The installation of vCenter Single Sign-On is a relatively straightforward process when planned correctly. Because the installation touches many parts of the environment, it is important to review the vCenter Single Sign-On Server prerequisites prior to deployment, preferably during the initial design phase. Note that the vCenter Single Sign-On server is the first component to be installed, before any vCenter Server install or upgrade.
Active Directory Requirements
On the Microsoft Windows Server operating system, much of the vCenter Single Sign-On Server configuration is automated during installation, so making sure the installer has the correct access to the identity source (the Active Directory domain) of the vCenter Server is critical to the success of this operation.
- The vCenter Single Sign-On server requires its clock to be synchronized with the Active Directory domain controllers (Kerberos tolerates at most five minutes of skew by default).
- DNS must provide forward and reverse lookup resolution for the Active Directory domain controller(s) that the vCenter Single Sign-On Server will connect to.
- The vCenter Single Sign-On installer checks whether Active Directory requires secure LDAP. If your Active Directory requires SSL, confirm that there are no expired certificates in the Active Directory or vCenter Server environment: an expired certificate returned during that query prevents the identity source auto-discovery from completing and can lock you out of vCenter Server. Refer to KB 2034833: Implementing CA signed SSL certificates with vSphere 5.1.
- The machine account of the server on which vCenter Single Sign-On is installed and configured needs Active Directory read permission on user account and group membership properties (the default for domain member machines).
- The user or service account used to install vCenter Single Sign-On server should be an Active Directory account that holds local administrator privileges on the operating system of the SSO server.
- Firewall rules on the Active Directory domain controllers, including any applied by domain Group Policy, must allow access from the vCenter Single Sign-On server on TCP ports 389 (plain LDAP), 636 (LDAP over SSL), 3268 (plain Global Catalog) and 3269 (Global Catalog over SSL).
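The following PowerShell script is an added example, not part of the original post or of VMware's own tooling. It exercises the Active Directory prerequisites above from the intended SSO server: clock skew against a domain controller, forward and reverse DNS for that controller, reachability of the four LDAP and Global Catalog ports, and the validity dates of the certificate the controller presents on 636. It assumes PowerShell 2.0 or later on a domain-joined Windows host, WMI access to the domain controller for the time check, and dc01.corp.example as a placeholder domain controller name.

```powershell
# Added example (not from the original post): preflight checks for the AD
# prerequisites of vCenter Single Sign-On 5.1, run from the intended SSO server.
# Assumes: PowerShell 2.0+, domain-joined host, WMI access to the DC, and
# dc01.corp.example as a placeholder DC name.
param(
    [string]$DomainController = 'dc01.corp.example',
    [int]$MaxSkewSeconds = 300      # Kerberos default tolerance is 5 minutes
)

# TCP connect with a timeout. Named $ComputerName because $Host is a reserved
# automatic variable in PowerShell.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Forward lookup, then a reverse lookup of every returned address; the PTR
# name must come back as the same FQDN for the installer's discovery to work.
function Test-DnsRoundTrip {
    param([string]$ComputerName)
    $forward = [System.Net.Dns]::GetHostEntry($ComputerName)
    foreach ($ip in $forward.AddressList) {
        $reverse = $null
        try { $reverse = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { }
        New-Object PSObject -Property @{
            Address = $ip.IPAddressToString
            Forward = $forward.HostName
            Reverse = $reverse
            Match   = ($reverse -ne $null) -and ($reverse -ieq $forward.HostName)
        }
    }
}

# Clock offset against the DC, read from its WMI Win32_UTCTime class.
function Get-ClockSkewSeconds {
    param([string]$ComputerName)
    $t = Get-WmiObject -Class Win32_UTCTime -ComputerName $ComputerName
    $remote = New-Object DateTime($t.Year, $t.Month, $t.Day, $t.Hour, $t.Minute, $t.Second, [DateTimeKind]::Utc)
    return [math]::Abs(((Get-Date).ToUniversalTime() - $remote).TotalSeconds)
}

# Fetch the certificate the DC presents on 636 so its dates can be inspected.
# Chain validation is deliberately bypassed: this is inspection, not trust,
# and an expired or untrusted chain is exactly what we want to surface.
function Get-LdapsCertificate {
    param([string]$ComputerName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert
    } finally { $ssl.Close(); $client.Close() }
}

$skew = Get-ClockSkewSeconds $DomainController
"Clock skew vs $DomainController : {0:N1} s ({1})" -f $skew, $(if ($skew -le $MaxSkewSeconds) { 'OK' } else { 'FAIL' })

Test-DnsRoundTrip $DomainController | Format-Table Address, Forward, Reverse, Match -AutoSize

foreach ($p in 389, 636, 3268, 3269) {
    "TCP {0,-5} {1}" -f $p, $(if (Test-TcpPort $DomainController $p) { 'open' } else { 'BLOCKED' })
}

if (Test-TcpPort $DomainController 636) {
    $cert  = Get-LdapsCertificate $DomainController
    $state = if ((Get-Date) -gt $cert.NotAfter) { 'EXPIRED' } else { 'valid' }
    "LDAPS cert: {0} expires {1:u} ({2})" -f $cert.Subject, $cert.NotAfter, $state
}
```

Run it once per domain controller the SSO server may be pointed at; a reverse lookup that does not match the forward name, or an expired certificate on 636, are the two findings that most often surface only after the installer has already failed.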
vCenter Server Users and Permissions Requirements
It is important to know where your vCenter Server users and groups reside within your environment prior to installing the vCenter Single Sign-On server.
- Identify vCenter Server Domain and Local Users
vCenter Server local operating system accounts (for example hostname\Administrator) continue to work only if they are also local to the vCenter Single Sign-On server. If vCenter Single Sign-On is installed on a separate machine from vCenter Server, operating system accounts local to the vCenter Server will be unavailable. It is recommended to remove local operating system accounts from vCenter Server permissions and recreate them as vCenter Single Sign-On defined users after the vCenter Single Sign-On server is installed.
- Identify Cross Domain Users with vCenter permissions
With vCenter Single Sign-On and multiple domains in a trusted Active Directory forest, authenticating users from trusted domains that are not directly attached to vCenter Single Sign-On is unreliable. Identify every domain whose users hold vCenter Server permissions and add each one as a separate vCenter Single Sign-On identity source, regardless of the Active Directory trusts that exist. Do not rely on cross-domain group membership.
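Both identification steps above can be done from the existing permission list before SSO is installed. The PowerCLI script below is an added example, not from the original post or from VMware: it splits every permission's principal into its domain and account parts and classifies each as a local operating system account (to be recreated in SSO), an account from a domain you plan to add as an identity source, or an account from some other domain (which needs its own identity source entry). It assumes PowerCLI with Get-VIPermission, vc01.corp.example as a placeholder vCenter Server, and CORP as the only NetBIOS domain you intend to register; adjust the list to your design.

```powershell
# Added example (not from the original post): classify vCenter permissions by
# principal domain ahead of the SSO install. Assumes PowerCLI, placeholder
# vCenter vc01.corp.example and planned identity source list @('CORP').
param(
    [string]$VCenter = 'vc01.corp.example',
    [string[]]$PlannedIdentitySources = @('CORP')
)
Connect-VIServer -Server $VCenter | Out-Null
$vcHost = ($VCenter -split '\.')[0]   # local OS accounts appear as HOSTNAME\account

# Split "DOMAIN\account" or "account@domain" into (domain, account); anything
# without a qualifier is treated as local to the vCenter Server machine.
function Split-Principal {
    param([string]$Principal)
    if ($Principal -match '^(?<d>[^\\]+)\\(?<a>.+)$') { return $matches['d'], $matches['a'] }
    if ($Principal -match '^(?<a>[^@]+)@(?<d>.+)$')   { return $matches['d'], $matches['a'] }
    return '', $Principal
}

function Get-PrincipalClass {
    param([string]$Domain)
    if ($Domain -eq '' -or $Domain -ieq $vcHost)        { return 'LocalOS' }
    if ($PlannedIdentitySources -icontains $Domain)     { return 'IdentitySource' }
    return 'ForeignDomain'
}

$report = foreach ($perm in Get-VIPermission) {
    $domain, $account = Split-Principal $perm.Principal
    New-Object PSObject -Property @{
        Class     = Get-PrincipalClass $domain
        Domain    = $domain
        Account   = $account
        Principal = $perm.Principal
        IsGroup   = $perm.IsGroup
        Role      = $perm.Role
        Entity    = $perm.Entity.Name
        Propagate = $perm.Propagate
    }
}

$report | Sort-Object Class, Principal |
    Format-Table Class, Principal, Role, Entity, IsGroup, Propagate -AutoSize

# LocalOS entries must be recreated as SSO users after the install; every
# ForeignDomain value needs its own identity source entry in SSO.
$foreign = $report | Where-Object { $_.Class -eq 'ForeignDomain' } |
    Select-Object -ExpandProperty Domain -Unique
"Domains to add as separate SSO identity sources: $($foreign -join ', ')"
"Local OS principals to recreate in SSO: $(@($report | Where-Object { $_.Class -eq 'LocalOS' }).Count)"
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Keep the report: after the SSO install it doubles as the checklist for re-granting each recreated local account its previous role on the same inventory object.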
SSL Certificates
If your organization requires its own SSL certificates (self-signed or issued by your own CA) in place of the defaults to further secure communications with the vCenter Single Sign-On Server, the process for replacing them is documented separately and should be reviewed prior to install.
Microsoft SQL Server Database Requirements
- vCenter Single Sign-On server can only reach the database by server name and a fixed TCP port number. Named instances of SQL Server use dynamic ports by default, which vCenter Single Sign-On server does not currently support; configure the instance to listen on a static port.
- vCenter Single Sign-On server requires Microsoft SQL Server to run in mixed mode authentication (Windows and SQL Server authentication) for the installation.
- Prior to installing vCenter Single Sign-On server, create the vCenter Single Sign-On database. VMware provides example scripts on the vCenter ISO. For example, to use MS SQL Server, run the following scripts to create and populate the database:
<CDROM>\Single Sign-On\DBScripts\SSOServer\SQLServer\rsaIMSLiteMSSQLSetupTablespaces.sql
<CDROM>\Single Sign-On\DBScripts\SSOServer\SQLServer\rsaIMSLiteMSSQLSetupUsers.sql
Note: the included scripts are a guide; they need to be edited to meet the password and file location requirements of your organization.
- vCenter Single Sign-On server uses a JDBC connection for its database communication, so the TCP/IP protocol must be enabled on the Microsoft SQL Server instance.
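The three database conditions above (static port, mixed mode, TCP/IP) are easiest to confirm with a connection that behaves the way the installer's JDBC connection will: host plus explicit port, SQL Server login, no SQL Browser lookup. The PowerShell script below is an added example, not from the original post or from VMware. It assumes a SQL login that holds VIEW SERVER STATE (needed for the two DMVs it queries), SQL Server 2008 R2 SP1 or later for sys.dm_server_registry, and the placeholders sql01.corp.example, RSA and RSA_USER for the server, database and login you defined in your edited copy of rsaIMSLiteMSSQLSetupUsers.sql.

```powershell
# Added example (not from the original post): verify the SQL Server
# prerequisites for vCenter Single Sign-On 5.1 over a JDBC-style connection.
# Assumes: login with VIEW SERVER STATE, SQL 2008 R2 SP1+, and placeholder
# server/database/login names sql01.corp.example / RSA / RSA_USER.
param(
    [string]$SqlHost  = 'sql01.corp.example',
    [int]$Port        = 1433,
    [string]$Database = 'RSA',
    [string]$Login    = 'RSA_USER',
    [string]$Password = $(Read-Host 'SQL login password')
)

function Invoke-Scalar {
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$Sql)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Sql
    $v = $cmd.ExecuteScalar()
    if ($v -is [DBNull]) { return $null } else { return "$v" }
}

$conn = New-Object System.Data.SqlClient.SqlConnection
# "host,port" form: no SQL Browser lookup, like jdbc:sqlserver://host:port
$conn.ConnectionString = "Server=$SqlHost,$Port;Database=$Database;User ID=$Login;Password=$Password;Connect Timeout=10"
try { $conn.Open() }
catch {
    # Error 18452 ("login is from an untrusted domain") means Windows-only
    # authentication mode; a timeout means the port or TCP/IP is not reachable.
    throw "Cannot open $SqlHost,$Port as $Login : $($_.Exception.Message)"
}
try {
    $mixedMode = (Invoke-Scalar $conn "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)") -eq '0'
    $transport = Invoke-Scalar $conn 'SELECT net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    # IPAll listener settings as the service read them from the registry.
    $regSql  = "SELECT TOP 1 CAST(value_data AS nvarchar(16)) FROM sys.dm_server_registry WHERE registry_key LIKE '%\IPAll' AND value_name = '{0}'"
    $tcpPort = Invoke-Scalar $conn ($regSql -f 'TcpPort')
    $dynPort = Invoke-Scalar $conn ($regSql -f 'TcpDynamicPorts')
} finally { $conn.Close() }

# An empty TcpDynamicPorts value means the listener is pinned to TcpPort;
# a number there means the port was assigned dynamically at service start.
$staticPort = ($dynPort -eq '' -or $dynPort -eq $null) -and ($tcpPort -eq "$Port")

New-Object PSObject -Property @{
    MixedModeAuth    = $mixedMode
    TcpTransport     = ($transport -eq 'TCP')
    ConfiguredPort   = $tcpPort
    DynamicPortValue = $dynPort
    StaticPort       = $staticPort
} | Format-List MixedModeAuth, TcpTransport, ConfiguredPort, DynamicPortValue, StaticPort
```

All three booleans must come back True. A successful connection with TcpTransport False means the client fell back to shared memory or named pipes because it was run on the SQL host itself; run the check from the SSO server instead.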
Single Sign-On Requirements
- During the installation you will be required to set a password for the admin@System-Domain account. The password cannot include any of the following characters:
- ^ (circumflex)
- * (asterisk)
- $ (dollar)
- ; (semicolon)
- " (double quote)
- ) (right parenthesis)
- < (less than)
- > (greater than)
- & (ampersand)
- | (pipe)
- a trailing space (in some cases this also causes the installation to fail)
The same password is also used as the initial SSO master password. The master password is a separate credential from the admin@System-Domain account password and will be required later (for example, for recovery), so record it securely.
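Passwords produced by a generator are the usual way to trip over this list, since most generators include ^, $, ;, &amp; and | by default. The script below is an added example, not from the original post or from VMware: it checks a candidate password against exactly the restrictions listed above and generates one from the Windows CSPRNG using an alphabet that excludes them. It enforces only the restrictions on this page; the installer's own complexity policy is not modelled.

```powershell
# Added example (not from the original post): validate and generate an
# admin@System-Domain password that avoids the characters the SSO 5.1
# installer rejects. Only the restrictions listed on this page are enforced.
$ForbiddenChars = [char[]]'^*$;")<>&|'

function Test-SsoAdminPassword {
    param([string]$Password)
    $problems = @()
    foreach ($c in $ForbiddenChars) {
        if ($Password.IndexOf($c) -ge 0) { $problems += "contains forbidden character '$c'" }
    }
    if ($Password -ne $Password.TrimEnd()) { $problems += 'ends with whitespace' }
    return $problems          # empty means the password is acceptable
}

function New-SsoAdminPassword {
    param([int]$Length = 16)
    # Alphabet written without any forbidden character, then double-checked.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%+-./:=?@_'
    $alphabet = @($alphabet | Where-Object { $ForbiddenChars -notcontains $_ })
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 4
    $n     = $alphabet.Count
    # Largest multiple of $n that fits in 32 bits; draws at or above it are
    # rejected so every symbol is equally likely (no modulo bias).
    $limit = [uint64]4294967296 - ([uint64]4294967296 % $n)
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        do {
            $rng.GetBytes($buf)
            $r = [uint64][BitConverter]::ToUInt32($buf, 0)
        } while ($r -ge $limit)
        $alphabet[[int]($r % $n)]
    }
    return -join $chars
}

# Constructed sample: a typical generator output that the installer would reject.
$candidate = 'Passw0rd$;'
"'$candidate' -> " + (@(Test-SsoAdminPassword $candidate) -join '; ')

$generated = New-SsoAdminPassword 20
"'$generated' -> " + $(if (@(Test-SsoAdminPassword $generated).Count -eq 0) { 'OK' } else { 'rejected' })
```

Run Test-SsoAdminPassword on whatever you intend to type into the installer, including passwords pasted from a vault, since a trailing space picked up by copy and paste is the one case the eye will not catch.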
All these recommendations are correct at time of writing with vCenter Server 5.1.0B release. The VMware labs (labs.vmware.com) has just released a vCenter 5.1 Pre-Install Check Script that will check the above requirements for you. Thanks to Alan Renouf for providing this.
vCenter Single Sign-On – Part 1: What is vCenter Single Sign-On?
vCenter Single Sign-On – Part 2: Deployment Options
vCenter Single Sign-On – Part 3: Availability