Multiple vCSAs with external SSO linked on single Web Client (v5.5)
Building on my previous post about Adding Multiple vCenters onto a Single Web Client which was primarily designed for v5.1 of vSphere, I felt that we could take this a step further with a real world solution designed on v5.5.
The Scenario
So, the scenario is this… the customer has two data centers, which are at different ends of the UK. They will be using SRM to provide Disaster Recovery services at the second data center, and therefore will require two vCenter servers. With the release of v5.5, they realise that they do not need a Windows-based installation of vCenter due to the size of their environment, and would like to use vCenter Server Appliances (vCSAs) for their vCenters. Obviously, they understand some of the limitations and that they will still require Windows servers for SRM and some other features, but reducing the Windows licence count fits with their cost-saving model. To make life easier, they would like to utilise the same SSO environment for AD authentication into the environment, but also be able to see both vCSAs from a connection to a single Web Client.
Points to Consider
So… this looks quite straightforward, although the capability of utilising the same SSO environment with two vCSAs is not supported directly on the vCSAs. I therefore think that we should utilise an external SSO link that will see each vCSA connect to its own SSO server, with the two SSO servers joined using the distributed SSO features found in v5.5. The downside to this is that it will require an additional Windows server per vCSA for the SSO server.
SSO
- Start with building a new Windows server at each site
- Present the vCenter Server ISO to the Windows Server and begin the installation
- Select the option to install individual components, and select the Single Sign-On option
- Begin the installation of Single Sign-On
- You’ll be asked to accept the license agreement before clicking ‘Next’
- The installer will now perform a prerequisite check on the server; click ‘Next’ once this is completed.
- You are now presented with three options on how to install the Single Sign-On server. On the first site, select the first option ‘vCenter Single Sign-On for your first vCenter Server’ (on the second site you would actually select the second option ‘vCenter Single Sign-On for an additional vCenter Server in an existing site’, which will allow both vCenters to access the same LookupService information). The second site steps will be straightforward after performing the first site steps and therefore these are not listed.
- Click ‘Next’ to continue
- Create a complex password for the ‘Administrator’ account for the vSphere.local domain. Once created, confirm the password and then click ‘Next’ to continue
- You should now enter a suitable name for the Site – this name will be used across both sites in our design and therefore a name that makes sense when seen from both sites should be used. Click ‘Next’ once complete
- Keep the default HTTPS port for the installation and click ‘Next’
- Choose the location to install the software to and then click ‘Next’
- You are now asked to confirm the settings before clicking ‘Install’ to begin the actual installation
- The installation will take 5-10 minutes; click ‘Finish’ once it is completed.
- Repeat the process on the second site server utilising the changes for the second site mentioned earlier. Once completed, you should have a functional Single Sign-On server installation shared across the two sites. At this point, we can move onto the installation of the vCenter servers.
vCenter Server Installation
This process will be repeated on each site. Once you have downloaded the vCenter Server Appliance, you should log onto a vSphere server and click ‘File’, ‘Deploy OVF Template’
- Locate the OVA file that has been downloaded and then click ‘Next’
- Confirm the details of the OVF template and then click ‘Next’ to continue
- Enter a name for the server, click ‘Next’
- Choose a resource pool and then click ‘Next’
- Choose the storage location for the appliance and make sure that you select ‘Thick Provision Eager Zeroed’ when asked.
- Select the relevant network portgroup to utilise.
- Enter the ‘Hostname’, ‘Default Gateway’, ‘DNS’, ‘Network 1 IP Address’ and ‘Network 1 Netmask’ – you should also make sure that you create a static DNS entry for the vCSA appliances. Make sure that you enter the Hostname using the FQDN for the appliance… if you do not, you will not be able to connect this to an Active Directory environment later on.
- Confirm the settings and then click ‘Finish’ to begin the installation
- After a short while the appliance will be deployed and will be powered off. Power this on and the appliance will boot
- Once the appliance has finished booting up, you will be presented with a blue vCenter appliance management screen… you should use the web page listed to access the web interface for the next stage.
- You should then log onto the appliance web page using the VMware default username and password.
- Once logged on, you will be asked to accept the license agreement, tick the box and click ‘Next’
- After a short while, you are asked how you would like to configure the vCenter server. For our solution, we will initially be using the embedded SSO installation, which will then be connected to our external SSO environment later… I would still suggest selecting the ‘Set custom configuration’ option, then click ‘Next’.
- Accept the ‘Embedded’ type for the database, click ‘Next’
- Accept the ‘Embedded’ type for the SSO configuration, enter a relevant password and then click ‘Next’
- You should now configure your Active Directory settings: tick the ‘Active Directory Enabled’ box and then enter the domain username and password.
- Click ‘Next’ to continue
- Confirm these settings and then click ‘Start’ to apply the configuration.
- Once completed, you should be able to log onto the vCenter Web Client using the administrator@vsphere.local account and the password created in the vCSA installation process.
- Repeat this process for the second vCSA. You are now able to connect to each vCenter server individually without AD Authentication, and without them linked together.
Add AD Authentication to vCenter & Assign Administrator User
- This process should be performed on each vCSA and you should use the same account as an administrator
- Once logged onto the vCSA, click the ‘Administration’ link.
- Under the Single Sign-On option, click the ‘Configuration’ link and then the ‘Identity Sources’ tab
- Click the ‘+’ sign to add in the configuration created earlier, select the ‘Active Directory (Integrated Windows Authentication)’ option, make sure that the correct domain is listed and that ‘Use machine account’ is selected, before clicking ‘OK’
- This will now add the domain as an option for user rights.
- Return to the ‘Home’ page of the web client, click the ‘vCenter’ option and make sure that you are able to see ‘1’ vCenter Server listed. Click the ‘vCenter Server’ link to confirm that this is the server that you are expecting to see.
- Click the vCenter server name, then click ‘Manage’ and then ‘Permissions’
- Click the ‘+’ sign again, click the ‘Add’ button, select the newly added domain from the drop down list and search for the account that you wish to add as the administrator (this account should be used for both vCSAs).
- Add the account and then make sure that the user is given the ‘Administrator’ role
- Click ‘OK’ to confirm it
- The account that we add now will stay with the vCenter server, even though the SSO connection will change… this is a key point.
- Make sure that these steps are repeated on the second vCSA
Join vCSAs to Linked SSO Environment
- We move on now to join the vCSAs to the linked SSO environment we created earlier. We return to the vCSA configuration web interface to configure this. This process will need to be performed on each vCSA
- Once you have logged back onto the vCSA web interface, click the ‘SSO’ tab. Switch the ‘SSO deployment type’ to ‘External’. You are now asked to enter the name of an account that has the rights to register the vCenter with the SSO server. For this, enter the username as administrator@vsphere.local. The password will be the complex password you created when initially installing the SSO environment. You are also asked for the account that should be assigned as vCenter administrator; again, this would be administrator@vsphere.local
- For the lookup service location, you can simply enter the FQDN of the SSO server for the site with port 7444 into the URL box (eg. servername:7444)… when you then click away from the box, it will fill in the remaining details of the URL.
- The ‘Certificate Status’ will show up as ‘Untrusted’ in red; tick the box to ‘Trust SHA-1 Thumbprint’ and this will then change to green.
- Click ‘Save Settings’ to apply these settings. It may take around 10 minutes to convert the vCSA to use the external SSO.
- Repeat this process for the second site.
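Before ticking ‘Trust SHA-1 Thumbprint’, it is worth confirming that the thumbprint the vCSA displays really belongs to the certificate your SSO server serves on port 7444, otherwise you are trusting whatever answered on the wire. The following is an added example (not part of the original post) that fetches the SSO server’s certificate, prints its SHA-1 thumbprint in the same AA:BB:… form the vCSA shows, and compares it with the displayed value; `sso01.example.local` is a placeholder, and the `/lookupservice/sdk` path is the vSphere 5.5 default rather than something stated in the post.

```python
import hashlib
import socket
import ssl

LOOKUP_SERVICE_PORT = 7444  # the port the post enters as servername:7444


def lookup_service_url(fqdn: str, port: int = LOOKUP_SERVICE_PORT) -> str:
    """Expand host or host:port into the full Lookup Service URL the vCSA
    fills in (the /lookupservice/sdk path is the 5.5 default, assumed here)."""
    host = fqdn.strip().rstrip("/")
    if host.startswith("https://"):
        host = host[len("https://"):]
    if ":" not in host:
        host = f"{host}:{port}"
    return f"https://{host}/lookupservice/sdk"


def sha1_thumbprint(der_cert: bytes) -> str:
    """SHA-1 over the DER certificate, formatted as the vCSA displays it."""
    digest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise_thumbprint(thumbprint: str) -> str:
    """Drop separators and case so values copied from the vCSA UI, certmgr or
    openssl compare equal."""
    return "".join(c for c in thumbprint.upper() if c in "0123456789ABCDEF")


def thumbprints_match(displayed: str, computed: str) -> bool:
    """True only for two complete (40 hex digit) SHA-1 values that are equal."""
    a, b = normalise_thumbprint(displayed), normalise_thumbprint(computed)
    return len(a) == 40 and a == b


def fetch_server_thumbprint(fqdn: str, port: int = LOOKUP_SERVICE_PORT) -> str:
    """Retrieve the leaf certificate served on the SSO port and thumbprint it.
    Verification is off because we are fetching the cert in order to check it,
    not trusting it yet. Old SSO builds may need ctx.minimum_version lowered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            der = tls.getpeercert(binary_form=True)
    return sha1_thumbprint(der)


if __name__ == "__main__":
    server = "sso01.example.local"  # placeholder: the site's SSO server FQDN
    print(lookup_service_url(server))
    print("Server presents:", fetch_server_thumbprint(server))
```

Compare the printed thumbprint with the one in the vCSA ‘Certificate Status’ panel using `thumbprints_match()`; only tick the trust box when they agree.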
Finalise the AD Authentication & Confirm That Both Sites Can Be Seen
So now we reach the final part of our process. At this stage we have both vCSA appliances linking to the external SSO environment created earlier, but we are still unable to see both servers listed from the web client… this is because the AD Identity Source is removed from the vCSA configuration when moving to the external SSO environment. The last few steps below will add this back in again and then confirm that we can see both vCenters from the one interface.
- Log into the vCenter Web Client for the first site – log on as administrator@vsphere.local with the complex password created for the external SSO environment
- Once logged onto the vCSA, click the ‘Administration’ link.
- Under the Single Sign-On option, click the ‘Configuration’ link and then the ‘Identity Sources’ tab
- Click the ‘+’ sign to add in the configuration created earlier, select the ‘Active Directory (Integrated Windows Authentication)’ option, make sure that the correct domain is listed and that ‘Use machine account’ is selected, before clicking ‘OK’
- This will now link up the account added earlier with the domain we have just added. You should repeat this process whilst connecting to the second vCenter Web Client.
- Once these steps are completed, you should be able to log on as the account that was assigned as an administrator earlier and once logged on, you should see both vCenter servers listed. You can also assign the additional security that you wish to the environment.