VMware vSphere 7 and higher only supports vCenter Server Appliance (VCSA) based architecture where a conversion utility is provided for Windows-based vCenter server and also for external Platform Service Controllers (PSC). Starting vCenter server 7 the deployment topology is fairly simpler than in previous releases as external PSCs are no longer supported.
The services provided by PSC in prior vCenter Server versions are directly integrated into vCenter Server Appliance 7.0. vCenter Single Sign-On that is part of the vCenter server, is an authentication service that utilizes a secure token exchange mechanism rather than requiring components to authenticate users per component.
Single Sign-On domain is basically a local domain for authentication. The default name is vsphere.local but it’s not mandatory as during the deployment you can override the default and chose a different name. The SSO authentication is able to authenticate also other products such as vRealize Operations etc.
When you deploy the vCenter server appliance you must create a new SSO domain or join an existing SSO domain. You should give your domain a unique name that is not used by Microsoft AD or OpenLDAP (if used within your environment).
vCenter SSO allows vSphere components to communicate with each other through a secure token mechanism.
vCenter SSO uses:
- Security Token Service (STS)
- SSL for secure traffic
- Authentication of users through Microsoft AD or OpenLDAP
- Authentication of solution through certificates
Once the VCSA is deployed you can access the SSO config through Administration > SSO
Predefined groups – VMware has predefined groups defined. Add users to one of those groups to enable them to perform the corresponding actions. Do not delete any of the predefined groups in the vsphere.local domain. If you do, errors with authentication or certificate provisioning might result.
Once there you can join the PSC to Microsoft AD and then only to ad AD as an identity source. Using the vSphere Client, log in to a vCenter Server associated with the Platform Services Controller (PSC) as a user with administrator privileges in the local vCenter Single Sign-On domain.
For topologies with multiple vCenter Servers and the transition to embedded PSCs, VMware has developed a new UI within vCenter Server where selected vCenter Server(s) can be converged to the embedded topology.
When running this utility, your external PSC will be shut down and unregistered from the single sign-on (SSO) domain.
The embedded PSC doesn’t only simplify the vCenter architecture and patching, but you also have fewer VMs to manage and less consumption of RAM, CPU, or storage. If you have large-scale architecture with many PSCs, then the conversion can save a good amount of resources.
You also can seamlessly migrate from Windows-based vCenter server into VCSA.
During the Migration Assistant process, you can monitor the migration and manage what you want to bring over with you. The previous version of vCenter might also have had an external database. You have the possibility to migrate the data from the external DB to the embedded PostgreSQL database in vCenter Server 7. You can also migrate vCenter tasks and history. The progress of the migration is shown in the browser window.
vCenter SSO Components
STS (security token service) – This service issues security assertion markup language (SAML) tokens. Those tokens represents the identity of a user in one of the identity source types supported by vCenter SSO. The vCenter Single Sign-On service signs all tokens with a signing certificate, and stores the token signing certificate on disk. The certificate for the service itself is also stored on disk.
Administration Server – allows users with admin privileges to vCenter SSO to configure the SSO server and manage users and groups from the vSphere web client.
Do not name the domain name with your Microsoft Active Directory or OpenLDAP domain name.
VMware Directory Service (vmdir) – the VMware Directory service (vmdir) is associated with the domain you specify during installation and is included in each embedded deployment and on each Platform Services Controller. This service is a multi-tenanted, multi-mastered directory service that makes an LDAP directory available on port 389. The service still uses port 11711 for backward compatibility with vSphere 5.5 and earlier systems. It stores SSO information and also certificates information.
Identity Management Service – handles identity sources and STS authentication requests.
Find other chapters on the main page of the guide – VCP7-DCV Study Guide – VCP-DCV 2021 Certification,
Thanks for reading and stay tuned for more…
Direct VMware Download/buy links: