VMware vCenter Single Sign-On problems strike vSphere 5.5 upgraders

Another round of vSphere upgrades has uncovered more problems with vCenter Single Sign-On. Some users can't upgrade, and others can't authenticate.

More than a year after its release, vCenter Single Sign-On is still causing headaches.

Some users have not been able to upgrade from VMware Inc.'s vSphere 5.1 to vSphere 5.5, and others have not been able to authenticate after upgrading. The problems are widespread enough that the VMware Knowledge Base published workarounds this week, as well as a patch for the authentication issue.

Users also encountered Single Sign-On (SSO) installation and authentication errors when upgrading to vSphere 5.1 last year.

"For my use cases, I don't see much benefit of SSO -- especially when it causes these kinds of troubles," said Sean Duffy, an independent virtualization blogger in the United Kingdom.

Inside the latest vCenter Single Sign-On mess

The SSO feature in vCenter Server, introduced in version 5.1, replaced the standard Active Directory (AD) authentication measures that were in place in previous versions. It is designed to be an authentication broker between AD, other identity sources and various VMware products, such as vSphere and vCloud Director.


Users who try to upgrade from vSphere 5.1 to vSphere 5.5 may be unable to do so if vCenter SSO uses the default security certificates. Custom certificate users, those upgrading from earlier versions and new installations are not affected. VMware lists specific registry key changes that must be made, either before an attempted upgrade or after a failed upgrade, to avoid this problem.

The authentication problem, which Duffy encountered, occurs when vCenter SSO 5.5 runs on Windows Server 2012 and is part of an AD domain whose controller also runs on Windows Server 2012. It took Duffy about half a day to realize the problem was on VMware's end, not his, and it wasn't until the next day that he found a resolution, which he posted on his blog.

"I wasn't expecting it to work straight away, but I didn't expect it to be this bad," he said.

A faulty registry file is to blame, according to VMware. The company has released a new registry file and published installation instructions to fix the issue.


There is also an issue where administrators can't install vCenter SSO 5.5 if their passwords contain certain characters, such as ampersands or quotation marks.

"To date, a limited number of customers have reported issues with upgrades to vCenter Single Sign-On 5.5," a VMware spokesperson said in an email statement.* "VMware Global Support Services is responding rapidly to address any related issues and is actively working with customers to help provide the smoothest upgrade experience possible."

The problems with vCenter SSO 5.5 aren't as significant as those that plagued users in version 5.1, and VMware's quick responses this week are promising signs, said Derek Seaman, a virtualization blogger.

"They were listening with all the unhappy customers last year," he said.

Effects on vSphere 5.5 upgrades

VMware rebuilt much of the vCenter Single Sign-On code after last year's debacle, so in many ways it's another brand new feature. That should give users pause before upgrading their production environments, Seaman said.

"I don't think anybody in their right mind would rush out and install it and use it," he said.

Users who automate vCenter authentication with scripts should also pay close attention before upgrading to vSphere 5.5, said Tim Antonowicz, senior solutions architect at Mosaic Technology, a VMware partner in Salem, N.H.

"If the authentication credentials need to be in a new format, there is a good deal of scripting out there that needs to be fixed," he said in an email. "This could be a challenge to get new installs of vSphere 5.5 to work with existing scripts."

Despite its early struggles, vCenter SSO will become a valuable feature when it extends to more VMware products, Seaman said.

"It's obviously here to stay," he said.

*Statement added after initial publication.


How do you feel about vCenter Single Sign-On?

They should have at least provided a workaround or not made it mandatory.

Forcing use of a web-based management utility (phasing out vSphere Client) and replacing it with a lackluster product not fully capable of being a full-blown replacement regardless.

cs512tr, is SSO still causing problems for you?

AD was just fine; having to mess with SSO on big companies is just a complete headache... and time consuming...

Our AD integration is broken since the update to 5.5 because our user accounts have their e-mail address as a name alias. Our AD users are in the subdomain sub.company.com but their e-mail address is: user@company.com. In the VMware logs we can see that SSO uses the domain suffix from the e-mail address instead of the provided credentials. The login name SUBDOMAIN\user is transferred into user@company.com. No fixes available so far!

VMware has not released any documentation on scripting SSO. That is causing me more headaches than anything. The .exe for installing SSO is missing in the RTM and I finally figured out that I had to install each and every one of the items in the Prerequisites folder prior to installing SSO with the .msi. I am still trying to figure out how to set up identity sources via script. I would hate to think I will have to reverse engineer their Java code to figure it out.

Nice improvement in 5.5

It's an improvement.

Major improvement over 5.1

It's much better than in 5.1.

It is much simpler and more efficient.

Visible improvements from 5.1

Although a small issue, which I can understand, the promptness with which the issue was documented and fixed seems a major plus. I'm using 5.5 without any issues with my upgrade. There is so much more to like in 5.5.

Better now

It is not bad at all, I like it.

From what I hear this has only affected a small amount of users and they have been left operational when rolled back, unlike with 5.1 where you were hosed completely.

This was released last Sunday (5 days ago) and VMware has been very reactive to those that have experienced issues. A vast improvement.

Like!

It needs to be taken out.

I like it

This is going to be here for sure. SSO is a very valuable asset for enterprises going forward.

The reason the KB was published so soon after the product shipped is that VMware is responsive to customers' reports regardless of how few such reports were.

SSO is bad Thing Software.

I didn't like it to start but as it is here to stay I did a couple of labs and I like it now!!

It's OK.

Call it vCUF: Complete Useless Feature

I guess that with following the best practices and the instructions of VMware the SSO problems will be solved. Personally I have performed an in-place upgrade from vSphere 4.1U1 to vSphere 5.1U1, then from 5.1U1 to 5.5, and I have not had problems; the most problems that I encountered were on the first upgrade (from 4.1U1 to 5.1U1).

Hey - at least it ain't M$

SSO installation is much better than 5.1

Works really bad if you have trusted AD and groups with mixed people from different ADs.

I have yet to be able to upgrade in a lab env, dread having to do it at a customer site - VMware should have tested this more thoroughly.

I wish VMware would leave AD authentication alone. What exactly is the driving force behind pushing SSO?

5.1 was a pain to get running. Now I see 5.5 is giving me grief also.

It's pretty bad. I don't see the value in an enterprise, maybe for a service provider.

Fortunately, I am experienced enough with Microsoft Enterprise CA; a lot of folks are not. I thought SSO for 5.1 was easy compared to SSO for 5.5. Took me 3 full days of reading multiple articles before I got it working in a test environment. Nothing should be that loosely documented; you have to read several dozen articles to get the big picture. My trimmed down steps only take a page, along with some custom scripts.
