More than a year after its release, vCenter Single Sign-On is still causing headaches.
Some users have not been able to upgrade from VMware Inc.'s vSphere 5.1 to vSphere 5.5, and others have not been able to authenticate once upgrading. The problems are widespread enough that the VMware Knowledge Base published workarounds this week, as well as a patch for the authentication issue.
Users also encountered Single Sign-On (SSO) installation and authentication errors when upgrading to vSphere 5.1 last year.
"For my use cases, I don't see much benefit of SSO -- especially when it causes these kinds of troubles," said Sean Duffy, an independent virtualization blogger in the United Kingdom.
Inside the latest vCenter Single Sign-On mess
The SSO feature in vCenter Server, introduced in version 5.1, replaced the standard Active Directory (AD) authentication measures that were in place in previous versions. It is designed to be an authentication broker between AD, other identity sources and various VMware products, such as vSphere and vCloud Director.
I didn't expect it to be this bad.
Sean Duffy, blogger
Users that try to upgrade from vSphere 5.1 to vSphere 5.5 may not be able to if vCenter SSO uses the default security certificates. Custom certificate users, those upgrading from earlier versions and new installations are not affected. VMware lists specific registry key changes that must be made, either before an attempted upgrade or after a failed upgrade, to avoid this problem.
The authentication problem, which Duffy encountered, occurs when vCenter SSO 5.5 runs on Windows Server 2012 and is part of an AD domain whose controller also runs on Windows Server 2012. It took Duffy about half a day to realize the problem was on VMware's end, not his, and it wasn't until the next day that he found a resolution, which he posted on his blog.
"I wasn't expecting it to work straight way, but I didn't expect it to be this bad," he said.
A faulty registry file is to blame, according to VMware. The company has released a new registry file and published installation instructions to fix the issue.
More on vSphere 5.5
VMware vSphere 5.5 takes aim at mission-critical workloads
VMware strengthens cloud, software-defined data center portfolio
There is also an issue where administrators can't install vCenter SSO 5.5 if their passwords contain certain characters, such as ampersands or quotation marks.
"To date, a limited number of customers have reported issues with upgrades to vCenter Single Sign-On 5.5," a VMware spokesperson said in an email statement.* "VMware Global Support Services is responding rapidly to address any related issues and is actively working with customers to help provide the smoothest upgrade experience possible."
The problems with vCenter SSO 5.5 aren't as significant as those that plagued users in version 5.1, and VMware's quick responses this week are promising signs, said Derek Seaman, a virtualization blogger.
"They were listening with all the unhappy customers last year," he said.
Effects on vSphere 5.5 upgrades
VMware rebuilt much of the vCenter Single Sign-On code after last year's debacle, so in many ways it's another brand new feature. That should give users pause before upgrading their production environments, Seaman said.
"I don't think anybody in their right mind would rush out and install it and use it," he said.
Users who automate vCenter authentication with scripts should also pay close attention before upgrading to vSphere 5.5, said Tim Antonowicz, senior solutions architect at Mosaic Technology, a VMware partner in Salem, N.H.
"If the authentication credentials need to be in a new format, there is a good deal of scripting out there that needs to be fixed," he said in an email. "This could be a challenge to get new installs of vSphere 5.5 to work with existing scripts."
Despite its early struggles, vCenter SSO will become a valuable feature when it extends to more VMware products, Seaman said.
"It's obviously here to stay," he said.
*Statement added after initial publication.
Dig Deeper on VMware management tools
Colin Steele asks:
How do you feel about vCenter Single Sign-On?
5 ResponsesJoin the Discussion