Problems with the vSphere 5.1 Single Sign-On feature have stymied VMware shops and frustrated IT pros who say the...
code is not ready for prime time.
VCenter Single Sign-On (SSO), a new feature in vSphere 5.1, introduces a standalone server that acts as an authentication broker between administrators and various VMware products, including vCenter Server, vCloud Director and vShield. It is required before admins can install or upgrade any other component of vSphere 5.1. IT pros who have tried to upgrade to vSphere 5.1 have reported various SSO-related failures.
"Frankly, the head of vCenter [quality assurance] should be fired over these blatant lapses in quality control," said Derek Seaman, a vExpert struggling with these problems at a major telecom company.
SSO uses Secure Socket Layer (SSL) digital certificates to encrypt network traffic between, for example, a vCenter Server and a Microsoft SQL Server database. VMware uses standard certificates by default, but users can, and often do, replace these certificates with those signed by a trusted certificate authority to comply with security policies.
"The vCenter SSO service is barely even beta quality code, and the trusted SSL situation is even worse," Seaman said. "The forums are filled with installation problems, errors and highly frustrated users."
Documentation is another problem, as vSphere customers bemoan the dearth of available troubleshooting tools, best practices and other potentially helpful information.
"This should not have been part of the [general availability release], because it is not ready," said Maish Saidel-Keesing, an infrastructure administrator and virtualization architect with a technology company in Israel.
VMware said it is aware of the vSphere 5.1 Single Sign-On and SSL problems some customers have encountered and hinted that fixes may be on the way.
"As always, customers considering software upgrades are advised to read through the release documentation in preparation for the upgrade," a company spokesperson said in an email. "As new resolutions for problem areas such as those mentioned here are delivered, customers will be notified."
There are at least two Knowledge Base articles that attempt to address SSO problems, and VMware also published a blog post with more than two dozen links to resources about the SSO process.
"I don't think there is another page dedicated to troubleshooting any other component of the 5.1 release like this one," Saidel-Keesing said.
vSphere 5.1 Single-Sign On problems slow upgrades
Customers can avoid the vSphere 5.1 Single Sign-On problems with careful planning, said Michael Webster, a VMware Certified Design Expert and director of IT Solutions 2000 Ltd., a VMware consultancy based in Auckland, New Zealand.
"I wouldn't agree that customers shouldn't upgrade to 5.1," he said. "Many upgrades have been achieved successfully and without any major issues."
Still, some VMware channel partners said they’re holding off on vSphere 5.1 upgrades in customers' production environments for now.
"I haven’t upgraded any customers to 5.1 yet personally, partially because of the [problems] when I tried to update my own environment in my home lab," said Tory Skyers, a solutions architect for a major VMware partner, who said he has struggled with Active Directory authentication since installing SSO in the lab.
Another problem with SSO in some cases is connecting it with Microsoft SQL Server databases, particularly clustered instances. Other vCenter software uses Microsoft Open Database Connectivity, but vSphere 5.1 uses Java Database Connectivity, and it’s unclear whether this new connector supports clustered instances of SQL Server.
Also, in vSphere 5.1, it appears that each service -- SSO, Inventory, vCenter, Web Client, VMware Update Manager -- requires a unique SSL certificate, which stands in contrast to previous releases, Seaman said.
VMware has published a guide to replacing SSL certificates (PDF) in vSphere 5.1, but VMware's documentation has proven to be error-filled and inadequate, he said.
In particular, the vCenter 5.1 installation guide gives no examples of enabling SQL SSL encryption for the database connection, nor does it go over the steps to create a keystore, which is required for SQL SSL certificate verification, he added.