vSphere 5.1 Single Sign-On problems dog VMware shops

VMware customers have encountered numerous problems with vSphere 5.1's Single Sign-On feature, and that's holding some shops back from upgrading.

Problems with the vSphere 5.1 Single Sign-On feature have stymied VMware shops and frustrated IT pros who say the...

code is not ready for prime time.

VCenter Single Sign-On (SSO), a new feature in vSphere 5.1, introduces a standalone server that acts as an authentication broker between administrators and various VMware products, including vCenter Server, vCloud Director and vShield. It is required before admins can install or upgrade any other component of vSphere 5.1. IT pros who have tried to upgrade to vSphere 5.1 have reported various SSO-related failures.

"Frankly, the head of vCenter [quality assurance] should be fired over these blatant lapses in quality control," said Derek Seaman, a vExpert struggling with these problems at a major telecom company.

SSO uses Secure Socket Layer (SSL) digital certificates to encrypt network traffic between, for example, a vCenter Server and a Microsoft SQL Server database. VMware uses standard certificates by default, but users can, and often do, replace these certificates with those signed by a trusted certificate authority to comply with security policies.

"The vCenter SSO service is barely even beta quality code, and the trusted SSL situation is even worse," Seaman said. "The forums are filled with installation problems, errors and highly frustrated users."

Documentation is another problem, as vSphere customers bemoan the dearth of available troubleshooting tools, best practices and other potentially helpful information.

"This should not have been part of the [general availability release], because it is not ready," said Maish Saidel-Keesing, an infrastructure administrator and virtualization architect with a technology company in Israel.

VMware's response

VMware said it is aware of the vSphere 5.1 Single Sign-On and SSL problems some customers have encountered and hinted that fixes may be on the way.

"As always, customers considering software upgrades are advised to read through the release documentation in preparation for the upgrade," a company spokesperson said in an email. "As new resolutions for problem areas such as those mentioned here are delivered, customers will be notified."

There are at least two Knowledge Base articles that attempt to address SSO problems, and VMware also published a blog post with more than two dozen links to resources about the SSO process.

"I don't think there is another page dedicated to troubleshooting any other component of the 5.1 release like this one," Saidel-Keesing said.

vSphere 5.1 Single-Sign On problems slow upgrades

Customers can avoid the vSphere 5.1 Single Sign-On problems with careful planning, said Michael Webster, a VMware Certified Design Expert and director of IT Solutions 2000 Ltd., a VMware consultancy based in Auckland, New Zealand.

"I wouldn't agree that customers shouldn't upgrade to 5.1," he said. "Many upgrades have been achieved successfully and without any major issues."

Still, some VMware channel partners said they’re holding off on vSphere 5.1 upgrades in customers' production environments for now.

"I haven’t upgraded any customers to 5.1 yet personally, partially because of the [problems] when I tried to update my own environment in my home lab," said Tory Skyers, a solutions architect for a major VMware partner, who said he has struggled with Active Directory authentication since installing SSO in the lab.

Another problem with SSO in some cases is connecting it with Microsoft SQL Server databases, particularly clustered instances. Other vCenter software uses Microsoft Open Database Connectivity, but vSphere 5.1 uses Java Database Connectivity, and it’s unclear whether this new connector supports clustered instances of SQL Server.

Also, in vSphere 5.1, it appears that each service -- SSO, Inventory, vCenter, Web Client, VMware Update Manager -- requires a unique SSL certificate, which stands in contrast to previous releases, Seaman said.

VMware has published a guide to replacing SSL certificates (PDF) in vSphere 5.1, but VMware's documentation has proven to be error-filled and inadequate, he said.

In particular, the vCenter 5.1 installation guide gives no examples of enabling SQL SSL encryption for the database connection, nor does it go over the steps to create a keystore, which is required for SQL SSL certificate verification, he added.

Beth Pariseau is a senior news writer for SearchCloudComputing.com and SearchServerVirtualization.com. Write to her at bpariseau@techtarget.com or follow @PariseauTT on Twitter.

Dig Deeper on VMware virtualization

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

49 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Have vSphere 5.1 Single Sign-On problems kept you from upgrading?
Cancel
I did have a problem, with one of the sites, installing it on the vcenter. But I created a separate vm and installed it there successfully.
Cancel
Never ever had issues upgrading VMWare…until now…
Cancel
I will wait a while longer now before starting the upgrade.
Cancel
Yeah, I’ll wait until things are ironed out. Feels like a beta if there ever was one!
Cancel
Even with a basic fresh install on a new W2K8R2 server (using the bundled Express database) I am having the following errors.
Error: 29103 Cannot read file/directory
Error:20020 Failed to update values in server.xml file
Holding off upgrade to 5.1 until a stable release is out.
Cancel
Lack of documentation and inadequate overview of these new pieces in VSphere 5.1 is not so clear to proceed with the Prod Vcenter upgrade.
Cancel
I upgraded a test bed ESXi server to 5.1 - haven't had any issues. My production server is still on 5.
Cancel
This was poorly thought through. Upgrade process from the previous version to 5.1 was a sham. Installation of a clean 5.1 environment has to be careful everything from UPPERCASE domain names in AD to reading the first page of the application bootup (after accepting license). Modifications to how DNS retrieves names is also required in some scenarios. The installer should be bullet proof and there should have been some better documentation. Half of the problems I figured out based on other Appliances VMware has and exhibited similar issues. In the end it works, with a lot of caveats to the term 'works'. They have such a great history with installs, but this screw up is blight on their record. Issues with installs are part of the testing process, but the amount of work to get my test environment working was brutal, then replicating it in production felt like retracing steps through a mine field. The Vsphere appliance is supposed to save time and money not burn through it. They did not test this product enough, if they did it was in sterile room with the programmer doing the install with a caveat list in a perfect scenario. Poor job.
Cancel
No issues. Need to understand it better to avoid any issues
Cancel
Since it has no use to my environment i can not think why should not upgrade to 5.1
Cancel
worst release ever
Cancel
The install is "mostly" simple. However a lot of thinking needs to go into the install. Especially if operating in a large enviroment...

