Accepted Solutions
Sure, I'll be glad to assist you, Tony! Admittedly, I thought the vSphere 5.1 Installation and Setup Guide was a little kludgy on SSO, too.
Assuming you already have a supported MSSQL DB running and are installing SSO on another Windows VM or server (separating SSO from vCenter is a best-practice), here's what I recommend you do to turn up SSO with a remote MSSQL DB (not a local MSSQLEXPRESS).
Note:Your SSO Windows server doesn't have to belong to an AD domain at this point since you can associate SSO with AD et al. later via the vCenter Web Client, but if it is joined before running the SSO install, it will save you this step.
While there may be other supported methods to install SSO, here are the basic steps that worked for me:
- Locate the rsaIMSLiteMSSQLSetupTables.sql on the vCenter 5.1 installation ISO ([CD Drive]:\Single Sign On\DBScripts\SSOServer\schema\mssql\) and double-click on it within the server running MSSQL, which will open up in SQL Management Studio for editing.
- Edit three[C:\CHANGEME\...] paths in the SQL script with the appropriate folder paths to your DBs & Trans Logs. In my case, I put the DB and Index on D:\MSSQL\DB and the Logs on E:\MSSQL\LOGS
- Execute the script and if all is well, it will create an RSA database in MSSQL and complete successfully
- [IMPORTANT] Right-click on the top-level SQL Server icon and Select Properties, highlight Security and select the SQL Server and Windows Authentication mode (this is now a VMware requirement as indicated on page 241 of the vSphere 5.1 Installation and Setup Guide) and click OK.
- Restart MSSQL Service & Agent for this setting to take effect.
- Create a new SQL user account (i.e. sso) under MSSQL Server -> Security -> Logins in the SQL Management Studio hierarchy (ensure the account won't require you to change the password upon first login) and give it SYSADMIN Server Role and dbo to the RSA DB under User Mapping, click OK.
- Note:You can avoid running the other SQL "users" script mentioned in thevSphere 5.1 Installation and Setup Guide for SSO user creation if you do this step and let the SSO installer create the users needed instead.
- Note:You can avoid running the other SQL "users" script mentioned in thevSphere 5.1 Installation and Setup Guide for SSO user creation if you do this step and let the SSO installer create the users needed instead.
- Log into your soon to be SSO Windows server as an Administrator
- Note:Ensure your Windows server is properly Hostname'd, IP'd, with forward and reverse DNS and clocks sync'd. See documentation for other general prerequisites, if needed. You can join it to an AD domain if you wish at this time.
- Note:Ensure your Windows server is properly Hostname'd, IP'd, with forward and reverse DNS and clocks sync'd. See documentation for other general prerequisites, if needed. You can join it to an AD domain if you wish at this time.
- Launch the vCenter 5.1 SSO installer from the vCenter 5.1 ISO.
- Create a primary node for SSO (assuming this is your first one), click Next.
- Select Create the primary node for a new vCenter Single Sign On installation (so you can scale later on), click Next.
- Enter in whatever master password you wish to use for SSO, click Next.
- Select Use an existing supported database, click Next
- Note:Since SSO uses JDBC, there is no need to create a ODBC System DSN for SSO.
- Note:Since SSO uses JDBC, there is no need to create a ODBC System DSN for SSO.
- Enter, RSAin the Database Name field, enter the FQDN of your MSSQL server in the Host name or IP address field and, lastly, enter sso (from my example earlier) in the Database user name field as well as the password you established, click Next.
- Note: nothing else on this page needs to be modified
- Note: nothing else on this page needs to be modified
- Enter in to FQDN of the SSO server (not the IP!), click Next.
- Keep checkbox Use network service account, Click Next
- Note:Since I didn't really have any specific guidance about using a service account with SSO, I just went with the default for now. Perhaps in the future I'll use a service account, but given SSO is somewhat AD independent I thought I'd go with a safe choice and not use an AD service account that could be revoked if SSO was detached from that AD in the future.
- Note:Since I didn't really have any specific guidance about using a service account with SSO, I just went with the default for now. Perhaps in the future I'll use a service account, but given SSO is somewhat AD independent I thought I'd go with a safe choice and not use an AD service account that could be revoked if SSO was detached from that AD in the future.
- Select your favorite installation folder, Click Next.
