I was involved with a document for the release of vCenter Server 5.1.0A which, when released, I could not find. It wasn't until I raised this internally that I found where the document was actually listed. This document is a readme for the vCenter 5.1.0A release and contains information that will help with vCenter Single Sign-On design and installation. I thought I would share it here, as more than likely you missed it as well.
For reference, the file is located in the notes section of the vCenter 5.1.0A download page and I have linked it here.
vCenter Server 5.1.0a README
VMware vCenter Server 5.1.0a has been released in response to bugs and usability issues encountered by VMware customers. A number of these bugs concern installation and upgrade. This release also addresses several other bugs that did not have any workarounds. The goal of vCenter Server 5.1.0a is to provide you with a smoother upgrade path so that you can take advantage of the new features in vCenter Server 5.1 right away.
vCenter Server 5.1.0a is not a patch release. You can upgrade to this version of vCenter Server from the following previous versions:
• vCenter Server 4.1, 4.1 Ux
• vCenter Server 5.0, 5.0 Ux
• vCenter Server 5.1 GA
vCenter Server 5.1.0a supports the same database and OS configurations as the original release of vCenter Server 5.1.
The vCenter Server 5.1 release includes significant architectural changes. You must understand these changes before attempting to freshly install or upgrade to vCenter Server 5.1 from older versions of the product. There are four separate services that constitute the vCenter Server 5.1 platform. These are:
• vCenter Single Sign On (SSO)
• vCenter Inventory Service
• vCenter Server
• vSphere Web Client
Before you upgrade to vCenter Server 5.1, determine whether your environment is ready for it by checking the following prerequisites.
- Check your Active Directory (AD) domain settings
• vCenter SSO uses standard LDAP to interact with AD. The machine on which SSO is deployed must have read-only LDAP access to the domain, which is the default for a domain member.
• Read the following Knowledge Base articles (KBs) for detailed prerequisites related to AD.
• Upgrading to vCenter Server 5.1 best practices (KB2021193)
• Installing vCenter Server 5.1 best practices (KB2021202)
• Required ports for vCenter Server 5.1 (KB2031843)
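The two AD prerequisites above (read-only LDAP access from the SSO machine, and SSO being able to find every domain your administrators live in) can be verified before the installer runs. The script below is an added example, not part of the VMware README: it discovers the forest's domains and their trusts, binds to each one over LDAP with the credentials of the current process, and reads a few user objects to prove that access goes beyond the anonymously readable RootDSE. Run it as the account the SSO service will use; started interactively it tests your own user, not the machine account. No environment-specific names are assumed; everything is discovered from the forest.

```powershell
# Added example (not from the VMware README). Run on the machine where SSO will be installed.
# Checks that each AD domain SSO must find is reachable over LDAP and readable with the
# current credentials. Nothing environment-specific is hard-coded.
Add-Type -AssemblyName System.DirectoryServices

function Test-AdDomainLdapRead {
    param([string]$DnsName)
    $props = @{ Domain = $DnsName; Reachable = $false; ReadOk = $false; DefaultNC = $null; Error = $null }
    try {
        # Serverless bind: the DC locator picks a domain controller; RootDSE gives the naming context.
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$DnsName/RootDSE"
        $nc = [string]$rootDse.Properties['defaultNamingContext'].Value
        $props.Reachable = $true
        $props.DefaultNC = $nc
        # RootDSE is readable anonymously, so also search the domain for user objects to prove
        # real read access, which is what SSO needs to find your administrators.
        $base = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$DnsName/$nc"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $base, '(&(objectCategory=person)(objectClass=user))'
        $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
        $searcher.SizeLimit = 5
        $found = $searcher.FindAll()
        $props.ReadOk = ($found.Count -gt 0)
        $found.Dispose()
    } catch {
        $props.Error = $_.Exception.Message
    }
    New-Object PSObject -Property $props
}

$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domains = @()
foreach ($d in $forest.Domains) {
    $domains += $d.Name
    # Trusts of this domain (parent/child, external, forest); the target may live in another forest.
    $domains += @($d.GetAllTrustRelationships() | Select-Object -ExpandProperty TargetName)
}

$results = $domains | Sort-Object -Unique | ForEach-Object { Test-AdDomainLdapRead -DnsName $_ }
$results | Select-Object Domain, Reachable, ReadOk, DefaultNC, Error | Format-Table -AutoSize
```

A domain that shows Reachable but not ReadOk points at a permissions problem (the bind works but the account cannot enumerate users); a domain with an Error is unreachable from this machine, which is exactly the situation that leaves administrators behind during the upgrade.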
- Check that vCenter Server and Inventory Service Certificates are valid
• Having expired certificates in your environment is a security risk. vCenter SSO checks for certificate validity. You can find details on how to check for expired certificates and renew them in KB2035413.
• For Microsoft Windows deployments, ensure that your certificates meet minimum certificate key-length requirements. Refer to VMware KB2037082 and Microsoft Security Advisory KB2661254.
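Both certificate checks above can be scripted. The following is an added example, not code from the VMware README: it loads the vCenter Server and Inventory Service certificates from their default 5.x file locations (assumed paths; adjust them if your installation differs), reports the validity window and the RSA key length, and flags anything SSO or the Windows minimum-key-length update would reject. The 90-day warning window is an arbitrary choice, not a VMware value.

```powershell
# Added example (not from the VMware README). Reports expiry and RSA key length of the
# vCenter Server and Inventory Service certificates before an SSO install or upgrade.
# The paths are assumed 5.x defaults; the warning window is an assumption.
$certPaths = @(
    'C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt',
    'C:\Program Files\VMware\Infrastructure\Inventory Service\ssl\rui.crt'
)
$minKeyBits = 1024   # minimum RSA key length enforced by Microsoft Security Advisory 2661254
$warnDays   = 90     # assumed warning window, not a VMware requirement

function Test-VmwareCertificate {
    param([string]$Path, [int]$MinKeyBits, [int]$WarnDays)
    $now = Get-Date
    $props = @{ Path = $Path; Subject = $null; NotBefore = $null; NotAfter = $null; KeyBits = $null; DaysLeft = $null; Problems = @() }
    if (-not (Test-Path -LiteralPath $Path)) {
        $props.Problems += 'file not found'
        return New-Object PSObject -Property $props
    }
    # X509Certificate2 loads both PEM (rui.crt) and DER encoded files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $props.Subject   = $cert.Subject
    $props.NotBefore = $cert.NotBefore
    $props.NotAfter  = $cert.NotAfter
    $props.KeyBits   = $cert.PublicKey.Key.KeySize
    $props.DaysLeft  = [int]($cert.NotAfter - $now).TotalDays
    if ($cert.NotAfter -le $now)           { $props.Problems += 'expired' }
    elseif ($props.DaysLeft -le $WarnDays) { $props.Problems += "expires in $($props.DaysLeft) days" }
    if ($cert.NotBefore -gt $now)          { $props.Problems += 'not yet valid (check clock skew)' }
    if ($props.KeyBits -lt $MinKeyBits)    { $props.Problems += "key is $($props.KeyBits) bits, below $MinKeyBits" }
    New-Object PSObject -Property $props
}

$results = $certPaths | ForEach-Object { Test-VmwareCertificate -Path $_ -MinKeyBits $minKeyBits -WarnDays $warnDays }
$results | Select-Object Path, Subject, NotAfter, KeyBits, DaysLeft | Format-Table -AutoSize
foreach ($r in $results) {
    foreach ($p in $r.Problems) { Write-Warning "$($r.Path): $p" }
}
if ($results | Where-Object { $_.Problems.Count -gt 0 }) {
    Write-Warning 'Renew or replace the flagged certificates (KB2035413) before installing SSO.'
}
```

Run it on the vCenter Server machine (and on the Inventory Service machine if that is separate). A certificate that is "not yet valid" usually means the clock on the machine that issued it was ahead of this one; SSO treats it the same way as an expired one.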
- Database Configuration
• Know your database user and password quality policies.
• Ensure that SQL Server authentication is set to Mixed Mode (SQL Server and Windows Authentication).
• TCP/IP must be enabled for MS SQL Server.
- Decide on the choice of Basic, HA, or Multi-site installation for SSO
You can find details that will help you decide which type of installation is applicable for your environment by reading the following:
• Installing vCenter Single Sign On in a multisite deployment (KB2034074)
• Configuring vCenter Single Sign On for High Availability (KB2033588)
• For the basic SSO installation, see the vSphere Installation and Setup Guide
- Know where your vCenter Server administrators are defined
• Going forward, SSO is the single point for all user authentication.
• With vCenter Server no longer managing users, it is imperative that you understand the source of your users, especially administrators.
• If you deploy the SSO server on a different machine from vCenter Server, the local OS users of the vCenter Server machine are not visible to SSO and are not migrated to the new environment. If this occurs, you must create new administrative users, preferably local SSO users. If your administrators are AD users, they are migrated to SSO provided SSO can find their AD domains.
Use a step-by-step approach to installation or upgrade. This approach ensures a smoother upgrade and the ability to revert to a stable state should any problems arise. VMware offers two modes of installation and upgrade for the vCenter Server platform: simple installation and the custom installation.
1. Back up your vCenter Server Database. If you are running vCenter Server in a virtual machine, take a snapshot of the vCenter Server virtual machine.
2. Use the individual installer for each service wherever possible, as opposed to the simple installer. Install SSO first and then upgrade or install the vSphere Web Client.
3. Log in to the vSphere Web Client as the SSO administrator (admin@System-Domain).
4. Verify that you can see all the AD domains for your administrators. If you cannot see some of the AD domains, use the Configuration tab to add them as described in KB2035934.
5. Assign one of the AD users as an SSO administrator. Log out and log back in using the new SSO administrator user. If you are able to connect successfully, SSO is configured correctly.
6. Upgrade vCenter Server, keeping the following in mind:
• Upgrade the Inventory Service before upgrading vCenter Server.
• As a best practice, avoid using local OS users.
• Your configured AD domains must be reachable during vCenter Server upgrades. Refer to KB2035758 for more information.
7. Handle Administrators as follows during vCenter Server upgrade:
• During vCenter Server upgrade, the installer might notify you that administrator permissions are being deleted for users who the installer could not find. This is expected behavior if local OS users were not migrated during SSO installation.
• Where local OS users were the only administrators, the installer prompts you to provide a user or group to which vCenter Server administrator privileges will be assigned. Provide a valid user or group that vCenter Server can recognize. This will be the only user or group granted administrator permissions on vCenter Server. Connect to vCenter Server using this single user or any member of the group. After you log in to vCenter Server, you can grant administrator access to other users.
• Do not use an administrator from a child domain during setup.
If you want to use the simple installation method, be aware that users and permissions carry over from your old vCenter Server to vCenter Server 5.1 only if SSO and vCenter Server can find the local OS users and AD domains during the upgrade. If you perform an in-place upgrade and install vCenter Server, SSO and the Inventory Service on the same machine, your existing local OS users persist across the upgrade.
Be aware of the following caveats when upgrading to vCenter Server 5.1.0a. These caveats have workarounds that you can apply if you encounter problems.
Dynamic Port support in Microsoft SQL Server
Microsoft SQL Server uses dynamic ports by default, but SSO requires a fixed port to connect to SQL Server. Refer to the vSphere Installation and Setup Guide to configure SQL Server with a static port. If your datacenter policy requires dynamic ports, specify the current port number during the initial installation of SSO; because that number can change when SQL Server restarts, read KB2033516 to learn how to reset SSO to use the new port.
SSO service dependency on MS SQL
When SSO is installed with a local Microsoft SQL Server, the services must start in a specific order: SSO must start after SQL Server. If SSO starts before SQL Server, restart the SSO service after SQL Server is up.
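The three SQL Server requirements in this document (Mixed Mode authentication and TCP/IP under Database Configuration, and a static port under the Dynamic Port caveat) plus the start-order caveat above can be checked and fixed from one pre-flight script. The script below is an added example and not part of the VMware README. It reads the SQL Server configuration from the registry rather than connecting, so it works before the SSO database login exists, and it can optionally record a Windows service dependency so that the Service Control Manager never starts SSO before SQL Server, which replaces the manual restart described above. Assumptions: SQL Server 2008/2008 R2 registry layout, the default instance name, and an SSO service display name beginning with "vCenter Single Sign On"; change the parameters to match your host.

```powershell
# Added example (not from the VMware README). Run on the host that runs SSO and its local
# SQL Server instance. Assumed: SQL Server 2008/2008 R2 registry layout, instance and service
# names as given in the parameters.
param(
    [string]$InstanceName   = 'MSSQLSERVER',              # assumed default instance
    [string]$SsoDisplayName = 'vCenter Single Sign On*',  # assumed SSO service display name (wildcard)
    [switch]$AddServiceDependency
)

$sqlRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

function Test-SsoSqlPrerequisites {
    param([string]$Instance)
    # "Instance Names\SQL" maps the instance name to its registry id, e.g. MSSQL10_50.MSSQLSERVER.
    $id = (Get-ItemProperty -Path "$sqlRoot\Instance Names\SQL").$Instance
    if (-not $id) { throw "SQL Server instance '$Instance' was not found in the registry." }
    $engine = "$sqlRoot\$id\MSSQLServer"

    # LoginMode: 1 = Windows Authentication only, 2 = SQL Server and Windows Authentication (Mixed Mode).
    $loginMode = (Get-ItemProperty -Path $engine -Name LoginMode).LoginMode
    # TCP/IP protocol switch, and the IPAll port settings: a static port is stored in TcpPort;
    # a dynamic configuration leaves TcpPort empty and records the last chosen port in TcpDynamicPorts.
    $tcp   = Get-ItemProperty -Path "$engine\SuperSocketNetLib\Tcp"
    $ipAll = Get-ItemProperty -Path "$engine\SuperSocketNetLib\Tcp\IPAll"

    $findings = @()
    if ($loginMode -ne 2)   { $findings += 'Authentication is not Mixed Mode (LoginMode must be 2).' }
    if ($tcp.Enabled -ne 1) { $findings += 'TCP/IP is disabled for this instance.' }
    if ([string]::IsNullOrEmpty($ipAll.TcpPort)) {
        $findings += "Dynamic TCP port in use (currently $($ipAll.TcpDynamicPorts)); SSO needs a fixed port."
    }
    New-Object PSObject -Property @{
        Instance    = $Instance
        MixedMode   = ($loginMode -eq 2)
        TcpEnabled  = ($tcp.Enabled -eq 1)
        StaticPort  = $ipAll.TcpPort
        DynamicPort = $ipAll.TcpDynamicPorts
        Findings    = $findings
    }
}

function Add-SsoDependencyOnSql {
    param([string]$Instance, [string]$SsoDisplayName)
    # The default instance service is MSSQLSERVER; named instances are MSSQL$<name>.
    $sqlService = if ($Instance -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$Instance" }
    $sso = Get-Service -DisplayName $SsoDisplayName -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $sso) { throw "No service matching display name '$SsoDisplayName' was found." }
    $existing = @($sso.ServicesDependedOn | Select-Object -ExpandProperty Name)
    if ($existing -contains $sqlService) { return "Service '$($sso.Name)' already depends on $sqlService." }
    # DependOnService (REG_MULTI_SZ) is what the Service Control Manager reads; keep existing entries.
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($sso.Name)" `
        -Name DependOnService -Type MultiString -Value ([string[]]($existing + $sqlService))
    "Service '$($sso.Name)' now starts after $sqlService (effective at the next boot or service restart)."
}

$report = Test-SsoSqlPrerequisites -Instance $InstanceName
$report | Select-Object Instance, MixedMode, TcpEnabled, StaticPort, DynamicPort | Format-List
$report.Findings | ForEach-Object { Write-Warning $_ }
if ($AddServiceDependency) { Add-SsoDependencyOnSql -Instance $InstanceName -SsoDisplayName $SsoDisplayName }
```

Run it elevated; without -AddServiceDependency it only reports. Registry changes to LoginMode or the TCP port take effect only after SQL Server restarts, so re-run the report after the restart and before starting the SSO installer.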
Authentication fails with nonstandard UPN using Windows authentication from the vSphere Web Client or the vSphere Client
Use the original domain name when connecting to the vCenter Server platform and authenticate with a valid user name and password. This issue affects customers who use smart cards to log in to either client and who also use a nonstandard UPN (a UPN suffix that differs from the domain's DNS name).
Short File Names
Ensure that short (8.3) file names are enabled on your Windows operating system before creating the folder where you plan to install SSO. If they are not, the SSO installation fails.
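Whether 8.3 names are enabled is a per-volume setting, and a folder created while creation was disabled keeps no short name even after creation is re-enabled, so both need checking. The script below is an added example, not from the VMware README: it asks fsutil for the effective 8.3 state of the install volume and, if the install folder already exists, verifies that every component of its short path actually fits the 8.3 pattern. The install path is an assumed example; use the folder you will choose in the installer. It needs Windows Server 2008 R2 / Windows 7 or later for the fsutil 8dot3name subcommand.

```powershell
# Added example (not from the VMware README). Checks 8.3 short-name creation on the SSO install
# volume and whether an existing install folder has short names. $installDir is an assumed path.
$installDir = 'C:\Program Files\VMware\Infrastructure\SSOServer'

function Test-ShortNameCreation {
    param([string]$Volume)
    # fsutil combines the registry value NtfsDisable8dot3NameCreation with the per-volume flag and
    # prints e.g. "Based on the above two settings, 8dot3 name creation is enabled on C:."
    $out  = & fsutil.exe 8dot3name query $Volume 2>&1
    $line = $out | Where-Object { $_ -match '8dot3 name creation is (enabled|disabled) on' } | Select-Object -First 1
    if ($line -and $line -match '8dot3 name creation is (enabled|disabled) on') { return ($Matches[1] -eq 'enabled') }
    throw "Could not read the 8dot3 name state for $Volume`: $out"
}

function Test-PathHasShortNames {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # folder not created yet
    $fso = New-Object -ComObject Scripting.FileSystemObject
    # ShortPath substitutes the 8.3 alias for each component that has one; a component without an
    # alias keeps its long name, so any component that does not fit 8.3 has no short name.
    $short = $fso.GetFolder($Path).ShortPath
    $components = @($short -split '\\' | Select-Object -Skip 1)   # drop the drive letter
    foreach ($c in $components) {
        if ($c -notmatch '^[^\s.]{1,8}(\.[^\s.]{1,3})?$') { return $false }
    }
    return $true
}

$volume = Split-Path -Qualifier $installDir   # e.g. C:
$creationEnabled = Test-ShortNameCreation -Volume $volume
$folderOk = Test-PathHasShortNames -Path $installDir

"8.3 name creation on $volume : $creationEnabled"
if ($folderOk -eq $null) {
    "Folder $installDir does not exist yet; it will get a short name only if creation is enabled."
} else {
    "Existing folder has 8.3 names for every path component: $folderOk"
}
if (-not $creationEnabled) {
    # Enable creation for this volume (elevated), then create the install folder. An existing
    # folder can be given an alias afterwards with: fsutil file setshortname <folder> <8.3NAME>
    Write-Warning "Run 'fsutil 8dot3name set $volume 0' before creating the SSO install folder."
}
```

The 0 in fsutil 8dot3name set means "enable creation" for that volume. Enabling creation does not retroactively name existing folders, which is why the second check exists.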
vSphere Web Client might appear inaccessible or plug-in modules might not be visible in the vSphere Web Client
After updating the vCenter Server Appliance to 5.1.0a, the appliance does not prompt for a reboot or reboot automatically. When the vSphere Web Client is later updated with a newer version of a vCenter Server plug-in module found on vCenter Server, the vSphere Web Client might appear inaccessible or the new plug-in might not be visible. After updating the vCenter Server Appliance or a vSphere Web Client plug-in, reboot the vCenter Server Appliance to complete the process.