SSO

I just installed vSphere 5.5 in my lab. It was a fresh installation. Not an upgrade. My vCenter server was already in my domain and I expected to be able to log in with my domain administrator account. Unfortunately it was not the case. To solve the issue I wanted to log in with the vSphere Web Client to validate my permissions and that my domain vclass.local was an identity source. In vSphere 5.1 the SSO administrator was called [email protected] this is no longer the case. You need to log in with [email protected] and the password you defined under installation of the SSO server. When I logged in with this user I was able to configure my domain as an identity source and give access to my domain administrator to the vCenter Server.

You can access the vCenter Web Client on the following url: https://WEBCLIENTSERVER:9443/vsphere-client

Another thing I noticed was that the [email protected] was administrator on the vcenter. In 5.1 [email protected] did not have any vCenter permissions set.

Always remember. The only place to configure the SSO is through the Web Client. Luckily VMware really want to bring the attention out to the administrators. When you log in with your vSphere Client in a 5.5 environment you will be presented with the following warning

After upgrading to vSphere 5.1 or installing from scratch you may be in a situation where you cannot authenticate with your vCenter Server when using a domain user.

When you try to log in from the vSphere client you get the following error: Cannot complete login due to an incorrect user name or password

When you try to log in from the the vSphere Web Client you get the following error: Provided credentials are not valid

Prior to vSphere 5.1 and the Single Sign On Server SSO you were able to login directly with your domain user without supplying the domain name.

There are two solutions to the problem.

Solution 1:

When logging in with your domain account add the domain to the user name. You can do this by either writing: DOMAIN\USERNAME or [email protected] the result will be the same.

Perhaps you don’t feel this is the right solution for you. You may only have one domain so why should you always write the domain in the log in box. If this is the case see solution 2.

Solution 2:

What you are able to do with SSO and vSphere 5.1 is to add your DOMAIN to the default domain list. you can only accomplish this from the vSphere Web Client. What you need to do is log in to with the user name [email protected] and the password defined for this user during installation. Then you go to “Home” – “Administration” – “Single sign-on and discovery” – Configuration. In the identity source window you select your domain and press the “add to default domains” button. If your domain is not present, then you need to add it. You can also add multiple other domains. After adding the domain to the list you then make sure that it is on top of the list in the “Default domains” window. And at the end you press the “Save” button.

By doing this you should now be able to log in without supplying your domain name in the vSphere Client or vSphere Web Client.

SSO

How to log in to Single Sign ON SSO in vSphere 5.5

vCenter: Cannot complete login due to an incorrect user name or password