Home > Blogs > VMware vSphere Blog


Allow me to introduce you to vCenter Single Sign-On 5.5

With the announcement at VMworld on the upcoming vSphere 5.5 release, one area that I have been greatly involved with (hence why I have been in stealth mode), has been the new and improved vCenter Single Sign-On. You may still say why do we need it? and why change something that wasn’t broke to begin with! but hang in there and let me highlight the changes and the benefits you will see as you begin to look at vCenter Server 5.5.

With the new release, this shows we heard you loud and clear! vCenter Single Sign-On 5.1 at release lacked some expected functionality (limited Active Directory integration), complex to manage (SSL Certificates) as well as lack of guidance on how to best deploy vCenter Single Sign-On. Not to knock the current version with vCenter Server 5.1 Update 1b which is now a very stable platform to build on and guidance available via a recent deployment whitepaper, vCenter Single Sign-On 5.5 builds on these challenges and now provides a rich and fully capable vSphere authentication experience with much of the complexity removed.

Architecture

vCenter Single SIgn-On 5.5 has been rewritten from the ground up to provide the level of service expected from a VMware product. The new architecture is based on a multi-master model where each instance is automatically kept up to date with it peers via builtin replication. You can create sites to provide logical groupings of registered resources that maybe geographical or organizational separate as well as support for multiple tenants.

Database
Well that’s easy, we have removed the dependency on an external database completely. The multi-master architecture now provides the necessary storage for the vCenter Single Sign-On configuration as well any embedded users and groups defined.

 

Certificates
While the same concept from vCenter Server 5.1 has been maintained in vCenter Server 5.5, the vCenter Certificate Automation tool has been updated to support vCenter Server 5.5. If you are required to update certificates, simply create or obtain the new certificates and the tool will update the various vCenter Server components for you.

 

Installation
We can all agree to banging our heads on the best way to deploy vCenter Single Sign-On and with vSphere 5.5, vCenter Single Sign-On is now a simple single deployment model where the only decision is based on placement being the first vCenter Single Sign-On deployment or an additional vCenter Single deployment for an additional vCenter Server. Although we support the in-place upgrade of previous vCenter Single Sign-On 5.1 configurations, the updated architecture really benefits being local to vCenter Server, the terminology of Single Sign-On High Availability and Multisite have now merged into the single deployment option.

 

Troubleshooting and Diagnostics
In vCenter Single Sign-On little was to be said about the support tools to aid with diagnosing issues and troubleshooting authentications. With the general release of vCenter Server 5.5 and vCenter Single Sign-On 5.5 we are supplying a suite of tools that allow you to view your entire vCenter Single Sign-On configuration and make changes when necessary.

For example I may need to change the replication between many vCenter Single Sign-On instances or review certificates used by vCenter Single Sign-On.

All of these advanced or one time administration tasks are now possible with the tools being provided but remember the typical day to day administration tasks are best handled by the vSphere Web client 5.5. The best part of using these tools is there no longer is a notion of the master password which frustrated many with vCenter Single Sign-On 5.1, a vCenter Single Sign-On administrator has full functionality with no hidden extras.

 

I have plenty of great information to share with you on vCenter Single Sign-On so stay tuned for updates

 

46 thoughts on “Allow me to introduce you to vCenter Single Sign-On 5.5

  1. The FluffyAdmin

    A very welcome change! We ran into the AD cross-forest limitation and have been waiting for an update. I am also very glad to see the database vanish. Preparing that database and the users (and the bizarre limitation that they could not be domain users and other constraints) was a real pain. So glad you have smoothed that all out. Looking forward to upgrading.

    Reply
  2. papavm

    Nice to hear all the new features that’s in the pipe. When can we see this in action? Looks good in paper. Would like to try the certificate automation tool.

    Reply
  3. John

    I am sorry i disagree….. This is not a nice feature and the one major feature that was left out was to OPT out of SSO to begin with. This is a sudo AD implementation that is not needed in MOST environments. Why do i need to create a directory for security if i already have one that maintains my current environment. This is great if you have nothing to begin with or you are not a Windows shop. However if i have AD implemented why do i need to maintain, troubleshoot and figure out how or when to upgrade SSO. Most companies already have a security model and VMWare needed to integrate into it better for easier management within the vsphere product line. This just complicates the environment with NO benefit. VMWare left out the biggest and best feature…. To not install it to begin with. I am a full VMWare shop but HyperV is looking better and better to me each time VMWare comes out with something New and Great for me….