- Keep default port, Click Next.
- Click Install!
SSO should install properly and create the appropriate SQL user accounts called RSA_USER & RSA_DBA.
- Disable or delete the sso SQL Admin account you created as it's no longer needed once SSO is installed.
Next, Install the vCenter Inventory Service wherever you like as well as the vCenter Server and Web Client (i.e. separate VMs)
Tip:You can no longer just log into vCenter 5.1 using a local (Windows) administrator account via the vSphere 5.1 Client. To establish vCenter Administrator rights to a Windows/AD user account (assuming SSO has been associated with AD), first log into vCenter (via vSphere 5.1 Client) using admin as the Username and the SSO master password you created during the installation of SSO. That will get you in and you can make permission adjustments as necessary. 
Before I'm totally flamed for what others might offer as a more refined way to get SSO stood up, I realize VMware offers a few different implementation approaches and perhaps new best-practices will emerge in the coming months. My intention was to share with Tony my success in getting SSO online and I hope this helps others struggling with this new vCenter service.
Please feel free to comment as to anything you feel could be improved upon with these general installation steps or let me know how this worked out for you.
-Matt
Sure, I'll be glad to assist you, Tony! Admittedly, I thought the vSphere 5.1 Installation and Setup Guide was a little kludgy on SSO, too.
Assuming you already have a supported MSSQL DB running and are installing SSO on another Windows VM or server (separating SSO from vCenter is a best-practice), here's what I recommend you do to turn up SSO with a remote MSSQL DB (not a local MSSQLEXPRESS).
Note:Your SSO Windows server doesn't have to belong to an AD domain at this point since you can associate SSO with AD et al. later via the vCenter Web Client, but if it is joined before running the SSO install, it will save you this step.
While there may be other supported methods to install SSO, here are the basic steps that worked for me:
- Locate the rsaIMSLiteMSSQLSetupTables.sql on the vCenter 5.1 installation ISO ([CD Drive]:\Single Sign On\DBScripts\SSOServer\schema\mssql\) and double-click on it within the server running MSSQL, which will open up in SQL Management Studio for editing.
- Edit three[C:\CHANGEME\...] paths in the SQL script with the appropriate folder paths to your DBs & Trans Logs. In my case, I put the DB and Index on D:\MSSQL\DB and the Logs on E:\MSSQL\LOGS
- Execute the script and if all is well, it will create an RSA database in MSSQL and complete successfully
- [IMPORTANT] Right-click on the top-level SQL Server icon and Select Properties, highlight Security and select the SQL Server and Windows Authentication mode (this is now a VMware requirement as indicated on page 241 of the vSphere 5.1 Installation and Setup Guide) and click OK.
- Restart MSSQL Service & Agent for this setting to take effect.
- Create a new SQL user account (i.e. sso) under MSSQL Server -> Security -> Logins in the SQL Management Studio hierarchy (ensure the account won't require you to change the password upon first login) and give it SYSADMIN Server Role and dbo to the RSA DB under User Mapping, click OK.
- Note:You can avoid running the other SQL "users" script mentioned in thevSphere 5.1 Installation and Setup Guide for SSO user creation if you do this step and let the SSO installer create the users needed instead.
- Note:You can avoid running the other SQL "users" script mentioned in thevSphere 5.1 Installation and Setup Guide for SSO user creation if you do this step and let the SSO installer create the users needed instead.
- Log into your soon to be SSO Windows server as an Administrator
- Note:Ensure your Windows server is properly Hostname'd, IP'd, with forward and reverse DNS and clocks sync'd. See documentation for other general prerequisites, if needed. You can join it to an AD domain if you wish at this time.
- Note:Ensure your Windows server is properly Hostname'd, IP'd, with forward and reverse DNS and clocks sync'd. See documentation for other general prerequisites, if needed. You can join it to an AD domain if you wish at this time.
- Launch the vCenter 5.1 SSO installer from the vCenter 5.1 ISO.
- Create a primary node for SSO (assuming this is your first one), click Next.
- Select Create the primary node for a new vCenter Single Sign On installation (so you can scale later on), click Next.
- Enter in whatever master password you wish to use for SSO, click Next.
- Select Use an existing supported database, click Next
- Note:Since SSO uses JDBC, there is no need to create a ODBC System DSN for SSO.
