VMware Cloud Community
henry857
Contributor

Can I change the default vsphere.local domain for SSO post-installation?

I made an oopsy in my lab. My Windows domain is also vsphere.local. I think this is why I can't add my AD as an identity source.

What is the quickest way to clean this up?

11 Replies
abhilashhb
VMware Employee

What error does it throw when you try adding AD authentication? You cannot change the SSO domain. It will always be vsphere.local.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

henry857
Contributor

I go to administration --> Configuration --> Identity Sources --> +

I then select the AD integrated Windows authentication radio button, put in vsphere.local as my Windows domain, then keep the 'use machine account' radio selected. I receive the message that is attached below.

[attached screenshot: 10-27-2013 1-54-43 AM.jpg]

abhilashhb
VMware Employee

I think you have to change the domain name (rebuild/change the AD domain name) if you want to add AD authentication. AFAIK you cannot change the SSO domain, i.e. vsphere.local.


schepp
Leadership

Hi,

As Abhilash said, you can't change the default SSO domain. You will have to change your Windows domain name.

There are some articles in the MS Technet on how to do it. For example this: http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx

Regards

Zulu_Zeffir
Contributor

I know this post is dated, but this is not your problem from my understanding. Take a look at the link below; it states clearly that the vsphere.local domain is used internally only by the SSO server.

https://communities.vmware.com/message/2290905

henry857
Contributor

Zulu,

You're correct. vsphere.local is only used by SSO internally, meaning vsphere.local should not conflict with anything external to itself. But in my situation, the conflict is happening internally within SSO. It seems to me that SSO treats all domains equal, hence why I cannot add a vsphere.local windows domain. This was not my first 5.5 build and I never ran across this error - I may troubleshoot further to confirm/correct this but it's not on my radar.

Zulu_Zeffir
Contributor

I understand now. I suppose, depending on how many Windows machines you have, it would probably be much simpler to migrate to a different AD domain than to try to understand the inner workings of the SSO server.

ian_fletcher
Contributor

Hi Henry857,

I stumbled on this post while looking at the impact of the new vSphere 6 option that allows you to change the built-in SSO domain of vsphere.local and noticed that your post hadn't been flagged as answered.

I think the issue (as you probably worked out a long time ago) is that, while the SSO vsphere.local doesn't have any AD dependencies, it makes sense that you can't add another domain to SSO in order to authenticate users when SSO already has a domain of the same name. This would be the case with two different Windows domains that happened to have the same name.

It's a case of which AD SSO would pass the username/password to in order to authenticate. So in your case, if SSO had allowed you to add a Windows domain of vsphere.local, when you enter administrator@vsphere.local, which domain should SSO authenticate the credentials against?

Hope that makes sense.

sarikrizvi
Enthusiast

vSphere Domain Names

1. Each Platform Services Controller is associated with a vCenter Single Sign-On domain.

2. The domain name is used by the VMware Directory Service (vmdir) for all Lightweight Directory Access Protocol (LDAP) internal structuring.

3. Default domain name: vsphere.local for all vSphere versions.

    Condition I
        a. Your vSphere domain name is vsphere.local up to vSphere 5.5 and you don't have the option to change it.
        b. If you are upgrading from vSphere 5.5 to 6.x, your vSphere domain name remains the same (vsphere.local) and you don't have the option to change it.

    Condition II
        a. When you install a Platform Services Controller, you are prompted to create a vCenter Single Sign-On domain or join an existing domain.
        b. With vSphere 6.0 and later, you can give your vSphere domain a unique name (you can change the domain name now in a fresh/new installation).
        [screenshot: 6-vCSA-Install-Set-SSO-information.png]

    Note: To prevent authentication conflicts, use a name that is not used by OpenLDAP, Microsoft Active Directory, and other directory services.

    You cannot change the vSphere domain to which a Platform Services Controller or vCenter Server instance already belongs.


SSO Sites

1. You can organize SSO domains into logical sites.
2. A site in the VMware Directory Service is a logical container for grouping PSC instances within a vCenter Single Sign-On domain.
3. It's time to name the site where this SSO server is going to live. This is Site A, or you could give the name of the city/environment where the server lives (vSphere 5.5, 6.x).

    [screenshot: sitea-sso-site.jpg]

CMDs to get info...

To find your SSO Domain Name:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost

To find your SSO Site Name:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost

To find which PSC your vCSA is pointing to:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost

/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showservers -h localhost -u administrator

Regards,
SARIK (Infrastructure Architect)
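An added pre-check (example shell script, not code from any post in this thread) that ties ian_fletcher's point about ambiguous user@domain lookups to sarikrizvi's vmafd-cli command: it reads the SSO domain from the local node and refuses an AD identity source whose name would collide with it. The vmafd-cli path is the one quoted above; the fallback domain value and the function names are assumptions.

```shell
#!/bin/sh
# Added example: refuse to add an AD identity source whose domain name
# equals the vCenter SSO domain, because SSO could not tell which
# directory "user@domain" belongs to. Not from the thread's posts.

VMAFD_CLI=/usr/lib/vmware-vmafd/bin/vmafd-cli   # path quoted in the thread

# Read the SSO domain from the local PSC/vCSA. When vmafd-cli is not
# present (e.g. running this off-box), fall back to $1 as a constructed
# sample value so the script stays testable.
get_sso_domain() {
  if [ -x "$VMAFD_CLI" ]; then
    "$VMAFD_CLI" get-domain-name --server-name localhost
  else
    printf '%s\n' "${1:-vsphere.local}"   # constructed fallback (assumption)
  fi
}

# Lower-case a DNS name and drop a trailing dot so the comparison is fair.
normalize_domain() {
  d=${1%.}
  printf '%s\n' "$d" | tr '[:upper:]' '[:lower:]'
}

# Return 0 when the AD domain may be added, 1 when it collides with SSO.
check_identity_source() {
  sso=$(normalize_domain "$1")
  ad=$(normalize_domain "$2")
  if [ "$sso" = "$ad" ]; then
    echo "CONFLICT: AD domain '$2' equals SSO domain '$1'; one must be renamed" >&2
    return 1
  fi
  echo "OK: '$2' does not collide with SSO domain '$1'"
  return 0
}

# Stand-alone use: ./sso-domain-check.sh <ad-domain-you-want-to-add>
if [ -n "$1" ]; then
  check_identity_source "$(get_sso_domain)" "$1"
fi
```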
derrellb
Contributor

You can always deploy an external PSC and repoint your VCSA to that External PSC.  You will have to create a new name for the domain though.  So your VM environment will be "New-Name.local", and the Windows domain can remain the same.

bdubisz
VMware Employee

derrellb, actually, in vSphere 6.0 and 6.5 you can't repoint vCenter Server to a PSC that has been deployed in a different SSO domain.

Cross-SSO-domain repointing is only supported with Platform Services Controller 6.7 and vCenter Server 6.7 (and in 5.5 as well).

Repoint vCenter Server to External Platform Services Controller in a Different Domain