    Reply
    1. Justin KingJustin King Post author

      Sorry John that you disagree, your welcome to your opinions but i need to correct some of your facts. To be able to use technologies like AD we need to have a way to interact with vSphere and SSO provides the necessary connectivity. This is not a replacement for AD or a directory of security, all SSO provides is the connectivity of users/groups from external identity sources like AD, (yes we do have customers with non AD environments). Roles and permissions are controlled as they were before SSO at the solution level. The improved architecture and installer is really simple and we have removed all the complexity found with SSO 5.1 to where you no longer need to worry about the configuration or upgrade process

      Reply
      1. Jeeves

        I think what John is trying to say is that AD was being used with vCenter Server prior to SSO. Not quite as flexible, but it worked fine. Web client could have used same type of AD integration as vSphere client. At least as an installation option that user can choose instead of more sophisticated authentication architecture using SSO. It is always a good idea to giver users choice rather than forcing. Anyway, it is history now. With streamlining of installation process in 5.5 fewer people will complain about not having choice.

        Reply
  4. Dave

    Great to hear of all the new updates and ease of deployment. The next big question is when is it expected to be available to download so we can start labing the product? Any ETAs?

    Reply
  5. Xterm

    Glad to see these changes comming. You will have to admit that SSO 5.1 was a real shame for VMware. A very confusing architecture and obscure tool relying on an external database it really did not need and with manual and cumbersome sync. It could be something technically good, but it was operationally useless. Unfortunately companies have mediocre people operating the systems everyday, SSO was not up to them.

    Reply
  6. Orange

    Sorry Justin – I am with John. A feature that has caused us so much heartache we rolled back to 5.0 U2. I too am looking at Hyper-V as the new features of vSphere offer little but added complexity for minimal gain.

    Reply
  7. VMAdmin

    What sort of time frame are we looking at for this to become available? Days, weeks, months? I have projects that need to begin and at the moment I have to either wait for this or go with Hyper-V, we have both but the new VMware setup is not yet ready. If this is coming soon I can convince people to hang on, if not the Hyper-V it is.

    Reply
  8. papavm

    I completely agree with couple of comments above. There should have been an option to opt out of SSO. we are happily running 5.0U2 and decided not to upgrade to 5.1 just reading the nightmare on SSO 5.1. Glad that we decided not to upgrade. A shop where only vCenter is in use, SSO doesn’t add any functionality, just headache of managing one more piece of software. Yes, we are investigating Hyper-V as well.

    Reply
  9. Seamus OBrien

    I have had loads of issues with SSO especially when I have tried to replace the certs with external ones. The instructions are complex and the issues I am facing make me look stupid in front of my clients. The cert automation tool did not work. I will never understand why sso was not made an optional install.

    Reply
  10. Pingback: Welcome to vSphere-land! » vSphere 5.5 Link-O-Rama

        1. March

          Windy,
          If you’re in a rush to make a decision, I don’t know why you have a decision to make.
          Hyper-V is cheaper, and MS will always find ways to improve it to the point where it comes close to vSphere. If the feature set of Hyper-V satisfies your requirements, then sure, maybe Hyper-V is right for you.
          But you better look very hard at the features you need. There’s a reason that vSphere is the leader. It costs more, but there’s a million reasons that companies choose it over Hyper-V.

          Also, I don’t quite understand all the gripe about SSO. I upgraded our infrastructure from 4.1->5 then 5->5.1, and SSO was annoying, but it has forward-thinking that is key to it. Not like SSO is some enormous component that is unwieldy or something…

          Reply
  11. Scott Gottesman

    I know everyone is asking like little kids going to Disney world “when when when” is the product being released. I would like to know when manual and a design white papers are going to be release? before I even think of doing the actual installation, we need to better understand the design requirements. once bit, twice shy.

    Reply
  12. Matt R

    Great to see a rebuilt SSO for vCenter 5.5. The SSO service with 5.1 should not have been released for primetime and was the sole reason we never used 5.1 outside of a test environment.

    Reply
  13. Mordock

    Is there documentation anywhere on doing a scripted install of SSO 5.5. I was able to get the beta/rc to install using the .exe. But the .exe is not in the RTM version, only an .msi and it does not seem to work the same as the earlier .exe file. It seems to be failing with a 1920 error starting the VMWareDirectoryService starting the rollback and then finally errors out with a 1603 error.

    It does seem strange that every other component of vCenter 5.5 is installed with an exe, but SSO only has an .msi file on the distribution CD.

    Reply
    1. Mordock

      Finally determined that every one of the 7 apps in the prerequisites folder within the Single Sign-on folder have to be installed individually before doing the .msi install of Single Sign-on. The .exe in the beta/RC did these for you as does the GUI based install. Never a dull moment.

      Now if only someone would tell me how to script adding the identity source to the domain and I will be a happy camper. The VMware FAQ says you can’t script Identity Sources. Somehow I don’t believe that. I can’t see them adding them manually after every daily build during development of the products. I am almost ready to start reverse engineering their Java code to figure it out.

      Reply
        1. Mordock

          your email address isn’t here, so I had to guess, I also sent you a friend request with my email from Linked-in. David

          Reply
  14. Ron

    So far so good.. I still have a gripe about the GUI configuration interface. Regarding the AD Authentication tab. It would be a simple thing to add some verbage on this tab to say that you are joining the appliance to AD. Thus is you have policies like we do that require computer objects to be created first prior to joining, you’ll tear less hair.

    Reply
  15. Hollister

    Won’t be futile cotton-canvas sacks depart, this game is resplendent, proper? Virtually all brands which often look to hard work the specific non-leather voodoo their homeowners do the work offering hand bags which happens to be obnoxiously boring or perhaps enormously fast; remaking gorgeous home owner and all sorts of it truly is signature important information with the metal can be described as feature large significance observing. Equally sincerely worth stating certainly is the affordability: $1550, which is to be, in truth, a substantial amount of finances for just a material bag, might be their own cut near set properly as whether or not it has been attached all together because of the easily magic elves about Celine.Quite, I actually simply cannot aid to still get curious. Celine cost is notoriously difficult to come up with, sadly my studies show certain skin style for this carrier could possibly be a $2600, if not more. Mainly because, the $1550 charge represents an enormous selling price tag price, do not its always fairly extremely high. At least, Celine is ample follow mainly because site visitors to listen to that people don’t do a substandard products for a $200 reduction.I could see browsing this key fact box should i were initially generously successful that will create the handbag outfit i’d been needing; itd continually be exhilarating that will help celebration it’s inside of the island clubhouse for your season and also two, therefore youre looking intended for living long (cost-effective a particular designer handbag this will stand against smudges and colors stickers much better), Id badges yet advise a sensible and / or maybe Phantom Luggage in a different way because black color neutral. Save the price, itll turn into more than worth it over the years. Things assume your site?

    Reply
  16. trinidaduyyy.newsvine.com

    According to the survey, China has more than 150 million professional
    beauty institutions, but too closse the closure oof one third
    each year more than. Always apply a heat protectant
    sptay to your hair before using a curling iron, flat
    iron or hair dryer. In fact look around and you will see several
    successful business ideas already operational as franchises
    in thee market place and all you neewd to do iss to sign the franchise agreement and get started,
    instead of searching 101 vendors, suppliers,
    how to do’s, etc.

    Reply
  17. forbsy

    Hi. Am I able to change the SSO deployment mode post install? I recently installed vCenter Server 5.5 at two sites. I installed each site with the vCenter SSO for your First Site deployment option.

    I’ve since learned that I will be deploying SRM between these 2 sites. I would like to change the SSO deployment model on my secondary site to vCenter SSO for an additional vCenter Server with a new Site option. Is this possible? How do I go about that?

    Thanks

    Reply
  18. Flappy Bird Cheat

    Definitely believe that which you stated. Your favorite justification seemed to be on
    the web the simplest factor to take into accout of.
    I say to you, I certainly get annoyed at the
    same time as folks consider issues that they plainly don’t understand
    about. You controlled to hit the nail upon the highest as well as
    outlined out the entire thing without having side-effects
    , folks can take a signal. Will likely be again to get more.
    Thanks

    Review my blog post: Flappy Bird Cheat

    Reply
  19. Mark

    Where can I find the SSO Diagnostic & Troubleshooting Tools? 5.5 has been out for months and I have been searching and only find mentions that they are great (or will be great) but can’t find the download for them.

    Reply
  20. Pingback: VMware Link Collection | Life

  21. SE

    On the original topic of this thread “vCenter Single Sign-On 5.5″

    First off, I love my 2 ESXi 5.5U2 servers. Beyond the poorly documented (and time-wasting) USB chipset issues of installing FROM and TO a USB drive, ESXi server simply works, and it works so well. What an impressive piece of technology. The HyperVisor is awesome! I have been touting it for over a year. Basic management with the vSphere Client (the .NET app) could be taught to a 10-year-old. But I wanted a little more. Oh boy…

    While the software SKU’s are very confusing, I took the risk and bought Essentials (3 servers, 2 CPUs each). I wanted to unlock the API’s on my 2 ESXi 5.5U2 (free) hosts to use Veeam, etc. I was able to do that. The license took just fine and all seems well.

    After that I started on my mission to get this long-talked-about WebClient installed. Everyone talks about it, yet I have never seen this app running. Wow, what a nightmare. I felt just like I did when I first used Oracle 10 years ago, what a giant disorganized/scattered mess.

    So to get this WebClient working (I hear rumors that the .NET vSphere client is going away?), I have to install this SSO (Single Sign-On) layer installed. What is SSO? And why would I need it? Yes, I have to install this scattered nightmare of OpenSource/Linux/MS patchwork to get this WebClient to run to (supposedly better) manage my 2 ESXi 5.5U2 hosts. If I produced an installer that behaved like this, my customers would fire me.

    The ISO package I tried is “VMware-VIMSetup-all-5.5.0-2183112-20140901-update02″.

    I tried the “Simple Install” (funny) and of course I got what seems to be the 100% roadblock that most every user hits (unless you are a VMW certified genius). The SSO install fails (well you don’t really know that it is SOO as the message is vague). I tried the standalone install of SSO (as a guess), and I get the same result.

    Here’s an idea, when close to 100 out of 100 users hit the error, it is NOT a user error! I got the error that most every non-seasoned-VMW user gets, “There is a problem with this Windows installer package”. Actually there is no problem with the “Windows installer package”, the package is fine, the scattered mess known as SSO (a VMW child) is where the problem lies.

    VMWare’s own posting say this:
    “This is a known issue affecting vCenter Server 5.5. Currently, there is no resolution.”

    Now that is comforting. Everyone will be opening their wallets to buy entry-level licenses with this as one of their first finds after hitting the big install hurdle. Of course VMW is not going to make much on Essentials, nobody expects that, but there has to be a farm system to get people interested and pushing the technology to us mere mortals, so we can eventually evangelize to everyone about how awesome VMWare/ESXi is.

    Based on my reading of posts…
    So let me get this right, I need to become VMW certified in my spare time (I work 50-60 hours a week as a software developer) and install a bunch of prerequisites (MSSQL, OpenSSL, Python and certificates) to simply manage my 2 ESXi hosts in my home lab, or go spend $50K of consulting to get others to do this? This is nuts.

    I have given up on the VMW/Linux culture of scattered thinking, lack of attention to details and even worse usability. MS will greatly appreciate this kind of mess and if VMW/ESXi v6 doesn’t clean it up, then all but the very high-end very high-dollar virtualization market will go to MS – perhaps VMW is fine with that, it is their choice, this is just my opinion, and I can be told to just go away. Perhaps everyone is fine with MS taking the mid and bottom and VMW taking the upper-end. Yes, MS is not there, and they won’t be for a long time, VMW owns the enterprise market, I agree….and IBM owned the hardware and software market for a long time.

    Paid for VMW is giant mess unless you have lots of $ ready for the work-arounds and configuration. Perhaps something magical will happen with ESXi v6 but I don’t expect this to really pan out (usability cultures don’t change overnight). I will use my simple entry-level VMW Essentials purchase to have the unlocked APIs (for Veeam, etc.) but other than that, Essentials is worthless, to me and my 15 VMs, and it is not even possible to use it as s a doorstop! :) I can continue manage simpleton VMs manually. I do wonder what v6 will force people to do as the vSpehre .NET Client is said to be going away (of course there is no one word on this topic, scattered thoughts from many directions). Is the plan to lockout free ESXi 5.5 users? If so, others will be glad to take the business.

    In closing, it is actually somewhat comical to think that someone would pay $260/$560 for Essentials to enter into paid VMW and then spend big $ in VMW consultant fees to get it all working (one has to assume that they know all of the work-arounds for this vCenter install mess). What a mess VMW has created with SSO and the WebClient (no plug-and-play Lego blocks here, just a big hammer to swing at something). I sincerely do hope that VMW gets their act together in v6, I truly do. If they don’t, MS will gladly get it together. Small business needs a solution for virtualization and at this time, IMO, VMW just can’t deliver the management of their awesome ESXi 5.5 hypervisor.

    If you think I am an outlying rare case, perhaps that is the case, and that is fine, and so then I guess all will be fine and VMW v6 will crop up everywhere on Main Street, everyone singing praises. But I will bet anyone, that my assumption holds up: that I can take 10 $100K+ a year IT workers, that do not have VMW experience, and put VMWare Essentials in front of them, and few if any of them will get ESXi 5.5U2 and vCenter/WebClient to work within 50 hours. Assuming that I am right with that, this does mean something, and it doesn’t good.

    Best wishes

    Reply
  22. Aziz

    I have a question.

    Since the external database has been removed and directory store has been introduce, what is the location of the directory store files?

    Reply
  23. fonebargains.com

    I think everything published made a bunch of sense. However, consider this, suppose you wrote a catchier title?
    I ain’t saying your information is not solid, but suppose you added something that grabbed folk’s attention? I mean Allow me to introduce you to vCenter Single Sign-On 5.5 | VMware vSphere Blog – VMware Blogs is
    kinda plain. You ought to peek at Yahoo’s front page
    and watch how they create news headlines to grab people to click.

    You might try adding a video or a pic or two to get people interested about everything’ve written. Just my opinion, it might make your posts a little bit more interesting.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>