Upgrading to ESXi 5.1: Single Sign On and Configuration

In addition to hardware and performance considerations, there are other significant changes that will affect your upgrade and your use of vSphere 5.1, especially if you have more than one vCenter. There is a new Single Sign On service that increases security and control by allowing the software components to communicate with each other through a secure token mechanism. Depending on the size and complexity of your installation, there may also be a changed setting for the vCenter Server Administrator(s) of your organization.

Single Sign On

When you upgrade to vCenter Server 5.1, the upgrade process will install vCenter Single Sign On first and then upgrade vCenter Server. You cannot assume that the local user accounts and Active Directory (AD) accounts that were pre-populated by the earlier version of vCenter will continue to work. If your vCenter is joined to an AD domain at the time that the Single Sign On software is installed, then that AD domain should be discovered and its identity added. If this does not occur, you will need to log on to the vCenter Server through the vSphere Web Client and add the AD domain to Single Sign On. Also, before you begin the upgrade process, make sure that all of your vCenters and hosts have their clocks synchronized to a reliable NTP server. This will avoid certificate and AD errors caused by a lack of time synchronization. For more information about these tasks, search for pubs.vmware.com and then for vSphere 5.1 Security.
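
A pre-upgrade check for the time-synchronization step above, as an added PowerCLI example (not from the original article or from VMware). It assumes an existing Connect-VIServer session, uses the workstation running the script as the reference clock (so that machine must itself be synchronized), and covers ESXi hosts only; the 60-second threshold is an assumed value.

```powershell
# Added example: pre-upgrade NTP and clock check for ESXi hosts.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
$maxSkewSeconds = 60   # assumed threshold, not a VMware-documented value

# Skip hosts that vCenter cannot currently reach
$hosts = Get-VMHost | Where-Object { $_.ConnectionState -notin 'Disconnected', 'NotResponding' }

$report = foreach ($vmhost in $hosts) {
    # NTP servers configured on the host, and the state of its ntpd service
    $ntpServers = @(Get-VMHostNtpServer -VMHost $vmhost)
    $ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }

    # Read the host's current time through its DateTimeSystem managed object
    $dts = Get-View -Id $vmhost.ExtensionData.ConfigManager.DateTimeSystem
    $hostTime = $dts.QueryDateTime().ToLocalTime()
    $skew = [math]::Round([math]::Abs(($hostTime - (Get-Date)).TotalSeconds), 1)

    [pscustomobject]@{
        Host        = $vmhost.Name
        NtpServers  = $ntpServers -join ', '
        NtpdRunning = [bool]$ntpd.Running
        NtpdPolicy  = $ntpd.Policy
        SkewSeconds = $skew
        # Flag hosts with no NTP server, a stopped ntpd, or excessive skew
        NeedsAction = ($ntpServers.Count -eq 0) -or (-not $ntpd.Running) -or ($skew -gt $maxSkewSeconds)
    }
}

# Hosts needing attention are listed first
$report | Sort-Object NeedsAction -Descending | Format-Table -AutoSize
```

Any host reported with NeedsAction set to True should have its NTP configuration corrected before Single Sign On is installed.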

Configuring a vCenter Administrator

It may seem unusual to be required to configure a vCenter Administrator as part of an upgrade but, because of the function of the Single Sign On authentication system, you should be ready for this issue. In vSphere versions prior to vSphere 5.1, vCenter Administrators are by default the users who belong to the local OS’s administrators group. In contrast, when you install vCenter Server in vSphere 5.1, you must provide the default (initial) vCenter administrator user or group. In this way, you have greater control and do not inadvertently give administrative control of your vCenter machine to Domain Admins who have no VMware experience.

In a small installation with one vCenter server and Single Sign On within the same box, the default setting is to designate the group Administrators as the vCenter Server administrative user. The assumption is that it’s the same person or group. For larger installations, where vCenter Single Sign On and vCenter Server are deployed on different hosts, you cannot preserve the same behavior as in vCenter 5.0. Instead, you will need to assign the vCenter Server administrator role to a user or group from a registered identity source. This source could be a vCenter Single Sign On server, AD domain controller, or other OpenLDAP server. You can add multiple AD or OpenLDAP domains to a single vCenter Server 5.1. For more information about these new features, read the PDF on vSphere 5.1 Security by searching for pubs.vmware.com and then for vSphere 5.1 Security.

Reproduced from Global Knowledge: Upgrading to ESXi 5.1 – Best Practices
