VMware Cloud Community
lvaibhavt
Hot Shot

SSO in HA mode with LB

Hi All,

I read about SSO in HA mode and realized that we need to have a load balancer in place. This is needed so that when SSO A goes down, it can switch the requests over to SSO B.

For this to happen, we need to point the SSO components like Admin server - STS and others to this Load Balancer -- the Virtual IP.

What if the Load Balancer goes down -- will someone then be able to log in to the Virtual Infra?

Please correct me if I am wrong.

Thanks

0 Kudos
6 Replies
JagadeeshDev
Hot Shot

If the load balancer goes down, then you will not be able to reach the SSO server. SSO is required for the authentication verification of new user sessions. You would need to place a redundant load balancer to get rid of this.

http://www.myitblog.in/
0 Kudos
depping
Leadership

lvaibhavt wrote:

Hi All,

I read about SSO in HA mode and realized that we need to have a load balancer in place. This is needed so that when SSO A goes down, it can switch the requests over to SSO B.

For this to happen, we need to point the SSO components like Admin server - STS and others to this Load Balancer -- the Virtual IP.

What if the Load Balancer goes down -- will someone then be able to log in to the Virtual Infra?

Please correct me if I am wrong.

Thanks

I see no real value in SSO in HA mode, to be honest; it is too complex to set up and it just moves the SPOF to a different layer.

0 Kudos
logiboy123
Expert

I was using SSO in an HA configuration on my current project. I found it was extremely complex to set up and administer.

Further, we had failures in the environment where we were locked out because of the implementation. We switched to a multi-site configuration without HA. So each vCenter server had its own SSO server, which had its own SQL database. This worked much better than the previous configuration.

Generically speaking I don't think VMware PSO recommends implementing SSO HA, even though the feature is available.

Cheers,

Paul

0 Kudos
JimKnopf99
Commander

Hi,

I agree with the others. If you need a high-availability SSO Server, I would recommend using VMware Heartbeat.

I know it costs extra, but it works and it is not that complicated.

Frank

If you find this information useful, please award points for "correct" or "helpful".
0 Kudos
lvaibhavt
Hot Shot

Hi All,

Thank you for the suggestions.

If the SSO Server goes down, then please let me know if the options below are fine for recovering it, considering the SSO DB is not on the same server.

First >> Restore the backup of the SSO configuration to a new server

Second >> Take a clone of the SSO Server

Third >> Restore the SSO machine from backup applications like vRanger/Veeam.

Thanks

0 Kudos
lvaibhavt
Hot Shot

Hi All,

For a standalone SSO Server, below are the things I tested:

If we take a clone of the SSO server, bring the original one down, and power on the clone machine, authentication happens.
  I tried logging in to admin@system-domain via the Web Client and normally from the VI Client; it was working fine.

  I then powered off the cloned SSO server and powered on the original one. It was working well.
  I then again powered off the original SSO Server and powered on the clone. It was working fine.

  I took a backup of the SSO Server with Veeam and then restored it. I powered it on and the authentication was going fine.

  I took a snapshot of the SSO server and deleted the registry, then restored the snapshot. It was working fine.

  Earlier I had also taken a backup of the SSO configuration files and restored it on the new machine, and authentication was going fine.

  If none of the above works, then we can create a new SSO server and point VC and Inventory Service to this new server. Article # 2033620
 


Hope it helps



Thanks

Vaibhav

0 Kudos