I also have to add to the list of touble by sayin that the ORACLE part of the installer is FU'ed. After spending 4h on the problem and then having a bit of play. I have to say that the concept of SSO is solid and will improve (once its not 1.0 anymore) the vStack.

Another problem that really got to me is the missing doco about DB requiremnts for 5.1.
Cancel
Fix it!
Cancel
Will wait for the dust to settle and be swept up before upgrading.
Cancel
Force any feature adoption is never a good idea, but one as critical as SSO is blocker for many.
Cancel
Awaiting for patches to come
Cancel
Spent 3 hours going in circles in my home lab. Very frustrating.
Cancel
Opened a support call with VMware two days ago, no response from them yet.
Cancel
known problem with nfs datastores on synology nas
Cancel
Ever since 5.x releases certificates have been the bane on their products. Hope vCert Mgr comees very soon.
Cancel
Upgraded successfully to 5.1. Before proceed with SSO installation, need to create SSO RSA database manually by executing DBScripts.

Hitender Singh kanwar
Cancel
Not even beta status
Cancel
NBD, right! Stop the vCenter service and see what happens. No login to vCenter without SSO. Things keep running but no login until you fix SSO. So for SMB I need two SSO in HA config with a load balancer to protect my environment. CRAZY
Cancel
i feel ms nipping at vmwares heal
Cancel
Cautiously paused, eagerly waiting relevant and specific repairs.
Cancel
I am hoping for a patch or update1 on this fairly quickly...
Cancel
I want to make it clear so everyone understands. Clustered database configurations are not supported with SSO. There are other components that also do not support clustered database configurations. I will be publishing my normal high quality processes for changing out SSL certs once we've worked through some of the challenges around it.
Cancel
Had to create 3 test environments, before I finally managed to create a setup that worked.
Cancel
VMware has a long history of locking customers into its product range rather than letting companies choose what technologies they want in their clouds. An example of this is VMware’s recent release of its vSphere V5.1 where the pricing model has changed yet again. The fact that they change the pricing model regularly is all part of the vendor lock-in approach. What you are doing today might appear to be cheaper but VMware wants to make you pay in the long term. When you pay for a VMware license you pay for lots of features that you may not even use. We've spoken to customers who were having to pay for the enterprise licensing because they can’t live without one feature but the price difference between a standard and enterprise license is almost 300% - and they’re having to pay that just for one feature they need. Cloud services companies would be better served evaluating solutions that take advantage of the technology they already have and which avoid vendor lock-in. There are cloud management platforms available now that are safe, secure, and interoperable with multiple hypervisors and heterogeneous infrastructure.
Jim Darragh, CEO, Abiquo
Cancel
I'll wait until the installation process is more automated. Meanwhile I'll stay with 4.1.
Cancel
Issues with SSO caused the upgrade fail
Cancel
I will appreciate if VMware provides more information / patch or update on this matter.
Cancel
Clustered database environments are fine as long as DBAs understand how to set a static port for the named instance.
Cancel
Total crap of product
Cancel
I have not upgraded because Active Directory integration works just fine.
Cancel
horrible problems with multisites vcenters/ SSO and Web Client since 5.1. we have to unlink all our vcenters
Cancel
It has not been easy to work with this new process. Even trying to create it from scratch has been problematic.
Cancel
SSO behind F5 load balancer... No real documentation for this setup (only for apache). Bad experience overall
Cancel
Not Ready For Prime Time
Cancel
Things are going smooth and we simply don't want to risk it right now.

We hope they fix this soon because we're missing out on some very nice enhancements.
Cancel
VMware really missed on this one. The fact that VMware boasts about all the support and KB pages available for this product tells you how poorly thought out it was.
Cancel
Due to clustered SQL named instance used in existing vcenter 5.0 unable to upgrade successfully as single sign on installation is not going through.
Cancel
Now its much matured product ...Everybody can go ahead and use SSO....

SSO is going to be very helpful component
Cancel
I need a clarification on the ESx firmware upgrade 4.1 to 5.1
Cancel
I am still not sure if vCenter Server 5.1 Update 1b fixes all the issues.
Cancel
I have upgraded, but am still having problems registering vcenter with the web client, beit via the admin-app or via the scripts.
Cancel
Running on Win Svr 2008 and constant rollbacks no matter what I try. Awful...
Cancel
We could upgrade without any issues.
Cancel

-ADS BY GOOGLE

SearchVMware

SearchWindowsServer

SearchCloudComputing

SearchVirtualDesktop

SearchDataCenter

Close