, SSO Master Password unknown

    Hi all

    I have been trawling through much of the community to get a handle on this, so I thought I would ask this question to get a concise answer.

    I am looking to upgrade a vCenter 5.1 U2 to v6. There is no documentation of the pre-installed vCenter and there is no trace of the SSO master password. I have reset the password of admin@system-domain, so I am able to get into the web console. As mentioned in other posts, this password is completely separate from the master password, which cannot be changed without knowing what the master password currently is.

    From what I read, the easiest method for me to upgrade seems to be to delete and reinstall SSO, then reconnect vCenter to it.

    Apparently the most difficult method is to build a new vCenter, create local switches (as we use vDS), migrate guests to the local switches on the current vCenter, migrate the hosts to the new vCenter and then re-create the vDS.

    I looked at the flings on the labs.vmware.com site and there is one that might help, but it does not work for v5.1 to 6 and it sounds like it has problems with vDS.

    An option I have thought of and would like to validate is the following: if I build a new vCenter with a new SSO installation which is actually documented, can I join a vCenter v5.1 to the SSO v6 installation? If I could then upgrade the vCenter 5.1 to 6, while the old and the new are part of the same authentication domain, I could technically vMotion between vCenters. Is this a valid option, or am I expecting more from the product than it can really do? I'm looking for the least disruptive method to get up to date.

    Thank you

    Hayden

    Thought I would respond to this and let everyone know how we have progressed.

    After a lot of searching on Google and trial and error, I found a blog post on vXpertise written by Fabian Lenz, which helped me to get this working properly. Now I can migrate my systems with vDS intact to a new installation of vSphere vCenter 6. The link to the article is http://www.vxpertise.net/2013/06/migration-of-a-distributed-switch-to-a-new-vcenter-important-things-to-know/

    Essentially the issue I had was that I was using the logical order of import of the vDS and not the right order. It is a big help because it gets us around the issue of the forgotten SSO 'master' password and allows us to upgrade to a new installation of vCenter, which is essentially what we were eager to do.

    I hope this helps someone else out there.

  • vCenter SSO 5.5u2b HA for vCAC re-install STS service: Unrecognized option:-install

    I'm trying to configure vCenter SSO 5.5u2b in an HA configuration for use with vCAC 6.1. I'm following the guide:

    http://www.VMware.com/files/PDF/products/vCloud/VMW-vRealize-automation-61-deployment-guide-HA-configurations.PDF

    and arrived at the end of the document, where I re-install the STS. When I try to run the command:

    "c:\Program Files VMware vCenter Server - Java

    "C:\Program Components\bin\java.exe" - cp

    Files\VMware\Infrastructure\VMware\CIS\vmware-sso\ *; c:\Program

    Files\VMware\Infrastructure\VMware\CIS\vmware-sso\lib\ *; ; *”

    com.vmware.identity.installer.STSInstaller - install - root-cert-path

    ssoserverRoot.crt - cert-path-private-key ssoserverSign.crt

    ssoserverSign.key - the number of attempts-2-30-retry interval

    (put in one line and correcting the parentheses) I get errors:

    Unrecognized option:-install

    Error: Could not create the Virtual Machine Java.

    Error: A fatal error has occurred. Program ends.

    I installed the SSO application on the E: drive, so I've updated the script to account for 'e' as follows:

    ""c:\Program Files VMware vCenter Server - Java Components\bin\java.exe"- cp" e:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\ *; e:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\lib\ *; ; * "com VMware.Identity.installer.STSInstaller - install - path root-cert ssoserverRoot.crt - cert-path ssoserverSign.crt - private-key-path ssoserverSign.key - number of attempts-2-30-retry interval

    any suggestions?

    I found the issue... There must be a space between ...; ; * and com.vmware... The command in the document is missing this space. After running the command:

    ""c:\Program Files VMware vCenter Server - Java Components\bin\java.exe"- cp" e:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\ *; e:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\lib\ *; ; ' ' * com.vmware.identity.installer.STSInstaller - install - path root-cert ssoserverRoot.crt - cert-path ssoserverSign.crt - private-key-path ssoserverSign.key - number of attempts-2 - interval before new attempt-30

    the STS re-installed correctly.

  • VCenter SSO account does not see vcenter inventory

    Hi, I recently got an error on my VMware View deployment, which led me to the KB here:

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2050369

    "However, if I connect my web vSphere client with my own credentials (domain administrators), I apparently do not have full administrator rights to the web client, because I don't see anything under ' Sign-On and discovery."

    If I log in with admin@system-domain, at the same URL, I don't see any inventory; it seems vCenter is not correctly connected or something. However, I am connected to the exact same URL, https://myvcenterserver:9443/vsphere-client

    Any thoughts?

    * edit * sorry, forgot to mention it's vCenter version 5.1.0 880146. Thank you.

    Post edited by: Mike Crampton

    Sorry I'm a bit confused.

    When you connect with the domain account, you see no SSO and discovery, but you see the inventory?

    But when you connect with admin@system-domain you see the SSO and the discovery, but you do not see the inventory?

    It seems perfectly fine to me.

    The domain account is the administrator account which can see the inventory.

    The SSO administrator (admin@system-domain) is the account that sees the Configuration under SSO and discovery.

    Just checked with my environment. This is exactly how it should be.

  • vCenter SSO new Site

    I have a vCenter 5.5 system up and working well.

    I tried to install a second SSO server for vCenter as an additional server for a new site. But the installer kept giving me the mythical 1603 error message. If I installed SSO as a first vCenter server, it installed fine. I tried looking through the Setup log file, but nothing jumped out at me.

    Any suggestions on how to solve this?

    GTG

    I logged a call with VMware on it. They quickly diagnosed that the problem was with SSL certificates.

    However, a quick resolution was not forthcoming. So after nearly a week, I gave up, destroyed the whole vCenter installation and rebuilt from scratch. Only after having done that was it all working.

    GTG

  • VCenter SSO Active Directory identity Source edition

    Hello

    I am facing a strange problem when changing the SSO identity source for Active Directory integration. When I try to change the URL of the primary and secondary LDAPS server I get the error "unable to connect to one or more of the provided external server URL: servername.domain.com:3269" initially, then "unable to connect to one or more of the provided external server URL: GSSAPI". I think it's the same problem. SSO is trying to contact the former domain controller (which no longer exists) and cannot save the changes.

    I tried it with a CNAME entry for the old FULL domain name, but it seems to not work. I can still edit with CLI commands, I can only find create and delete actions for the command.

    Most of the answers on Google for this topic say to remove the identity source and create a new one. So my question: will I get other problems when I remove the identity source, for example with the permissions on folders, virtual machines, etc.? If this is not the case, do I need to do something else besides deleting and creating a new one? Reset? Restart the service or something?

    Would be great if someone could help me quickly with it.

    Thank you!

    Hello

    I have tested it in a test environment. The identity source must be deleted and a new one created in order to change the URL of a server that is no longer active. No permissions are deleted when you delete the identity source.

    There is no firewall between the vCenter and the domain controllers. Thanks for the answer.

  • vCenter SSO 5.5 - users are not editable when upgrading from a 5.1.

    I did some tests with vCenter 5.5 on a Win2008 R2 (non-production) installation.
    After the upgrade of SSO, I noticed a problem with the internal users of SSO.

    - I can't change user properties.

    Everything is greyed out. No password change, no unlocking, etc. (using [email protected] or another administrator)
    Surprisingly, I can create a new user and change everything I need. But all the old user accounts whose [email protected] are not editable.

    I upgraded two SSO instances. Both have the same problem. It does not occur with a new installation.


    Has anyone noticed the same problem?

    How can I solve this problem?

    With vCenter 5.5.0a this problem has been resolved.

    All users are now editable.

  • VCenter SSO 5.5 upgrade problems - cannot start SERVICE KDC VMWARE

    Hi, I am trying to upgrade my current SSO, which was installed about a month ago (a complete reinstallation of my entire vCenter environment).

    At some point, the install fails and gives me this error message: "Service 'VMware Kdc Service' (WMwareKdcService) failed to start. Check that you have sufficient privileges to start system services."

    I installed as the domain administrator, which obviously has local administrator rights on the Windows Server.

    Any help, or can someone point me to a log file I can look at or something?

    Thank you!

    Michel

    More tweaking... The KDC service requires port 88 to start.

    netstat -abn shows vpxd.exe uses port 88. When I installed vCenter, I had chosen port 88 as port 80 was already in use by IIS... I have now disabled IIS and want to move vCenter back to port 80.

    Now, does anyone have an idea how I can change vCenter to use port 80?
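The port clash described in this thread (the KDC service needs port 88, which `netstat -abn` shows held by vpxd.exe) can be checked for before running the installer. The following is an added example, not part of the original posts: it parses `netstat -abn` text and reports which executable already holds the default ports named on this page. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Default ports named in the threads on this page.
REQUIRED_PORTS = {
    88: "VMware KDC service",
    7444: "vCenter SSO / lookup service (HTTPS)",
    9443: "vSphere Web Client",
}

# Constructed sample of Windows `netstat -abn` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
 [vpxd.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    10.0.0.5:52311         10.0.0.9:443           ESTABLISHED
 [vpxd.exe]
  TCP    [::]:88                [::]:0                 LISTENING
 [vpxd.exe]
  UDP    0.0.0.0:88             *:*
 [vpxd.exe]
"""

SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_listeners(text):
    """Return one dict per TCP LISTENING or bound UDP socket, with its owner."""
    sockets, current = [], None
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            proto, addr, port, state = m.groups()
            # UDP rows have no State column; TCP rows count only if LISTENING.
            if proto == "UDP" or state == "LISTENING":
                current = {"proto": proto, "addr": addr,
                           "port": int(port), "owner": None}
                sockets.append(current)
            else:
                current = None
            continue
        o = OWNER_RE.match(line)
        # With -b the executable follows its socket row as "[name.exe]".
        if o and current is not None and current["owner"] is None:
            current["owner"] = o.group(1)
    return sockets


def find_conflicts(text, required=REQUIRED_PORTS):
    """Map each required port already in use to the sorted owners holding it."""
    held = {}
    for s in parse_listeners(text):
        if s["port"] in required:
            held.setdefault(s["port"], set()).add(s["owner"] or "unknown")
    return {port: sorted(owners) for port, owners in held.items()}


if __name__ == "__main__":
    for port, owners in find_conflicts(SAMPLE_NETSTAT).items():
        print(f"port {port} ({REQUIRED_PORTS[port]}) "
              f"already held by: {', '.join(owners)}")
```

An empty result means none of the listed ports is bound yet; rows where netstat cannot name the owner are reported as "unknown" rather than dropped.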

  • Re-use of vCenter SSO certificate

    I was banging my head against the deployment of the single sign-on with my installation of vCenter 5.1 certificates.

    I think I finally have a handle on how to do it using the SSL automation tool.

    So what I wanted to do was blow up all my servers and reinstall all.  I wanted to reuse the certificates that I have already created.

    I think that if I use the same IP address and host name I should be fine.  I'm going basic here?

    There will be no problem as long as CN has the FQDN of the server and the domain OR something that is unique for the SSO service. Just install the servers and redeploy certificates that you are used to.

  • How is the web client vCenter/SSO

    In vSphere 5.1, when I type https://myhost.mycompany.com:9443/vsphere-client/ in my browser, I immediately get a login screen. When I enter my credentials, everything works great. I guess that in this example, the backend of the web client is listening on port 9443.

    - Does the web client backend expect SSO to always be running on the same host as itself? I mean, is it possible to have a scenario where the backend of the web client is running on a different host than vCenter or SSO?

    - If, at the time of installation, we have configured SSO to listen on a port other than the default, do I have to configure the web client backend as well, or does it also get reconfigured?

    Thank you.

    Yes, you can install SSO separately from other components of vCenter: see http://pubs.vmware.com/vsphere-51/topic/com.vmware.vsphere.install.doc/GUID-595E62F1-4D32-4A09-81F4-BE59B9217A51.html

    When you do separate installations you must install SSO first. When you subsequently install the WebClient service you must point it to the SSO service by providing the URL of the SSO service. SSO listens on the default https port 7444. If you have configured it differently (I don't know if this is possible) then you just need to change the port number in the URL of SSO.

    The WebClient service listens on port 9443 by default. See http://pubs.vmware.com/vsphere-51/topic/com.vmware.vsphere.install.doc/GUID-74AA3EF1-BDF3-4752-89DB-A522CDE30A66_copy.html

    -Andreas

  • Can not see my server vCenter SSO is even recorded

    Hello

    Yesterday I upgraded vCenter 5.0 to vCenter 5.1.0a. I did everything (I think!) as it was written in vsphere-esxi-vcenter-server-51-upgrade-guide.pdf. But when I connected to the web client (https://vcenter:9443/vsphere-client) I did not see my vCenter server. So I connected to localhost:9443 to register my vCenter and I see that it is registered. So, what is the problem, why do I not see it in the web client?


    Best regards

    p.

    Connect to vCenter using the vSphere Client.

    Right-click the next level and add permissions > add in the Domain Admins or whatever AD group you use for vCenter.

    Then connect to the Web Client using domain\username and you should see vCenter.

  • vCenter & installation simple SSO

    Hello guys,

    I have a simple install of vCenter + SSO + WebClient on the same machine and I need to change the IP address of the virtual machine all these components are running in.

    I would like to keep all the data (roles and rights, licenses).

    Do you know a special procedure to avoid reinstalling everything from scratch?

    vCenter version 5.5 U2

    Any help is appreciated.

    Thank you, Daniele

    If you have systems configured with the host name, just change the DNS record and flush the DNS on the server. If you have everything configured with IPs, then try re-pointing things according to this KB: VMware KB: Re-pointing and re-registering VMware vCenter Server 5.1 / 5.5 and components

  • SSO HA

    Hi all

    I have a vCenter 5.5 U2 implementation. The powers that be want me to start looking at vCenter protection options, in addition to vSphere HA. It seems that I can use Microsoft Clustering, which I will begin to explore. However, the guide that I'm looking at shows SSO must be installed on a different server if clustering vCenter.

    What are my options to protect SSO then?

    I guess if I had a single SSO server and it went down, I'd be completely locked out of vCenter, so protecting vCenter is kind of useless if I cannot adequately protect SSO?

    Thank you

    D

    If the primary SSO fails, it should allow you to repoint vCenter to the secondary SSO server, as the two SSO servers replicate data between them. I am not 100% certain as I have not tried it, so I suggest you first look at the scenario in a lab configuration.

    You need to repoint all services between them to get vCenter and SSO to work.

    See-

    VMware KB: Re-pointing and re-registering VMware vCenter Server 5.1 / 5.5 and components

  • vCenter 5.1 U3 "embedded" Windows-> updated to 6.0 not embedded u2, appliances?

    Trying to find documentation, but not finding exactly what I'm looking for - in the hope that you just happen to know!

    I need to get a system to vSphere 6.0 U2 with the appliance version of vCenter and the PSC - currently 5.1 U1a with vCenter and SSO components running on a single Windows server.

    I know (or believe) that I have to upgrade to 5.1 U3 before I can move to 6.0 - but what I'm not sure of is whether a Windows 5.1 U3 can in fact be upgraded to an embedded PSC and vCenter?

    I need the upgraded PSC to join an already existing vSphere SSO domain (the existing system is standalone).

    So is the path:

    1) upgrade to 5.1 U3, then

    2) upgrade to embedded vCenter/SSO appliance, then

    3) install a new embedded appliance into the existing vSphere domain, then

    4) re-point the vCenter to the newly created standards body?

    Tips/pointers/traps to know are all appreciated!

    I guess there is no easy way among the supported options to go from an old Windows vCenter to the newer appliance via the upgrade process (the way we usually upgrade).

    You should probably do a migration.

    I did something similar here a few months ago - had a Windows 5.1 VC and needed to upgrade to the 6.0 appliance. Only in my case, the appliance was supposed to have a built-in COPS. Anyway, after reading a lot of migration articles, I ended up using the Inventory Snapshot fling: InventorySnapshot, which doesn't do everything but saved me a few hours of manual steps.

    If you decide to go the same route (which probably isn't the only option), the general steps could be:

    (1) install a new 6.0 appliance running PSC

    (2) install a new 6.0 appliance running vCenter, add it to the SSO domain of the PSC created in step 1

    (3) migrate the inventory objects from the old vCenter to the new one

    The Inventory Snapshot fling does not migrate / copy everything. AFAIR it cannot do things like tags and distributed switches (I could be wrong on some of these, so check) but in my case I was more concerned with the folder structures, and for those it saved me a few hours. I don't remember now how I moved customization specifications, however that was a script export / import kind of thing as well. I also used RVTools to create a snapshot of the inventory information before the migration so that I could easily find all objects if they got lost during the migration, however they did not.

    Depending on how complex your infrastructure is and the inventory objects in use in vCenter, you might have to do more research and work to make the move to the new vCenter. There are a lot of posts and even ready-made scripts out there for vCenter migration.

    I hope this helps.
