10 Responses

  1. Welcome to vSphere-land! » vSphere 5.5 Link-O-Rama

    […] vSphere 5.5 Improvements Part 7 – Single Sign On Completely Redesigned (Wahl Network) Using Active Directory Integrated Windows Authentication with SSO 5.5 (Wahl Network) What’s New in vCloud Suite 5.5: vCenter Server SSO […]

  2. Mike

    Thanks Chris! Very well explained. Can’t wait to get my hands on 5.5

    The complexity (or annoyances) of SSO 5.1 with multiple vCenter instances stopped me from going to 5.1. Looks like this is a piece of cake now

  3. Adam Johnson

    Good post, thanks! Just wanted to fill in a couple of things I didn’t figure out immediately. I ran into a few issues with this (mostly simple), and thought others might benefit from what I experienced.

    1. The SSO menu doesn’t show up in the web client until you set an Administrator password under SSO in the Admin portal and log in as [email protected]. Logging in with the root/vmware defaults will show no SSO on the Administration page of the web client. Didn’t realize there was a difference, wondered where SSO was…

    2. If you’re going to put your VCSA in a subdomain of Active Directory (i.e. subdomain.domain.com), make sure you name the hostname of the VCSA “hostname.subdomain.domain.com” before you join it to the domain. I noticed that the SPN in Active Directory does not change if you change the hostname of the VCSA after the join process, so you’ll have to undo the domain join on the VCSA, delete the computer object, rename the VCSA, regenerate the certificates, and then rejoin the domain. We were initially able to poll the directory and see AD accounts, but adding any AD accounts under Manage->Permissions would have no effect on the ability to log in until we recreated the AD authentication link with the new (correct) hostname.

    3. It seems like there’s some Domain Administrator inheritance at play, even for the VCSA. My DA account has permissions to log in to vCenter, even though I’ve never assigned it any Permissions within vCenter. It can’t view any objects, but it can log in to the Web Client and the C# client. Seems like some of that was touched on here too: KB 2059528. Didn’t think I’d see any of that on the VCSA, but DAs do have login rights once you join a domain, if that inheritance is in your AD groups.
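    The stale-SPN situation from point 2 can be checked from a domain-joined Windows host before anyone redoes the join. This is an added example, not part of the comment or the original post; it assumes the ActiveDirectory PowerShell module is installed, that the account running it can read the computer object, and that 'VCSA01' and 'vcsa01.subdomain.domain.com' are placeholder names for your appliance.

```powershell
# Added example: compare the SPNs and dNSHostName on a VCSA's AD computer object
# with the FQDN the appliance is actually using now. Stale entries mean the join
# happened under a different hostname, which is the failure mode described above.
# Assumes the ActiveDirectory module and read access to the computer object.
Import-Module ActiveDirectory

function Test-VcsaSpnConsistency {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,  # sAMAccountName without the trailing $
        [Parameter(Mandatory)] [string] $ExpectedFqdn   # hostname the appliance is configured with now
    )

    $obj = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName, dNSHostName

    $result = [ordered]@{
        ComputerName = $obj.Name
        DnsHostName  = $obj.dNSHostName
        ExpectedFqdn = $ExpectedFqdn
        DnsMatches   = ($obj.dNSHostName -ieq $ExpectedFqdn)
        MatchingSpns = @()
        StaleSpns    = @()
    }

    foreach ($spn in $obj.servicePrincipalName) {
        # SPN format is service/host[:port][/name]; only the host part is compared.
        $hostPart = ($spn -split '/')[1] -replace ':\d+$', ''
        if ($hostPart -ieq $ExpectedFqdn -or $hostPart -ieq $obj.Name) {
            $result.MatchingSpns += $spn
        } else {
            $result.StaleSpns += $spn
        }
    }

    [pscustomobject]$result
}

# Placeholder names; replace with your appliance's computer account and current FQDN.
$check = Test-VcsaSpnConsistency -ComputerName 'VCSA01' -ExpectedFqdn 'vcsa01.subdomain.domain.com'
$check | Format-List

if (-not $check.DnsMatches -or $check.StaleSpns.Count -gt 0) {
    Write-Warning "Computer object does not match the appliance FQDN; AD logins will keep failing until the join is redone under the correct hostname."
}
```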

  4. adminafterwork.com | a blog about virtualization technologies, trends, training, certification, fun and much more. Blog of Tom Lüssi

    […] Here is an example of an AD join. Please replace the bold entries with your environment values (My example: AD User= tladmin, AD User Password= password1234, Domain= truecore.lab). Restart the appliance afterwards and think about which kind of AD auth you would like to use. Here’s a good read about it from Chris Wahl. […]

  5. Kerberos and NTLM Options for Integrated Windows Authentication iis 7.5 | DiscVentionsTech
  6. vCenter SSO 5.5: AD Group Membership Gotchya » HOSTING IS LIFE!

    […] While there has been a slight tweak in the UI, the setup process is the same except you now have an additional option to utilize AD with Integrated Windows Authentication, which is covered by @chriswahl in this blog post. […]

  7. Newsletter: January 18, 2014 | Notes from MWhite

    […] scale well, and is not as solid as the Integrated Windows Authentication option. BTW, here is a link to a very good article on using the Integrated Windows Authentication […]

  8. Jason

    What if you have 2 domains (A and B). Domain A trusts B but B does NOT trust A. The vCenter SSO server is joined to domain A. I need to add users from B to access vCenter. Would I create an SPN account on domain B so I can add users from domain B?