- Note:Since SSO uses JDBC, there is no need to create a ODBC System DSN for SSO.
- Enter, RSAin the Database Name field, enter the FQDN of your MSSQL server in the Host name or IP address field and, lastly, enter sso (from my example earlier) in the Database user name field as well as the password you established, click Next.
- Note: nothing else on this page needs to be modified
- Note: nothing else on this page needs to be modified
- Enter in to FQDN of the SSO server (not the IP!), click Next.
- Keep checkbox Use network service account, Click Next
- Note:Since I didn't really have any specific guidance about using a service account with SSO, I just went with the default for now. Perhaps in the future I'll use a service account, but given SSO is somewhat AD independent I thought I'd go with a safe choice and not use an AD service account that could be revoked if SSO was detached from that AD in the future.
- Note:Since I didn't really have any specific guidance about using a service account with SSO, I just went with the default for now. Perhaps in the future I'll use a service account, but given SSO is somewhat AD independent I thought I'd go with a safe choice and not use an AD service account that could be revoked if SSO was detached from that AD in the future.
- Select your favorite installation folder, Click Next.
- Keep default port, Click Next.
- Click Install!
SSO should install properly and create the appropriate SQL user accounts called RSA_USER & RSA_DBA.
- Disable or delete the sso SQL Admin account you created as it's no longer needed once SSO is installed.
Next, Install the vCenter Inventory Service wherever you like as well as the vCenter Server and Web Client (i.e. separate VMs)
Tip:You can no longer just log into vCenter 5.1 using a local (Windows) administrator account via the vSphere 5.1 Client. To establish vCenter Administrator rights to a Windows/AD user account (assuming SSO has been associated with AD), first log into vCenter (via vSphere 5.1 Client) using admin as the Username and the SSO master password you created during the installation of SSO. That will get you in and you can make permission adjustments as necessary.
Before I'm totally flamed for what others might offer as a more refined way to get SSO stood up, I realize VMware offers a few different implementation approaches and perhaps new best-practices will emerge in the coming months. My intention was to share with Tony my success in getting SSO online and I hope this helps others struggling with this new vCenter service.
Please feel free to comment as to anything you feel could be improved upon with these general installation steps or let me know how this worked out for you.
-Matt
Hi TonyNguyen ,
Welcome to the communities .
I dont think anything more have to comment after reading MATTBR comment. Its excellent .
TOO LONG DIDN'T READ
..
Just kidding. 
Matt. Looks very comprehensive, thank you for the detailed reply. I will try this out right away and let you know what happens. Your 6 posts doesn't represent the knowledge dimes you are dropping!
Hi TonyNguyen.
I got the same error when I followed these steps. The problem for me was when I made the user "sso" I had him checked to enter a new password on first login. Try making a connection to your DB with the user "sso" and see if he needs to change his password.
After I changed the password of "sso" my install went fine.
Hope this helps you
Guess I made the assumption that folks would uncheck that SQL login option when creating a new admin account. I've updated the tasks...thanks for pointing it out.
Hi Matt,
No problem. The exercise has encouraged me to be better at SQL troubleshooting.I resolved the issues but unfortunately I can't say for sure that the checkbox is the problem because bad me made 10 changes at the same time.
The summary key points for me was:
1.) Create the service account first. Give it local admin to the SSO box, and sysadmin privileges in SQL.
2.) Create the database with the included script. This makes a database named 'RSA'
3.) Log into the SSO server as the account created in key point 1.
4.) Load the SSO installer and configure with the following settings:
Database Type: MSSQL
Database Name: RSA (if you went with the default created by the sql script)
Host Name or IP: The FQDN of the SQL server. For example, SQL01.CONTOSO.COM
Port: 1443
Use Windows Authentication checked
And like Hugo mentioned, firewalls between the SSO/VMWare Innventory/vCenter/SQL should be verified for troubleshooting.
Thanks everyone for the help.
I'm writing up a series of vCenter 5.1 installation blogs, walking through the entire process and configuring trusted SSL certificates. I ran into a number of issues, so the instructions work around the hicups I found in my environment.
http://derek858.blogspot.com/2012/09/vmware-vcenter-51-installation-part-1.html
Still several posts left, but I'm working through them as fast as I can in my spare time.