
Tag Archives: SSO

SSL Certificate Automation Tool version 1.0.1

Last month we announced a new SSL Certificate Automation tool to help everyone with the implementation of custom certificates. Yesterday, we released the second version of it (version 1.0.1). This is a minor update which aims to simplify the replacement of certificates further by adding Certificate Signing Request (CSR) functionality to the tool. This functionality allows a user to quickly generate certificate requests (and, with them, the private keys) for submission to the Certificate Authority. The CSR generation was the largest portion of the manual steps, and as a result the update reduces the number of steps by over 15.

In addition, several minor bugs that impacted tool functionality have been fixed.

For further details and to download the latest version of the SSL tool see: Deploying and Using the SSL Certificate Automation Tool (2041600)

We hope these additions prove useful for everyone!

Logging in to the vSphere Web Client failing

Some customers are still running into issues when logging into the vSphere Client, and we want to re-publicize the fix for this. If you see either of the following two messages:

unknown user or bad password

or:

The authentication server returned an unexpected error: ns0:RequestFailed: 
Internal Error while creating SAML 2.0 Token. 
The error may be caused by a malfunctioning identity source.

This is caused by a configuration issue: groups on the local Operating System contain Active Directory users. There is an easy fix for the issue, which is removing the localOS identity source from vCenter Server Single Sign-On (SSO). All of the steps are detailed in KB article: Logging in to the vSphere Web Client fails with the error: ns0:RequestFailed: Internal Error while creating SAML 2.0 Token (2043070), but you can think of this post as an addendum.

Before you go ahead and remove the local identity source, be aware that any local users will no longer have login access once the local identity source is removed. Also, a domain account should be configured with SSO administrative privileges before removing the identity source.

To remove the identity source, log in to the Web Client using the SSO administrator (admin@system-domain), go to Administration, then Configuration under Sign-On and Discovery, and then remove the Local Identity Source (the local machine name) as shown.

A couple of common questions:

Q – What if I can’t log in with SSO Administrator credentials?
A – See Unlocking and resetting the vCenter Single Sign On (SSO) administrator password (2034608)

Q – How do I add an SSO administrator?
A – Log in to the vSphere Web Client as an SSO administrator. By default, this user is admin@system-domain.

In the home page, click Administration > Access > SSO Users and Groups.

Click on the plus sign and add an account from an identity source.

Introducing the vCenter Certificate Automation Tool 1.0

Fresh out of development today, VMware has a new tool to help everyone with the implementation of custom certificates. The vCenter Certificate Automation Tool 1.0 will help customers update the certificates needed for running vCenter Server and its supporting components. This is primarily of interest to customers who use custom certificates, either generated internally from corporate CAs or obtained from public CAs like VeriSign.

To add a little background information: various components within vSphere and the vCenter platform use certificates for identifying themselves as well as for secure communication with external software entities (browsers, API clients). These can broadly be classified into the following categories:

  1. Secure Token Service Certificate – Certificate used by vCenter Single Sign On (SSO) for encryption tokens
  2. Solution User Certificates – Certificates used by each solution to identify themselves as users to SSO
  3. SSL Certificates – Certificates needed for SSL communication for the UI and API layer
  4. Host Certificates – These certificates are deployed in each ESXi host and used for secure vCenter to ESXi communication.

Note: The new certificate tool automates the updating of certificates in the management layer only (categories 1, 2 and 3 above). This tool does NOT handle replacement of certificates in ESXi hosts.

The vCenter Certificate Automation Tool aims to automate the process of uploading certificates and restarting the following components within the vCenter Platform:

  1. vCenter Server
  2. vCenter Single Sign On
  3. vCenter Inventory Service
  4. vSphere Web Client
  5. vCenter Log Browser
  6. VMware Update Manager (VUM)
  7. vCenter Orchestrator (VCO)

For more information on how to download, install, and use the tool, refer to KB article: Deploying and Using the SSL Certificate Automation Tool (2041600).

How to deploy SSO in a multisite configuration

For those of you administering multiple vSphere environments, getting an SSO multisite deployment up and running in a correct configuration is very important. Multisite deployments are those in which a local replica of the primary vCenter Single Sign-On instance is maintained at each remote site. The process of setting this up is not complicated, but it is possible to take a wrong turn and end up wasting a whole lot of time correcting it. That is why we have created a best-practice Knowledgebase article titled: Multisite Single Sign-On deployment best practices (2042849). We highly recommend you look at the examples in that article.

We’ve written extensively in this blog about SSO in the past. You can see all the other posts on the topic here: http://blogs.vmware.com/kb/tag/sso

If you are still at the point where you are asking yourself "what is SSO, and why do I care?", we recommend you start with this great introduction from Justin King: vCenter Single Sign-On Part 1: what is vCenter Single Sign-On?

Where is the Best Practice Guide for SSO?

We recently received a tweet request from a customer directed at our @vmwarekb account asking:

@VMwareKB Also when can I expect a best practice guide from VMware on SSO?

The answer is, while we don’t have one single document with our best practices for Single Sign On (SSO), we do have 65 and counting KB articles on the subject. That amount of content would not fit nicely if it were crammed into one article! Thinking that more of you may be asking the same question, I present for you a listing of all of our current SSO articles. In the meantime, we’ll keep working hard on providing the content you want.

Configuring a vCenter Single Sign On Identity Source using LDAP with SSL

So, the Fusion-related videos that were mentioned in our earlier post have been delayed. We must therefore apologize to all of our fans who were waiting for these videos to appear. We will try to upload these videos as early as possible in the new year.

In the meantime, we do have a new video today for all of our fans interested in vSphere 5.1 related content.

In this video tutorial we provide a quick demonstration showing the steps to configure an Identity Source in vCenter Single Sign On to use a secured LDAP over SSL (LDAPS) connection as per the written instructions contained within VMware Knowledge Base article Configuring a vCenter Single Sign On Identity Source using LDAP with SSL (2041378).

This is appropriate in secure environments, as it encrypts all LDAP traffic between vCenter Server and the authorizing Identity Source.

Note: This video tutorial is a general how-to guide. Consult with the Directory Administrators in your organization for specific procedures. The steps in this video assume that the Domain Controller in question has a valid certificate available for Exporting for Server Authentication. If it is not available in the Personal > Certificates tab, you need to start by making that certificate available.
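The note above assumes the Domain Controller already holds a certificate valid for Server Authentication. The following pre-flight check, added here and not part of the VMware post or KB article, verifies that property on an exported DC certificate before the identity source is configured; it assumes `openssl` 1.1.1 or later is installed, and the host name dc01.example.test is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the VMware post): pre-flight check of the Domain
# Controller certificate that the LDAPS identity source will present to SSO.
# It verifies that the certificate has not expired, that it carries the
# Server Authentication EKU, and that its name matches the DC FQDN that
# will be entered in the LDAPS URL of the identity source.
set -u

check_ldaps_cert() {
  pem="$1"    # PEM-encoded DC certificate (exported from Personal > Certificates)
  fqdn="$2"   # DC host name exactly as it will appear in the LDAPS URL
  fail=0

  # 1. Not expired right now (-checkend 0 exits non-zero once expired)
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: certificate has expired"; fail=1
  fi

  # 2. Extended Key Usage must include TLS Web Server Authentication (serverAuth)
  if ! openssl x509 -in "$pem" -noout -text | grep -q "TLS Web Server Authentication"; then
    echo "FAIL: certificate lacks the Server Authentication EKU"; fail=1
  fi

  # 3. Subject CN / SAN must match the FQDN used in the identity source
  if ! openssl x509 -in "$pem" -noout -checkhost "$fqdn" | grep -q "does match"; then
    echo "FAIL: certificate name does not match $fqdn"; fail=1
  fi

  [ "$fail" -eq 0 ] && echo "OK: $pem is usable for LDAPS on $fqdn"
  return "$fail"
}

# Constructed sample: a throwaway self-signed certificate standing in for the
# exported DC certificate, so the check can be exercised offline.
# Arguments: output PEM path, FQDN, EKU name (serverAuth or clientAuth).
make_sample_cert() {
  out="$1"; fqdn="$2"; eku="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "${out%.pem}.key" -out "$out" -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" -addext "extendedKeyUsage=$eku" \
    >/dev/null 2>&1
}

# Stand-alone demo against the constructed sample certificate
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/dc01.pem" dc01.example.test serverAuth
check_ldaps_cert "$demo_dir/dc01.pem" dc01.example.test
```

Against a real Domain Controller, export the certificate from the Personal > Certificates store mentioned above and pass its PEM file and the DC FQDN to `check_ldaps_cert`.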

Note: For best viewing results, ensure that the 720p setting is selected and view in full screen mode.

Implementing CA signed SSL certificates with vSphere 5.1

One of the most common things we see in VMware Global Support Services (GSS), regardless of product, version, or customer, is the need to implement custom certificates. This could be for a number of reasons:

  • Security
  • To get rid of the warning when you first log in
  • You like a challenge

Whatever the case may be, in vSphere 5.1, the process has changed due to the addition of vCenter Single Sign On (SSO), which adds complexity to the procedure. This is because the majority of services register themselves to SSO. As a result of changing the certificates, the services also need to be re-registered.

As a result of repeated questions from customers on this, we gathered our Professional Services, Engineering, and Technical Writers to develop the following Resolution Path to guide you through the various steps to completion (you can read more about resolution path articles here).

Resolution Path Article:

Child articles in the resolution path are:

Note: It is recommended that you follow the articles in the sequence provided as many steps are dependent on each other.


We have also created an article with the steps for vCenter Server Appliance 5.1:

Finally, we have updated these vSphere 5.0 articles thanks to feedback received on them:

Note: The issue of vCenter Server services failing to start is now resolved in vCenter Server 5.1.0a. For more details, refer to KB article:
vCenter Server Services hang on startup after upgrading to vCenter Server 5.1 (2035623).

We hope that this helps everyone through their SSL implementation. If you find any errors or anomalies, there’s a feedback form at the bottom of every article. We will be keeping an active eye on your feedback!

vSphere SSO Resources

Ever since vSphere 5.1 launched we’ve been getting a fair number of support calls about Single Sign On, or SSO for short. It is a requirement now, and many of you are getting caught on some aspect of the upgrade/implementation.

We don’t like our customers having to call into support. Not that we don’t love to hear from you, but we’d rather document how to deal with different issues and push the information out to you before you run into them. Then, you don’t have to waste time calling us!

Let’s start with two particularly important KB articles. These are classified as ‘Resolution Paths’. They walk you through an ordered set of steps in resolving a problem. You can read more about resolution path articles here.


If those two don’t address your problem, here are a few more resources to help you along your way on the upgrade path. Enjoy!

Installation and Deployment
Single Sign On installation details matrix (2036922)
How vCenter SSO Deployment Scenarios Affect Log In Behavior
Setting up Apache load balancing software with vCenter Single Sign On (2034157)
Troubleshooting VMware Single Sign-On configuration and installation issues in a Windows server (2033880)
Configuring SSO for HA (2033588)
Manually Replicate Data in a Multisite vCenter Single Sign On Deployment
Installing vCenter Single Sign On in a multisite deployment (2034074)
Deploying SSO at each site in multi site mode
SSO server Deployment Modes

Configuration
Replacing Default SSL Certificates for vCenter components (pdf)
When you log into the vSphere Client, linked vCenter Server systems do not appear (2033213)
vCenter Single Sign On and dependent services fail to start after you reboot the system (2032749)
After updating SSL certificate for SSO, a newly installed instance of VC fails to start (2033215)
Unable to connect to vCenter Inventory Service (2032356)
Repointing and reregistering vCenter Server and components (2033620)
Configuring SSO for HA (2033588)
Troubleshooting SSO on Windows (2033208)

  • autodiscovery fails
  • Single Sign On Installation fails completely
  • error occurs that references the vCenter Inventory or Web Client
vCenter Single Sign On fails to start at startup or initialization (2033164)
Troubleshooting Single Sign On with the vCenter Server Appliance configuration on an external database (2033624)
Troubleshooting vCenter Server Appliance configuration with an external vCenter Single Sign On server (2033737)
Troubleshooting Single Sign On and Active Directory domain authentication with the vCenter Server Appliance (2033742)
Change the vCenter Single Sign On Mode in VCVA
Update vCenter Single Sign On settings after you change the hostname or port of the database server (2033516)

Admin and Login
Troubleshooting SSL certificates updates and SSO (2033240)
Troubleshooting vSphere Web Client login errors (2033253)

  • provided credentials are invalid
  • user account is locked
  • Single Sign On server fails to respond
  • vCenter Server administrator permissions are not valid by default on Single Sign On
Troubleshooting SSO on VCVA (2033338)
Updating SSL certificates for vCenter Single Sign On servers behind a load balancer (2034181)
Unable to log in to vCenter Server with the vSphere Client (2034798)

Here are a few more links for good luck: