vSphere vCenter Single Sign-on
Best Practices
Josh Gray, VMware
Justin King, VMware
Jonathan McDonald, VMware
VSVC5635
#VSVC5635
2
vSphere Deployment Best Practices – vCenter Server 5.1
▪ What is vCenter Single Sign-On
▪ vCenter Single Sign-On 5.1
• Architecture
• Deployment Configurations
• Database
• 5.1 Architectural References
• Single vCenter Server
• Multiple vCenter Servers (Local)
• Multiple vCenter Servers (Remote)
▪ Deployment Best Practices and Recommendations
• Deployment / Installation / Upgrading / Availability
▪ Challenges / Lessons Learned with Single Sign-On 5.1
▪ vCenter Single Sign-On 5.5 (NEW)
• What's New with vCenter Single Sign-On 5.5
• Deployment Configurations
4
What is: vCenter Single Sign-On Server
▪ Provides Secure Token Exchange (SAML 2.0) between solutions
▪ When you access an SSO enabled solution the solution will request an extension to SAML 2.0 Token TTL
▪ First component to touch (regardless of install/upgrade)
▪ Design before implementing!!
[Diagram: vCloud Director, vCenter and vCO connected to vCenter Single Sign On (SSO)]
▪ Authentication Services for the vSphere Platform
▪ A component of vCenter Server
▪ vCenter Single Sign-On creates an authentication domain where users are trusted to access available resources (vCenter etc)
• no longer log into vCenter directly*
▪ Multiple identity sources (Active Directory, OpenLDAP etc)
5
What Components Have Integrated With SSO?
[Diagram: components integrated with SSO: Inventory Service, Web Client, vCenter, VCO, Log Browser, VSM, VCD *, SRM, VCOPS, VDP, Others, Partners; timeline labels 2013 and 2014]
* VCD is partially integrated with SSO, only provider side logins can be integrated with SSO
6
How Does vCenter Single Sign On Work?
[Diagram: authentication flow through vCenter Single Sign On]
1. Web Client: Login (user, pswd)
2. Issue Token (user, pswd)
3. Authenticate against an identity source: AD (Domain 1), OpenLDAP, SSO users (SSO data), or Local OS users
4. Token
5-9. Login (Token) to vCenter 1, vCenter 2, VCO, vShield and vCloud Director
7
vCenter Single Sign On Server
▪ Registry of Single Sign-On enabled solutions
▪ One time manual registration of vCenter 5.0 needed for discovery by vSphere Web Client. (5.1 Only)
▪ Linked Mode required to provide a single pane of glass view across geographically separate vCenters
▪ Linked Mode:
• Sharing of Permissions
• Sharing of Roles
• Sharing of Licenses
9
vCenter Single Sign-On 5.1 Configurations
Basic vCenter Single Sign-On
[Diagram: one vCenter Server host or VM running vCenter Server, Web Client, Inventory Svc and SSO Server (Basic), with a VC Database and an SSO Database]
▪ Most common deployment option (VMware recommended)
▪ This is a single standalone instance of the SSO server that supports the connectivity of Active Directory, OpenLDAP, Local Operating System and SSO embedded users and groups
▪ This typically would be local to the vCenter Server
▪ Used by the vCenter Server Simple Install option
▪ Preinstalled with the vCenter Server Appliance
10
vCenter Single Sign-On 5.1 Configurations
Primary vCenter Single Sign-On
▪ Used for advanced configurations
• vCenter SSO High Availability (SSO HA)
• Local Copy at Remote Sites (Multisite)
▪ Installable version of SSO (Windows Only)
▪ Selected with the Individual Installer
▪ Supports the connectivity of
• Active Directory
• OpenLDAP
• SSO embedded users and groups
▪ Does not support the use of local operating system user accounts
▪ Only one Primary node can exist in a single SSO environment
[Diagram: one vCenter Server host or VM running vCenter Server, Web Client, Inventory Svc and SSO Server (Primary), with a Database]
11
vCenter Single Sign-On 5.1 Configurations
vCenter Single Sign-On HA Backup (SSO HA)
▪ Third Party Load Balancer + configuration + Support
▪ Complex to set up
• Update SSL certificates
• Repointing of vCenter components
▪ No Protection of Shared Database
▪ Limited Functionality when failed over
• Administration lost
• No service restarts
▪ Availability – Same as vCenter Server
• vSphere HA, vCenter Heartbeat
▪ Provides failover of vCenter SSO server
▪ Centralized vCenter SSO server for multiple local vCenter Servers
▪ Select with the Individual Installer
[Diagram: vCenter Server 1 and vCenter Server 2 (each with vCenter Server, Web Client, Inventory Svc) connect through a Load Balancer to SSO Server (Primary) and SSO Server (HA Backup), each on its own host or VM, with a Shared Database]
12
vCenter Single Sign-On 5.1 Configurations
vCenter Single Sign-On MultiSite
[Diagram: three sites (New York, Los Angeles, Miami), each with a vCenter Server, Web Client, Inventory Svc and local databases; one Primary SSO Server and two Multi Site SSO Servers]
▪ Local Authentication
• Removes additional risk (WAN)
• Maintains same SSO security domain
▪ Required for Linked Mode
▪ Selected with the Individual Installer
▪ Does not provide site redundancy
▪ Manual steps required to maintain synchronization of SSO users/groups/policies etc
1. Install Primary SSO in NY
2. Install IS, VC in NY
3. Install Multisite SSO in LA
4. Replicate SSO from NY to LA
5. Install IS, VC in LA
6. Replicate SSO in LA to NY
7. Repeat steps 3-6 for each site
13
vCenter Single Sign-On Database
1. vCenter Single Sign-On
• Hard naming requirements (RSA)
• Schema Scripts provided on ISO
• SQL Authentication required
• JDBC connection
Supported Databases
• Oracle
• Oracle 10g (rel2) / Oracle 11g (rel1-rel2)
• Microsoft SQL Server
• SQL Server 2005 (SP4) / 2008 (SP1-SP3) / 2008 R2 (SP1-SP2) / SQL Server 2012
• Embedded vPostgres (vCenter Appliance only)
16
Single vCenter Server Design Recommendation
[Diagram: one vCenter Server host or VM running vCenter Server, Basic SSO Server, Web Client and Inventory Svc, with a VC Database and an SSO Database]
Use Simple Installer
Installs / Upgrades core components with a single virtual machine
1. vCenter Single Sign-On
2. vCenter Inventory Service
3. vCenter Server
4. Additional install: vSphere Web Client
▪ No change to architecture
▪ All services are local
▪ Supports 1-1000 Hosts / 1-10,000 Virtual Machines
▪ Distributed model adds unnecessary complexity and recovery challenges
17
Multiple Remote vCenter Server Design Recommendations
▪ Multiple single vCenter Server design
▪ Each site is independent
▪ No single pane of glass view
▪ Linked Mode
▪ Maintains single pane of glass
▪ Replicates Licenses, permissions and roles
▪ Availability
▪ vSphere HA
▪ vCenter Heartbeat
[Diagram: two layouts for New York, Los Angeles and Miami, each site with its own vCenter Server, Web Client, Inventory Svc and local databases: one with a Primary SSO Server and two Multi Site SSO Servers, the other with a Basic SSO Server at every site]
18
Multiple Local vCenter Server Design Recommendations
▪ Centralized SSO authentication
• Same Physical location
• Metropolitan / College Campus
▪ Single Centralized vSphere Web Client
▪ Availability (Required)
• vSphere HA
• vCenter Heartbeat
Simple with full functionality
[Diagram: three vCenter Servers (each with vCenter Server and Inventory Svc) share one Basic SSO Server with a local SSO database, one Web Client, and a database server hosting VCDB1, VCDB2, VCDB3]
20
Common Issues – Login Problem / Failures
▪ Login problems are the primary problem we see with SSO
▪ Fall into several basic categories
• Login fails with an STS error:
• Common Causes/ troubleshooting:
• vCenter SSO Service is not accessible – check networking
• vCenter SSO Service is down – check services configuration
• If the service cannot start:
• Commonly it is database related – Check SQL connectivity and availability
• Validate that passwords have not expired or changed
• check imsTrace.log for errors relating
21
Common Issues – Login Problems / Failures (2)
• Login fails with credentials not valid error
• Common Causes
• Incorrect username or password specified
• Incorrect qualifying domain (@system-domain in this case) specified
• Password has expired – reset the password on the account.
• Account disabled or locked
• If none of these are working, check imsTrace.log to validate the error message for the
login
22
Common Issues – Login Problems / Failures (3)
• Login fails for admin@system-domain
• Similar to regular account failures.
• Use the following KB to reset or unlock the account:
Unlocking and resetting the vCenter Single Sign On (SSO) administrator password:
http://kb.vmware.com/kb/2034608
• Example command line usage from the KB:
• Always requires the master password. If lost, a reinstall is required.
• To change the master password the following command can be used:
23
Best Practices for Login Problems / Failures
▪ Ensure that SSO service is started and that other teams announce any maintenance that is occurring
• Most problems that GSS sees here are related to service being inaccessible
• This includes Database and more importantly networking
▪ Always make sure that the admin@system-domain master password is recorded
• This is the password which is set during the initial installation
• As long as you have the master password, there is a way to get into the system
• Think of this password as one which is similar to an Active Directory recovery password
24
Common Issues – Domain trusts
▪ 5.1 GA, A, B – No domain trusts function.
• Many domain topologies exist
▪ VMware Development working to ensure that all trusts are available and function with SSO
▪ Cause:
• SSO 5.1.x uses LDAP binds rather than native Windows API calls
25
Common issues - Permissions
▪ Even when authentication is successful, permissions can cause unexpected problems after login completes
▪ SSO administrator is admin@system-domain
▪ vCenter administrator is whatever is specified in the installer
• By default this will be the administrators group on the vCenter server
▪ If you don’t have permissions you may see:
26
Common issues – Permissions (2)
▪ Cause for this is that roles are by default separated
▪ vCenter log (vpxd.log) will show a vim.fault.NoPermission error
▪ Login with the appropriate administrator account and add permissions if desired
27
Best Practices – Permissions
▪ Configure a domain group for access by default rather than a user
• This will ensure that many users have access rather than a single user
• Allows for other users to still login if an account is locked out inadvertently
▪ Be sure to note down the group that was configured as the administrator access to vCenter during installation
• With the vCenter Linux appliance root has access by default
▪ Add additional SSO administrators other than admin@system-domain
• By adding separate users if an account expires, you can unlock the account by logging in with another user account
28
Best Practice - Local OS Accounts
▪ Recommendation: Move the use of local OS accounts in vCenter to SSO identity sources or embedded SSO user accounts
▪ Benefit: Depending on the architecture deployed the use of local OS accounts will more than likely be unavailable to vCenter server
▪ Tip: Set up a local SSO group and add AD/SSO users and/or groups and apply vCenter permissions to the SSO group
29
Common Issues - Certificates
▪ Certificates are used for security for SSO
• All VMware components use certificates for communication
• If a certificate is invalid or expired, SSO will reject communication
• All services which are registered into SSO need a valid certificate
▪ Installs to vCenter 5.1 will fail if the certificate is invalid when upgrading
• The following certificates need to be VALID to successfully upgrade to 5.1
• SSO
• Inventory Service
• vCenter
• More information on this in KB:
Upgrading to vCenter Server 5.1 fails with the error: Certificate already expired (2035413)
30
Common Issues – Certificates (2)
▪ Replacing the certificates is difficult due to the number of steps
▪ VMware engineering recognized the difficulty introduced and released the SSL Certificate Automation Tool
• Automates the installation and configuration of new certificates
• KB to the tool:
Deploying and using the SSL Certificate Automation Tool (2041600)
▪ Not a certificate authority
• Will generate the certificate requests and install the resulting certificates
• Will not generate the certificate, admin has to get this from the CA still
31
Create SSO Database
▪ Recommendation: Create the SSO database prior to installation
▪ Benefit: You will be asked to connect to the database during SSO install; otherwise you will not be able to continue
▪ Tip: Use the scripts provided on the vCenter ISO, make sure you edit them with database location and user account passwords before executing
32
Configure SSO Before Upgrading vCenter Server
▪ Recommendation: When upgrading, install SSO then web client before other components
▪ Benefit: This will allow you to preconfigure the identity sources prior to vCenter upgrade and eliminate any login risks post install
▪ Tip: Add a domain user as an SSO admin, log out and in as the user to confirm configuration before proceeding
33
vCenter Server – Availability
▪ Recommendation: Protect the vCenter Suite, not individual components
▪ Benefit: If high availability is desired use a solution that protects all components to maintain dependencies
▪ Tip: vSphere HA and vCenter Heartbeat can protect all components whether distributed or local with same license. vDP 5.5 also restores without vCenter and can also be used
35
Challenges with vCenter Single Sign-On 5.1
▪ Active Directory Integration
• Does not work effectively in multi-forest / trusted domain environments
• Does not scale in environments with 15K or greater users
• Administration is limited
▪ Certificates
• SSL communications challenging
• Difficult to change / update
▪ Installation
• Database requirements / security concerns
• Many installable configurations
• Difficult to change / reconfigure post install
• Complex
▪ Diagnostics
• Troubleshooting tools – non existent
37
What's New with vCenter Single Sign-On 5.5 (in short)
▪ Improved architecture
• Multi-master
• Built-in replication
• Site awareness
• Multi Tenant
▪ Database
• There is no Database!
▪ Installation
• One simplified deployment model
• Select vCenter Single Sign-On for the first or an additional vCenter Server
▪ Diagnostics
• Full suite of diagnostic / Troubleshooting tools
[Diagram: vCenter Single Sign-On 5.5 spanning SSO Site 1 and SSO Site 2, serving three vCenter Servers, each with Web Client and Inventory Svc]
38
vCenter Single Sign-On 5.5 - Installation
▪ Prerequisites
• Hostname has a FQDN and is DNS resolvable (forward/reverse)
• Joined to an Active Directory domain (if integrating with Active Directory)
• Windows 2008 x64 SP2 or higher (or use vCenter Appliance)
39
vCenter Single Sign-On 5.5 - Installation
▪ Simple Installer
• single vCenter Server environments
▪ Individual installer
• multiple vCenter servers and / or advanced configurations
▪ Installer Steps
1. Accept License agreement (EULA)
2. Prerequisite check summary
3. Edit default port number 7444 (if necessary)
4. Select Deployment placement
5. Provide Administrator@vsphere.local password
6. Provide a site name or select a previous site name
7. Edit destination directory (if necessary)
8. Summary
9. Installation Complete
▪ Upgrading? admin@system-domain? Account becomes an alias of administrator@vsphere.local
40
Supports Upgrade of all vCenter 5.1 configurations
Previous vCenter Single Sign-On 5.1 deployment models
• Fully Maintained via Upgrade
• Basic
• Single Sign-On High Availability
• Single Sign-On Multisite
New recommendations with vSphere 5.5
• Take advantage of new technology
• Single virtual machine for all vCenter components**
• Distributed virtual machines add complexity
• Availability / Backup & Restore
• Management
• Easily migrate to new recommendations during upgrade
** Enterprise customers with 6 or more local vCenter servers can use a centralized instance
41
Types of Identity Sources
What is an identity source?
An external domain or repository of users and groups
Identity Sources supported with 5.5
1. Native Active Directory (Recommended)
• Uses Kerberos via machine account or SPN (Load Balancer)
2. Active Directory as an LDAP server
• This was done for backward compatibility to 5.1
• Not likely to be supported post 5.5
• Same limitations as in 5.1
3. OpenLDAP
4. Local Operating System
5. Single Sign-On
Configuring your VC Server
When you configure your VC Server,
make sure to set the VC Administrator as
administrator@vsphere.local. DO NOT
SET THE VC Administrator to be a Local
OS account.
42
Diagnostics
▪ vCenter Single Sign-On 5.5 Diagnostic Tools
▪ Perform all administration and reconfiguration from MMC snap-in
• vCenter Single Sign-On services need to be running
▪ KB to troubleshoot startup issues
▪ Separate download
• So we can update independently and add exciting new features
43
Replication
▪ Built-in Replication
• Between each Single Sign-On server deployed in the same vSphere authentication domain
▪ Replication Partners
• Review / Add / Remove / Edit
▪ Geographically Separated Single Sign-On sites
• Reduce overhead
• Provide Redundancy Links
44
Backup / Restore / Availability
▪ Backup / Restore
• Virtual Machine**
• Snapshot
• Tape / Disk
• vDP (now supports host level restore)
• Application (KB with GA)
• Registry Keys
• SSL Certificates (tcserver)
• Certificate server
• KDC
• VMDir (vdcbackup)
▪ Availability of vCenter Single Sign-On server
• No different to vCenter
• Why? vCenter is the primary resident of the Single Sign-On server
• vSphere HA, vCenter Heartbeat
**Additional step required when multiple SSO instances are configured
45
The log files provided by Single Sign On include:
▪ vminst.log: Single Sign On installer log
▪ vim-sso-msi.log: MSI installer verbose logs for Single Sign On installation
▪ vim_ssoreg.log: Single Sign On Lookup Service log
▪ exported_sso.properties: Endpoint information about each of the Single Sign On Solution Users and identity sources extracted from previous vCenter Single Sign On 5.1.0 instance
▪ vim-openssl-msi.log: MSI installer verbose log for OpenSSL installation
▪ vim-python-msi.log: MSI installer verbose log for Python installation
▪ vim-kfw-msi.log: MSI installer verbose log for MIT Kerberos installation
Single Sign On logs are grouped by component and purpose:
▪ vmdird\vdcpromo.log: Promotion and demotion operation information for the Single Sign On instance when joined or removed from a linked configuration
▪ vmdird\vdcsetupIdu.log: VMware Directory Service setup post-installation log containing information about the localhost name
▪ vmdird\vmdir.log: Health reports for the VMware Directory Service service and the Lotus VMDir database
▪ vmkdcd\vmkdcd.log: Key Distribution Center (kdc) run-time log, reports port conflicts preventing the service from starting
▪ vmware-sso\vmware-sts-idmd.log: VMware Identity Management service run-time logs, time-stamped records of user attempts when accessing Single Sign On for administrative purposes
▪ vmware-sso\vmware-sts.ldmd-perf.log: VMware Identity Management service performance counter logs
▪ vmware-sso\VMwareIdentityMgmtService.<date>.log: Commons Daemon log once the Identity Management Service has started
46
Additional Information
▪ Deprecated Functionality
• NIS Identity Source
• More than one default domain per Identity Provider
• SMTP configuration and notification for password expiration by mail
▪ TCP Ports Used by SSO
• 2012 Control interface RPC for VMDirectory
• 88, 2013 Control interface RPC for the Kerberos
• 2014 RPC port for all VMCA APIs
• 7444 vCenter Single Sign On - HTTPS
• 11711 vCenter Single Sign On - LDAP
• 11712 vCenter Single Sign On - LDAPS
• 12721 VMware Identity Mgmt Service
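The login-failure slides separate "SSO service is not accessible" (networking) from "SSO service is down" (services), and the port list above makes that distinction testable from a client. The Python sketch below is an added example, not VMware tooling or code from the deck: it probes each listed TCP port and reports whether the connection was accepted, refused, or unanswered. The host name `sso.example.local` and all function names are placeholders chosen for the example.

```python
"""Reachability triage for the SSO 5.5 TCP ports listed on the slide above."""
import socket
import sys

# Port list copied from the "TCP Ports Used by SSO" slide.
SSO_55_PORTS = {
    88: "Control interface RPC for the Kerberos",
    2012: "Control interface RPC for VMDirectory",
    2013: "Control interface RPC for the Kerberos",
    2014: "RPC port for all VMCA APIs",
    7444: "vCenter Single Sign On - HTTPS",
    11711: "vCenter Single Sign On - LDAP",
    11712: "vCenter Single Sign On - LDAPS",
    12721: "VMware Identity Mgmt Service",
}

# Advice strings paraphrase the deck's login-failure troubleshooting slides.
ADVICE = {
    "open": "listening",
    "refused": "host answers but nothing is listening: "
               "check that the SSO service is started",
    "filtered": "no answer before timeout: "
                "check networking and firewalls on the path",
}


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'refused', 'filtered' or 'error:<type>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A RST came back: the host is reachable, the service is not bound.
        return "refused"
    except socket.timeout:
        # Nothing came back: packet dropped by a firewall or the host is off.
        return "filtered"
    except OSError as exc:
        # Name resolution failure, unreachable network and similar.
        return "error:" + type(exc).__name__


def advise(state):
    """Map a probe result to the troubleshooting direction to take."""
    return ADVICE.get(
        state, "lookup or routing failure: check DNS (forward/reverse) and routing"
    )


def check_sso_host(host, ports=None, timeout=2.0):
    """Probe every port in `ports` (default: the slide's list) on `host`."""
    ports = SSO_55_PORTS if ports is None else ports
    return {port: probe(host, port, timeout) for port in sorted(ports)}


def report(results, ports=None):
    """Render probe results as one text line per port."""
    ports = SSO_55_PORTS if ports is None else ports
    return [
        "{:>5}  {:<40} {:<10} {}".format(port, ports.get(port, "?"), state, advise(state))
        for port, state in sorted(results.items())
    ]


if __name__ == "__main__":
    # sso.example.local is a placeholder; pass your SSO server's FQDN instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "sso.example.local"
    for line in report(check_sso_host(target)):
        print(line)
```

The check covers TCP only and says nothing about whether the service behind an open port is healthy; a port that accepts connections while logins still fail points back to the log files listed earlier.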
47
Single vCenter Server 5.5 Design Recommendation
[Diagram: one vCenter Server host or VM running vCenter Server, SSO Server, Web Client and Inventory Svc, with a VC Database]
Use Simple Installer
Installs / Upgrades core components with a single virtual machine
1. vCenter Single Sign-On
2. vSphere Web Client
3. vCenter Inventory Service
4. vCenter Server
▪ No change to architecture
▪ All services are local
▪ Supports 1-1000 Hosts / 1-10,000 Virtual Machines
48
Multiple vCenter Server 5.5 (Remote) Design Recommendation
By Default
▪ Each site is independent
▪ Does not provide a single pane of glass view
▪ SSO automated replication
▪ SSO Users & Groups
▪ SSO Policies
▪ Identity sources
▪ Site awareness
▪ Linked Mode
▪ Maintains single pane of glass
▪ Replicates Licenses, permissions and roles
▪ Availability
▪ vSphere HA
▪ vCenter Heartbeat
[Diagram: Single SSO Authentication Domain (SSO Server – vsphere.local) spanning SSO Site 1, SSO Site 2 and SSO Site 3 for New York, Miami and Los Angeles, each with a vCenter Server, Web Client and Inventory Svc]
49
Multiple vCenter Server 5.5 (Local) Design Recommendations
A Datacenter with 6 or more vCenter Servers
▪ Centralized SSO authentication
• Same Physical location
▪ Single Centralized vSphere Web Client
▪ Availability (Required)
• vSphere HA
• vCenter Heartbeat
• Network Load Balancer
[Diagram: vCenter Server 1 (vCenter Server 5.1), vCenter Server 2 and vCenter Server 3 (vCenter Server 5.5), each with Inventory Svc, share a centralized SSO Server and Web Client and a database server hosting VCDB1, VCDB2, VCDB3]
Backwards compatible to vCenter Server 5.1
50
The Possibilities are Endless…
[Diagram: New York, Los Angeles, Miami]
51
Thank You
Stay up to date with vCenter Server
http://blogs.vmware.com/vsphere/
@vCenterGuy @jasper9
VMWARE Professionals - Availability and ResiliencyPaulo Freitas
 
Agile Sites built on the top of Oracle WebCenter Site
Agile Sites built on the top of Oracle WebCenter SiteAgile Sites built on the top of Oracle WebCenter Site
Agile Sites built on the top of Oracle WebCenter SiteDuc Therry
 
Agile Site built on the top of Oracle WebCenter Sites
Agile Site built on the top of Oracle WebCenter SitesAgile Site built on the top of Oracle WebCenter Sites
Agile Site built on the top of Oracle WebCenter SitesDuc Therry
 
SQL Server Lecture 1
SQL Server Lecture 1SQL Server Lecture 1
SQL Server Lecture 1Hazem Torab
 
VMworld 2013: vSphere UI Platform Best Practices: Putting the Web Client SDK ...
VMworld 2013: vSphere UI Platform Best Practices: Putting the Web Client SDK ...VMworld 2013: vSphere UI Platform Best Practices: Putting the Web Client SDK ...
VMworld 2013: vSphere UI Platform Best Practices: Putting the Web Client SDK ...VMworld
 
ITPA Online Short Course - VMware vSphere 6 Master Class (Week 1).pptx
ITPA Online Short Course - VMware vSphere 6 Master Class (Week 1).pptxITPA Online Short Course - VMware vSphere 6 Master Class (Week 1).pptx
ITPA Online Short Course - VMware vSphere 6 Master Class (Week 1).pptxOsielNunes1
 
12 Things about Oracle WebLogic Server 12c
12 Things	 about Oracle WebLogic Server 12c12 Things	 about Oracle WebLogic Server 12c
12 Things about Oracle WebLogic Server 12cGuatemala User Group
 
VMworld 2013: What's New in VMware vSphere?
VMworld 2013: What's New in VMware vSphere? VMworld 2013: What's New in VMware vSphere?
VMworld 2013: What's New in VMware vSphere? VMworld
 
Weblogic 101 for dba
Weblogic  101 for dbaWeblogic  101 for dba
Weblogic 101 for dbaOsama Mustafa
 
V mware view™ poc jumpstart service
V mware view™ poc jumpstart serviceV mware view™ poc jumpstart service
V mware view™ poc jumpstart servicesolarisyougood
 

Similar a VMworld 2013: vSphere vCenter Single Sign-on Best Practices (20)

VMworld 2015: Just Because You COULD, Doesn’t Mean You SHOULD – vSphere 6.0 A...
VMworld 2015: Just Because You COULD, Doesn’t Mean You SHOULD – vSphere 6.0 A...VMworld 2015: Just Because You COULD, Doesn’t Mean You SHOULD – vSphere 6.0 A...
VMworld 2015: Just Because You COULD, Doesn’t Mean You SHOULD – vSphere 6.0 A...
 
V sphere 5.1 what's new presentation, customer
V sphere 5.1   what's new presentation, customerV sphere 5.1   what's new presentation, customer
V sphere 5.1 what's new presentation, customer
 
V mware desktop virtualization health check service
V mware desktop virtualization health check serviceV mware desktop virtualization health check service
V mware desktop virtualization health check service
 
12 Things About WebLogic 12.1.3 #oow2014 #otnla15
12 Things About WebLogic 12.1.3 #oow2014 #otnla1512 Things About WebLogic 12.1.3 #oow2014 #otnla15
12 Things About WebLogic 12.1.3 #oow2014 #otnla15
 
Introduction to vSphere logs
Introduction to vSphere logsIntroduction to vSphere logs
Introduction to vSphere logs
 
VMWARE Professionals - Availability and Resiliency
VMWARE Professionals -  Availability and ResiliencyVMWARE Professionals -  Availability and Resiliency
VMWARE Professionals - Availability and Resiliency
 
Agile Sites built on the top of Oracle WebCenter Site
Agile Sites built on the top of Oracle WebCenter SiteAgile Sites built on the top of Oracle WebCenter Site
Agile Sites built on the top of Oracle WebCenter Site
 
Agile Site built on the top of Oracle WebCenter Sites
Agile Site built on the top of Oracle WebCenter SitesAgile Site built on the top of Oracle WebCenter Sites
Agile Site built on the top of Oracle WebCenter Sites
 
SQL Server Lecture 1
SQL Server Lecture 1SQL Server Lecture 1
SQL Server Lecture 1
 
VMworld 2013: vSphere UI Platform Best Practices: Putting the Web Client SDK ...
VMworld 2013: vSphere UI Platform Best Practices: Putting the Web Client SDK ...VMworld 2013: vSphere UI Platform Best Practices: Putting the Web Client SDK ...
VMworld 2013: vSphere UI Platform Best Practices: Putting the Web Client SDK ...
 
ITPA Online Short Course - VMware vSphere 6 Master Class (Week 1).pptx
ITPA Online Short Course - VMware vSphere 6 Master Class (Week 1).pptxITPA Online Short Course - VMware vSphere 6 Master Class (Week 1).pptx
ITPA Online Short Course - VMware vSphere 6 Master Class (Week 1).pptx
 
12 Things about Oracle WebLogic Server 12c
12 Things	 about Oracle WebLogic Server 12c12 Things	 about Oracle WebLogic Server 12c
12 Things about Oracle WebLogic Server 12c
 
Virtualization s4.1
Virtualization s4.1Virtualization s4.1
Virtualization s4.1
 
요구사항
요구사항요구사항
요구사항
 
VMworld 2013: What's New in VMware vSphere?
VMworld 2013: What's New in VMware vSphere? VMworld 2013: What's New in VMware vSphere?
VMworld 2013: What's New in VMware vSphere?
 
Weblogic online training
Weblogic online trainingWeblogic online training
Weblogic online training
 
Weblogic server
Weblogic serverWeblogic server
Weblogic server
 
Weblogic 101 for dba
Weblogic  101 for dbaWeblogic  101 for dba
Weblogic 101 for dba
 
Global Windows Azure Bootcamp - San Diego
Global Windows Azure Bootcamp - San DiegoGlobal Windows Azure Bootcamp - San Diego
Global Windows Azure Bootcamp - San Diego
 
V mware view™ poc jumpstart service
V mware view™ poc jumpstart serviceV mware view™ poc jumpstart service
V mware view™ poc jumpstart service
 

Más de VMworld

VMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld
 
VMworld 2016: Troubleshooting 101 for Horizon
VMworld 2016: Troubleshooting 101 for HorizonVMworld 2016: Troubleshooting 101 for Horizon
VMworld 2016: Troubleshooting 101 for HorizonVMworld
 
VMworld 2016: Advanced Network Services with NSX
VMworld 2016: Advanced Network Services with NSXVMworld 2016: Advanced Network Services with NSX
VMworld 2016: Advanced Network Services with NSXVMworld
 
VMworld 2016: How to Deploy VMware NSX with Cisco Infrastructure
VMworld 2016: How to Deploy VMware NSX with Cisco InfrastructureVMworld 2016: How to Deploy VMware NSX with Cisco Infrastructure
VMworld 2016: How to Deploy VMware NSX with Cisco InfrastructureVMworld
 
VMworld 2016: Enforcing a vSphere Cluster Design with PowerCLI Automation
VMworld 2016: Enforcing a vSphere Cluster Design with PowerCLI AutomationVMworld 2016: Enforcing a vSphere Cluster Design with PowerCLI Automation
VMworld 2016: Enforcing a vSphere Cluster Design with PowerCLI AutomationVMworld
 
VMworld 2016: What's New with Horizon 7
VMworld 2016: What's New with Horizon 7VMworld 2016: What's New with Horizon 7
VMworld 2016: What's New with Horizon 7VMworld
 
VMworld 2016: Virtual Volumes Technical Deep Dive
VMworld 2016: Virtual Volumes Technical Deep DiveVMworld 2016: Virtual Volumes Technical Deep Dive
VMworld 2016: Virtual Volumes Technical Deep DiveVMworld
 
VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...
VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...
VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...VMworld
 
VMworld 2016: The KISS of vRealize Operations!
VMworld 2016: The KISS of vRealize Operations! VMworld 2016: The KISS of vRealize Operations!
VMworld 2016: The KISS of vRealize Operations! VMworld
 
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld
 
VMworld 2016: Ask the vCenter Server Exerts Panel
VMworld 2016: Ask the vCenter Server Exerts PanelVMworld 2016: Ask the vCenter Server Exerts Panel
VMworld 2016: Ask the vCenter Server Exerts PanelVMworld
 
VMworld 2016: Virtualize Active Directory, the Right Way!
VMworld 2016: Virtualize Active Directory, the Right Way! VMworld 2016: Virtualize Active Directory, the Right Way!
VMworld 2016: Virtualize Active Directory, the Right Way! VMworld
 
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld
 
VMworld 2015: Troubleshooting for vSphere 6
VMworld 2015: Troubleshooting for vSphere 6VMworld 2015: Troubleshooting for vSphere 6
VMworld 2015: Troubleshooting for vSphere 6VMworld
 
VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...
VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...
VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...VMworld
 
VMworld 2015: Advanced SQL Server on vSphere
VMworld 2015: Advanced SQL Server on vSphereVMworld 2015: Advanced SQL Server on vSphere
VMworld 2015: Advanced SQL Server on vSphereVMworld
 
VMworld 2015: Virtualize Active Directory, the Right Way!
VMworld 2015: Virtualize Active Directory, the Right Way!VMworld 2015: Virtualize Active Directory, the Right Way!
VMworld 2015: Virtualize Active Directory, the Right Way!VMworld
 
VMworld 2015: Site Recovery Manager and Policy Based DR Deep Dive with Engine...
VMworld 2015: Site Recovery Manager and Policy Based DR Deep Dive with Engine...VMworld 2015: Site Recovery Manager and Policy Based DR Deep Dive with Engine...
VMworld 2015: Site Recovery Manager and Policy Based DR Deep Dive with Engine...VMworld
 
VMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld
 
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld
 

Más de VMworld (20)

VMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep Dive
 
VMworld 2016: Troubleshooting 101 for Horizon
VMworld 2016: Troubleshooting 101 for HorizonVMworld 2016: Troubleshooting 101 for Horizon
VMworld 2016: Troubleshooting 101 for Horizon
 
VMworld 2016: Advanced Network Services with NSX
VMworld 2016: Advanced Network Services with NSXVMworld 2016: Advanced Network Services with NSX
VMworld 2016: Advanced Network Services with NSX
 
VMworld 2016: How to Deploy VMware NSX with Cisco Infrastructure
VMworld 2016: How to Deploy VMware NSX with Cisco InfrastructureVMworld 2016: How to Deploy VMware NSX with Cisco Infrastructure
VMworld 2016: How to Deploy VMware NSX with Cisco Infrastructure
 
VMworld 2016: Enforcing a vSphere Cluster Design with PowerCLI Automation
VMworld 2016: Enforcing a vSphere Cluster Design with PowerCLI AutomationVMworld 2016: Enforcing a vSphere Cluster Design with PowerCLI Automation
VMworld 2016: Enforcing a vSphere Cluster Design with PowerCLI Automation
 
VMworld 2016: What's New with Horizon 7
VMworld 2016: What's New with Horizon 7VMworld 2016: What's New with Horizon 7
VMworld 2016: What's New with Horizon 7
 
VMworld 2016: Virtual Volumes Technical Deep Dive
VMworld 2016: Virtual Volumes Technical Deep DiveVMworld 2016: Virtual Volumes Technical Deep Dive
VMworld 2016: Virtual Volumes Technical Deep Dive
 
VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...
VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...
VMworld 2016: Advances in Remote Display Protocol Technology with VMware Blas...
 
VMworld 2016: The KISS of vRealize Operations!
VMworld 2016: The KISS of vRealize Operations! VMworld 2016: The KISS of vRealize Operations!
VMworld 2016: The KISS of vRealize Operations!
 
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
VMworld 2016: Getting Started with PowerShell and PowerCLI for Your VMware En...
 
VMworld 2016: Ask the vCenter Server Exerts Panel
VMworld 2016: Ask the vCenter Server Exerts PanelVMworld 2016: Ask the vCenter Server Exerts Panel
VMworld 2016: Ask the vCenter Server Exerts Panel
 
VMworld 2016: Virtualize Active Directory, the Right Way!
VMworld 2016: Virtualize Active Directory, the Right Way! VMworld 2016: Virtualize Active Directory, the Right Way!
VMworld 2016: Virtualize Active Directory, the Right Way!
 
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
VMworld 2016: Migrating from a hardware based firewall to NSX to improve perf...
 
VMworld 2015: Troubleshooting for vSphere 6
VMworld 2015: Troubleshooting for vSphere 6VMworld 2015: Troubleshooting for vSphere 6
VMworld 2015: Troubleshooting for vSphere 6
 
VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...
VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...
VMworld 2015: Monitoring and Managing Applications with vRealize Operations 6...
 
VMworld 2015: Advanced SQL Server on vSphere
VMworld 2015: Advanced SQL Server on vSphereVMworld 2015: Advanced SQL Server on vSphere
VMworld 2015: Advanced SQL Server on vSphere
 
VMworld 2015: Virtualize Active Directory, the Right Way!
VMworld 2015: Virtualize Active Directory, the Right Way!VMworld 2015: Virtualize Active Directory, the Right Way!
VMworld 2015: Virtualize Active Directory, the Right Way!
 
VMworld 2015: Site Recovery Manager and Policy Based DR Deep Dive with Engine...
VMworld 2015: Site Recovery Manager and Policy Based DR Deep Dive with Engine...VMworld 2015: Site Recovery Manager and Policy Based DR Deep Dive with Engine...
VMworld 2015: Site Recovery Manager and Policy Based DR Deep Dive with Engine...
 
VMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SANVMworld 2015: Building a Business Case for Virtual SAN
VMworld 2015: Building a Business Case for Virtual SAN
 
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes ConfigurationsVMworld 2015: Explaining Advanced Virtual Volumes Configurations
VMworld 2015: Explaining Advanced Virtual Volumes Configurations
 

Último

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 

VMworld 2013: vSphere vCenter Single Sign-on Best Practices

  • 1. vSphere vCenter Single Sign-on Best Practices
      • Josh Gray, VMware
      • Justin King, VMware
      • Jonathan McDonald, VMware
      • VSVC5635, #VSVC5635
  • 2. vSphere Deployment Best Practices – vCenter Server 5.1
      • What is vCenter Single Sign-On
      • vCenter Single Sign-On 5.1
          - Architecture
          - Deployment Configurations
          - Database
          - 5.1 Architectural References
          - Single vCenter Server
          - Multiple vCenter Servers (Local)
          - Multiple vCenter Servers (Remote)
      • Deployment Best Practices and Recommendations
          - Deployment / Installation / Upgrading / Availability
      • Challenges / Lesson Learned with Single Sign-On 5.1
      • vCenter Single Sign-On 5.5 (NEW)
          - What's New with vCenter Single Sign-On 5.5
          - Deployment Configurations
  • 3. vSphere Deployment Best Practices – vCenter Server 5.1 (agenda slide, same outline as slide 2)
  • 4. What is: vCenter Single Sign-On Server
      • Provides Secure Token Exchange (SAML 2.0) between solutions
      • When you access an SSO-enabled solution, the solution will request an extension to the SAML 2.0 token TTL
      • First component to touch (regardless of install/upgrade)
      • Design before implementing!!
      • [Diagram labels: vCloud Director, vCenter, vCO, vCenter Single Sign On (SSO)]
      • Authentication Services for the vSphere Platform
      • A component of vCenter Server
      • vCenter Single Sign-On creates an authentication domain where users are trusted to access available resources (vCenter etc.)
          - no longer log into vCenter directly*
      • Multiple identity sources (Active Directory, OpenLDAP etc.)
  • 5. What Components Have Integrated With SSO?
      • [Diagram labels: Inventory Service, Web Client, vCenter SSO, VCO, Log Browser, VSM, VCD*, SRM, VCOPS, VDP, Others, Partners; timeline: 2013, 2014]
      • * VCD is partially integrated with SSO; only provider-side logins can be integrated with SSO
  • 6. How Does vCenter Single Sign On Work?
      • [Diagram labels: AD (Domain 1), AD (Domain 1), Open LDAP, Local OS, vCenter Single Sign On, Data, OS, Web Client, vCenter 1, vCenter 2, VCO, vShield, vCloud Director]
      • Step 1: Login (user, pswd) from the Web Client
      • Step 2: Issue Token (user, pswd)
      • Step 3: Authenticate; Authenticate SSO users; Authenticate Local OS users
      • Step 4: Token
      • Steps 5-9: Login (Token) to vCenter 1, vCenter 2, VCO, vShield, vCloud Director
  • 7. vCenter Single Sign On Server
      • Registry of Single Sign-On enabled solutions
      • One-time manual registration of vCenter 5.0 needed for discovery by vSphere Web Client (5.1 only)
      • Linked Mode required to provide a single pane of glass view across geographically separate vCenters
      • Linked Mode:
          - Sharing of Permissions
          - Sharing of Roles
          - Sharing of Licenses
  • 8. vSphere Deployment Best Practices – vCenter Server 5.1 (agenda slide, same outline as slide 2)
  • 9. vCenter Single Sign-On 5.1 Configurations: Basic vCenter Single Sign-On
      • [Diagram labels: VC Database, SSO Database, vCenter Server, Host or VM, vCenter Server, Web Client, Inventory Svc, SSO Server (Basic)]
      • Most common deployment option (VMware recommended)
      • This is a single standalone instance of the SSO server that supports the connectivity of Active Directory, OpenLDAP, Local Operating System and SSO embedded users and groups
      • This typically would be local to the vCenter Server
      • Used by the vCenter Server Simple Install option
      • Preinstalled with the vCenter Server Appliance
  • 10. vCenter Single Sign-On 5.1 Configurations: Primary vCenter Single Sign-On
      • Used for advanced configurations
          - vCenter SSO High Availability (SSO HA)
          - Local Copy at Remote Sites (Multisite)
      • Installable version of SSO (Windows Only)
      • Selected with the Individual Installer
      • Supports the connectivity of
          - Active Directory
          - OpenLDAP
          - SSO embedded users and groups
      • Does not support the use of local operating system user accounts
      • Only one Primary node can exist in a single SSO environment
      • [Diagram labels: Database, vCenter Server, Host or VM, vCenter Server, Web Client, Inventory Svc, SSO Server (Primary)]
  • 11. vCenter Single Sign-On 5.1 Configurations: vCenter Single Sign-On HA Backup (SSO HA)
      • Third Party Load Balancer + configuration + Support
      • Complex to set up
          - Update SSL certificates
          - Repointing of vCenter components
      • No Protection of Shared Database
      • Limited Functionality when failed over
          - Administration lost
          - No service restarts
      • Availability – Same as vCenter Server
          - vSphere HA, vCenter Heartbeat
      • Provides failover of vCenter SSO server
      • Centralized vCenter SSO server for multiple local vCenter Servers
      • Select with the Individual Installer
      • [Diagram labels: Shared Database; Host or VM, SSO Server (Primary); Load Balancer; Host or VM, SSO Server (HA Backup); vCenter Server 1 and vCenter Server 2, each with vCenter Server, Web Client, Inventory Svc]
  • 12. vCenter Single Sign-On 5.1 Configurations: vCenter Single Sign-On MultiSite
      • [Diagram labels: New York, Los Angeles, Miami; Local Databases; vCenter Server; Inventory Svc; Web Client; Primary SSO Server; Multi Site SSO Server (two)]
      • Local Authentication
          - Removes additional risk (WAN)
          - Maintains same SSO security domain
      • Required for Linked Mode
      • Selected with the Individual Installer
      • Does not provide site redundancy
      • Manual steps required to maintain synchronization of SSO users/groups/policies etc.
          1. Install Primary SSO in NY
          2. Install IS, VC in NY
          3. Install Multisite SSO in LA
          4. Replicate SSO from NY to LA
          5. Install IS, VC in LA
          6. Replicate SSO in LA to NY
          7. Repeat steps 3-6 for each site
  • 13. vCenter Single Sign-On Database
    1. vCenter Single Sign-On
      • Hard naming requirements (RSA)
      • Schema Scripts provided on ISO
      • SQL Authentication required
      • JDBC connection
    Supported Databases
      • Oracle
        • Oracle 10g (rel2) / Oracle 11g (rel1-rel2)
      • Microsoft SQL Server
        • SQL Server 2005 (SP4) / 2008 (SP1-SP3) / 2008 R2 (SP1-SP2) / SQL Server 2012
      • Embedded vPostgres (vCenter Appliance only)
  • 16. Single vCenter Server Design Recommendation
    • Use Simple Installer
    • Installs / Upgrades core components with a single virtual machine
      1. vCenter Single Sign-On
      2. vCenter Inventory Service
      3. vCenter Server
      4. Additional install: vSphere Web Client
    • No change to architecture
    • All services are local
    • Supports 1-1000 Hosts / 1-10,000 Virtual Machines
    • Distributed model adds unnecessary complexity and recovery challenges
    [Diagram labels: VC Database; SSO Database; vCenter Server (Host or VM); vCenter Server; Basic SSO Server; Web Client; Inventory Svc]
  • 17. Multiple Remote vCenter Server Design Recommendations
    • Multiple single vCenter Server design
      • Each site is independent
      • No single pane of glass view
    • Linked Mode
      • Maintains single pane of glass
      • Replicates Licenses, permissions and roles
    • Availability
      • vSphere HA
      • vCenter Heartbeat
    [Diagram labels: Local Databases; sites New York, Los Angeles, Miami; one layout with a Primary SSO Server and Multi Site SSO Servers, one layout with a Basic SSO Server at each site; each site with vCenter Server, Web Client, Inventory Svc]
  • 18. Multiple Local vCenter Server Design Recommendations
    • Centralized SSO authentication
      • Same Physical location
      • Metropolitan / College Campus
    • Single Centralized vSphere Web Client
    • Availability (Required)
      • vSphere HA
      • vCenter Heartbeat
    • Simple with full functionality
    [Diagram labels: three vCenter Server boxes (each labelled vCenter Server 2), each with vCenter Server and Inventory Svc; Local SSO Database; Basic SSO Server; Web Client; Database Server VCDB1, VCDB2, VCDB3]
  • 20. Common Issues – Login Problem / Failures
    • Login problems are the primary problem we see with SSO
    • Fall into several basic categories
      • Login fails with an STS error:
        • Common causes / troubleshooting:
          • vCenter SSO Service is not accessible – check networking
          • vCenter SSO Service is down – check services configuration
          • If the service cannot start:
            • Commonly it is database related – check SQL connectivity and availability
            • Validate that passwords have not expired or changed
            • check imsTrace.log for errors relating
  • 21. Common Issues – Login Problems / Failures (2)
    • Login fails with credentials not valid error
      • Common causes
        • Incorrect username or password specified
        • Incorrect qualifying domain (@system-domain in this case) specified
        • Password has expired – reset the password on the account
        • Account disabled or locked
      • If none of these are working, check imsTrace.log to validate the error message for the login
  • 22. Common Issues – Login Problems / Failures (3)
    • Login fails for admin@system-domain
      • Similar to regular account failures.
      • Use the following KB to reset or unlock the account: Unlocking and resetting the vCenter Single Sign On (SSO) administrator password: http://kb.vmware.com/kb/2034608
      • Example command line usage from the KB:
      • Always requires the master password. If lost, a reinstall is required.
      • To change the master password the following command can be used:
  • 23. Best Practices for Login Problems / Failures
    • Ensure that the SSO service is started and that other teams announce any maintenance that is occurring
      • Most problems that GSS sees here are related to the service being inaccessible
      • This includes the database and, more importantly, networking
    • Always make sure that the admin@system-domain master password is recorded
      • This is the password which is set during the initial installation
      • As long as you have the master password, there is a way to get into the system
      • Think of this password as one which is similar to an Active Directory recovery password
  • 24. Common Issues – Domain trusts
    • 5.1 GA, A, B – No domain trusts function.
      • Many domain topologies exist
    • VMware Development working to ensure that all trusts are available and function with SSO
    • Cause:
      • SSO 5.1.x uses LDAP binds rather than native Windows API calls
  • 25. Common issues - Permissions
    • Even when authentication is successful, permissions can cause unexpected problems after login completes
    • SSO administrator is admin@system-domain
    • vCenter administrator is whatever is specified in the installer
      • By default this will be the administrators group on the vCenter server
    • If you don’t have permissions you may see:
  • 26. Common issues – Permissions (2)
    • The cause is that the roles are separated by default
    • vCenter log (vpxd.log) will show a vim.fault.NoPermission error
    • Log in with the appropriate administrator account and add permissions if desired
  • 27. Best Practices – Permissions
    • Configure a domain group for access by default rather than a user
      • This will ensure that many users have access rather than a single user
      • Allows other users to still log in if an account is locked out inadvertently
    • Be sure to note down the group that was configured for administrator access to vCenter during installation
      • With the vCenter Linux appliance, root has access by default
    • Add additional SSO administrators other than admin@system-domain
      • By adding separate users, if an account expires you can unlock the account by logging in with another user account
  • 28. Best Practice - Local OS Accounts
    • Recommendation: Move the use of local OS accounts in vCenter to SSO identity sources or embedded SSO user accounts
    • Benefit: Depending on the architecture deployed, local OS accounts will more than likely be unavailable to vCenter Server
    • Tip: Set up a local SSO group, add AD/SSO users and/or groups, and apply vCenter permissions to the SSO group
  • 29. Common Issues - Certificates
    • Certificates are used for security for SSO
      • All VMware components use certificates for communication
      • If a certificate is invalid or expired, SSO will reject communication
      • All services which are registered into SSO need a valid certificate
    • When upgrading, installs to vCenter 5.1 will fail if the certificate is invalid
      • The following certificates need to be VALID to successfully upgrade to 5.1
        • SSO
        • Inventory Service
        • vCenter
      • More information on this in KB: Upgrading to vCenter Server 5.1 fails with the error: Certificate already expired (2035413)
  • 30. Common Issues – Certificates (2)
    • Replacing the certificates is difficult due to the number of steps
    • VMware engineering recognized the difficulty introduced and released the SSL Certificate Automation Tool
      • Automates the installation and configuration of new certificates
      • KB to the tool: Deploying and using the SSL Certificate Automation Tool (2041600)
    • Not a certificate authority
      • Will generate the certificate requests and install the resulting certificates
      • Will not generate the certificate; the admin still has to get this from the CA
  • 31. Create SSO Database
    • Recommendation: Create the SSO database prior to installation
    • Benefit: You will be asked to connect to the database during SSO install; otherwise you will not be able to continue
    • Tip: Use the scripts provided on the vCenter ISO, and make sure you edit them with the database location and user account passwords before executing
  • 32. Configure SSO Before Upgrading vCenter Server
    • Recommendation: When upgrading, install SSO and then the Web Client before other components
    • Benefit: This will allow you to preconfigure the identity sources prior to the vCenter upgrade and eliminate any login risks post install
    • Tip: Add a domain user as an SSO admin, then log out and log in as that user to confirm the configuration before proceeding
  • 33. vCenter Server – Availability
    • Recommendation: Protect the vCenter Suite, not individual components
    • Benefit: If high availability is desired, use a solution that protects all components to maintain dependencies
    • Tip: vSphere HA and vCenter Heartbeat can protect all components, whether distributed or local, with the same license. vDP 5.5 can also be used, and it restores without vCenter
  • 35. Challenges with vCenter Single Sign-On 5.1
    • Active Directory Integration
      • Does not work effectively in multi-forest / trusted domain environments
      • Does not scale in environments with 15K or greater users
      • Administration is limited
    • Certificates
      • SSL communications challenging
      • Difficult to change / update
    • Installation
      • Database requirements / security concerns
      • Many installable configurations
      • Difficult to change / reconfigure post install
      • Complex
    • Diagnostics
      • Troubleshooting tools – non-existent
  • 37. What's New with vCenter Single Sign-On 5.5 (in short)
    • Improved architecture
      • Multi-master
      • Built-in replication
      • Site awareness
      • Multi Tenant
    • Database
      • There is no Database!
    • Installation
      • One simplified deployment model
      • Select vCenter Single Sign-On for the first or an additional vCenter Server
    • Diagnostics
      • Full suite of diagnostic / Troubleshooting tools
    [Diagram labels: vCenter Single Sign-On 5.5; SSO Site 1; SSO Site 2; vCenter Server (six); Web Client; Inventory Svc]
  • 38. vCenter Single Sign-On 5.5 - Installation
    • Prerequisites
      • Hostname has a FQDN and is DNS resolvable (forward/reverse)
      • Joined to an Active Directory domain (if integrating with Active Directory)
      • Windows 2008 x64 SP2 or higher (or use vCenter Appliance)
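The forward/reverse DNS prerequisite above can be verified before the installer is run. The following Python check is an added example, not part of the original deck or any VMware tool; `check_fqdn` and its helpers are hypothetical names, and the host names and 192.0.2.x addresses in the sample tables are constructed.

```python
import ipaddress
import socket


def forward_lookup(name):
    """A/AAAA lookup: return the set of addresses the name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def reverse_lookup(ip):
    """PTR lookup: return the primary name plus any aliases."""
    primary, aliases, _addresses = socket.gethostbyaddr(ip)
    return [primary, *aliases]


def normalise(name):
    return name.rstrip(".").lower()


def check_fqdn(name, forward=forward_lookup, reverse=reverse_lookup):
    """Return a list of problems; an empty list means the prerequisite holds."""
    try:
        ipaddress.ip_address(name)
        return [f"{name} is an IP literal, not a host name"]
    except ValueError:
        pass
    problems = []
    if "." not in name.strip("."):
        problems.append(f"{name} is a short name, not an FQDN")
    try:
        addresses = forward(name)
    except OSError as exc:  # socket.gaierror: the name does not resolve
        return problems + [f"forward lookup failed: {exc}"]
    for ip in sorted(addresses):
        try:
            names = sorted({normalise(n) for n in reverse(ip)})
        except OSError as exc:  # socket.herror: no PTR record for this address
            problems.append(f"{ip}: reverse lookup failed: {exc}")
            continue
        if normalise(name) not in names:
            problems.append(f"{ip}: PTR returns {names}, not {name}")
    return problems


# Constructed records (documentation address range), so the demo runs offline.
SAMPLE_A = {"sso01.corp.example": {"192.0.2.10"},
            "sso02.corp.example": {"192.0.2.11"}}
SAMPLE_PTR = {"192.0.2.10": ["SSO01.corp.example."],
              "192.0.2.11": ["old-vc.corp.example"]}


def sample_forward(name):
    if name not in SAMPLE_A:
        raise socket.gaierror(socket.EAI_NONAME, "name does not resolve")
    return SAMPLE_A[name]


def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "no PTR record")
    return SAMPLE_PTR[ip]


if __name__ == "__main__":
    for host in ("sso01.corp.example", "sso02.corp.example", "sso03"):
        print(host, check_fqdn(host, sample_forward, sample_reverse) or "OK")
    # Against real DNS on the planned SSO host: check_fqdn(socket.getfqdn())
```

A stale PTR record, as in the `sso02` sample, passes a forward-only test such as a ping by name; the check reports it because the reverse answer does not lead back to the same FQDN.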
  • 39. vCenter Single Sign-On 5.5 - Installation
    • Simple Installer
      • single vCenter Server environments
    • Individual installer
      • multiple vCenter servers and / or advanced configurations
    • Installer Steps
      1. Accept License agreement (EULA)
      2. Prerequisite check summary
      3. Edit default port number 7444 (if necessary)
      4. Select Deployment placement
      5. Provide Administrator@vsphere.local password
      6. Provide a site name or select a previous site name
      7. Edit destination directory (if necessary)
      8. Summary
      9. Installation Complete
    • Upgrading? admin@system-domain? Account becomes an alias of administrator@vsphere.local
  • 40. Supports Upgrade of all vCenter 5.1 configurations
    Previous vCenter Single Sign-On 5.1 deployment models
      • Fully Maintained via Upgrade
      • Basic
      • Single Sign-On High Availability
      • Single Sign-On Multisite
    New recommendations with vSphere 5.5
      • Take advantage of new technology
      • Single virtual machine for all vCenter components**
      • Distributed virtual machines add complexity
      • Availability / Backup & Restore
      • Management
      • Easily migrate to new recommendations during upgrade
    ** Enterprise customers with 6 or more local vCenter servers can use a centralized instance
  • 41. Types of Identity Sources
    What is an identity source?
      An external domain or repository of users and groups
    Identity Sources supported with 5.5
      1. Native Active Directory (Recommended)
        • Uses Kerberos via machine account or SPN (Load Balancer)
      2. Active Directory as an LDAP server
        • This was done for backward compatibility to 5.1
        • Not likely to be supported post 5.5
        • Same limitations as in 5.1
      3. OpenLDAP
      4. Local Operating System
      5. Single Sign-On
    Configuring your VC Server
      When you configure your VC Server, make sure to set the VC Administrator as administrator@vsphere.local. DO NOT SET THE VC Administrator to be a Local OS account.
  • 42. Diagnostics
    • vCenter Single Sign-On 5.5 Diagnostic Tools
    • Perform all administration and reconfiguration from the MMC snap-in
      • vCenter Single Sign-On services need to be running
    • KB to troubleshoot startup issues
    • Separate download
      • So we can update independently and add exciting new features
  • 43. Replication
    • Built-in Replication
      • Between each Single Sign-On server deployed in the same vSphere authentication domain
    • Replication Partners
      • Review / Add / Remove / Edit
    • Geographically Separated Single Sign-On sites
      • Reduce overhead
      • Provide Redundancy Links
  • 44. Backup / Restore / Availability
    • Backup / Restore
      • Virtual Machine**
      • Snapshot
      • Tape / Disk
      • vDP (now supports host level restore)
      • Application (KB with GA)
      • Registry Keys
      • SSL Certificates (tcserver)
      • Certificate server
      • KDC
      • VMDir (vdcbackup)
    • Availability of vCenter Single Sign-On server
      • No different to vCenter
      • Why? vCenter is the primary resident of the Single Sign-On server
      • vSphere HA, vCenter Heartbeat
    ** Additional step required when multiple SSO instances are configured
  • 45. The log files provided by Single Sign On include:
    • vminst.log: Single Sign On installer log
    • vim-sso-msi.log: MSI installer verbose logs for Single Sign On installation
    • vim_ssoreg.log: Single Sign On Lookup Service log
    • exported_sso.properties: Endpoint information about each of the Single Sign On Solution Users and identity sources extracted from previous vCenter Single Sign On 5.1.0 instance
    • vim-openssl-msi.log: MSI installer verbose log for OpenSSL installation
    • vim-python-msi.log: MSI installer verbose log for Python installation
    • vim-kfw-msi.log: MSI installer verbose log for MIT Kerberos installation
    Single Sign On logs are grouped by component and purpose:
    • vmdird\vdcpromo.log: Promotion and demotion operation information for the Single Sign On instance when joined or removed from a linked configuration
    • vmdird\vdcsetupIdu.log: VMware Directory Service setup post-installation log containing information about the localhost name
    • vmdird\vmdir.log: Health reports for the VMware Directory Service service and the Lotus VMDir database
    • vmkdcd\vmkdcd.log: Key Distribution Center (kdc) run-time log, reports port conflicts preventing the service from starting
    • vmware-sso\vmware-sts-idmd.log: VMware Identity Management service run-time logs, time-stamped records of user attempts when accessing Single Sign On for administrative purposes
    • vmware-sso\vmware-sts.ldmd-perf.log: VMware Identity Management service performance counter logs
    • vmware-sso\VMwareIdentityMgmtService.<date>.log: Commons Daemon log once the Identity Management Service has started
  • 46. Additional Information
    • Deprecated Functionality
      • NIS Identity Source
      • More than one default domain per Identity Provider
      • SMTP configuration and notification for password expiration by mail
    • TCP Ports Used by SSO
      • 2012: Control interface RPC for VMDirectory
      • 88, 2013: Control interface RPC for the Kerberos
      • 2014: RPC port for all VMCA APIs
      • 7444: vCenter Single Sign On - HTTPS
      • 11711: vCenter Single Sign On - LDAP
      • 11712: vCenter Single Sign On - LDAPS
      • 12721: VMware Identity Mgmt Service
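The port list above also helps separate the two causes named on the login-failure slide, a service that cannot be reached over the network versus a service that is down. The following Python probe is an added example, not part of the original deck or any VMware tool; `probe_port`, `triage` and `needs_attention` are hypothetical names, and the state names and hints are this example's own wording.

```python
import errno
import socket

# TCP ports as listed on the slide above (vCenter Single Sign-On 5.5).
SSO_PORTS = {
    2012: "Control interface RPC for VMDirectory",
    88: "Control interface RPC for Kerberos",
    2013: "Control interface RPC for Kerberos",
    2014: "RPC port for all VMCA APIs",
    7444: "vCenter Single Sign-On HTTPS",
    11711: "vCenter Single Sign-On LDAP",
    11712: "vCenter Single Sign-On LDAPS",
    12721: "VMware Identity Mgmt Service",
}

HINTS = {
    "open": "listening",
    "refused": "host answers but nothing listens: check the service",
    "filtered": "no reply before timeout: check firewall rules and routing",
    "unreachable": "no route to host: check networking",
    "error": "lookup or socket error: check the host name",
}


def probe_port(host, port, timeout=3.0):
    """Classify one TCP connect attempt; no application data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"


def triage(host, ports=SSO_PORTS, probe=probe_port):
    """Return [(port, purpose, state, hint)] for every port, in numeric order."""
    rows = []
    for port in sorted(ports):
        state = probe(host, port)
        rows.append((port, ports[port], state, HINTS[state]))
    return rows


def needs_attention(rows):
    """Ports that did not accept a connection."""
    return [port for port, _purpose, state, _hint in rows if state != "open"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, purpose, state, hint in triage(target):
        print(f"{port:>5}  {state:<11} {purpose} ({hint})")
```

Run it from the machine that hosts the failing client (for example the Web Client server) against your own SSO server, since firewall rules differ by source; a `refused` on 7444 points at the SSO service, a `filtered` at the network path.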
  • 47. Single vCenter Server 5.5 Design Recommendation
    • Use Simple Installer
    • Installs / Upgrades core components with a single virtual machine
      1. vCenter Single Sign-On
      2. vSphere Web Client
      3. vCenter Inventory Service
      4. vCenter Server
    • No change to architecture
    • All services are local
    • Supports 1-1000 Hosts / 1-10,000 Virtual Machines
    [Diagram labels: VC Database; vCenter Server (Host or VM); vCenter Server; SSO Server; Web Client; Inventory Svc]
  • 48. Multiple vCenter Server 5.5 (Remote) Design Recommendation
    • By Default
      • Each site is independent
      • Does not provide a single pane of glass view
      • SSO automated replication
        • SSO Users & Groups
        • SSO Policies
        • Identity sources
      • Site awareness
    • Linked Mode
      • Maintains single pane of glass
      • Replicates Licenses, permissions and roles
    • Availability
      • vSphere HA
      • vCenter Heartbeat
    [Diagram labels: Single SSO Authentication Domain; SSO Server – vsphere.local; sites New York, Los Angeles, Miami; SSO Site 1, SSO Site 2, SSO Site 3; each site with vCenter Server, Web Client, Inventory Svc]
  • 49. Multiple vCenter Server 5.5 (Local) Design Recommendations
    A Datacenter with 6 or more vCenter Servers
    • Centralized SSO authentication
      • Same Physical location
    • Single Centralized vSphere Web Client
    • Availability (Required)
      • vSphere HA
      • vCenter Heartbeat
      • Network Load Balancer
    • Backwards compatible to vCenter Server 5.1
    [Diagram labels: SSO Server; Web Client; Database Server VCDB1, VCDB2, VCDB3; vCenter Server 1 (vCenter Server 5.1), vCenter Server 2 (vCenter Server 5.5), vCenter Server 3 (vCenter Server 5.5), each with Inventory Svc]
  • 50. The Possibilities are Endless…
    [Diagram labels: New York; Los Angeles; Miami]
  • 51. Thank You
    Stay up to date with vCenter Server
    http://blogs.vmware.com/vsphere/
    @vCenterGuy @jasper9