I've just installed vCenter 5.1 Update1a into my test environment and have also installed the vSphere Web Client. Part of the vSphere Web Client installation requires you to enter the admin@system-domain password so that it can authenticate with SSO.
My concern is that in my production environment we have several teams who are responsible for their own VMs, with restricted access just to be able to power down, power off, reset the machine. I'm assuming that I will need to provide them with the vSphere Web Client; however, does this mean that I then need to divulge the admin@system-domain password?
You do not have to give them the password for this account as this is only used for configuring the SSO instance itself.
If you have a domain then add this as an Identity Source and then add users in vCenter as usual. In the Web Client, log in as your admin@System-Domain and click Administration - Sign-On and Discovery - Configuration - Identity Sources. From here click on the + button to "Add Identity Source" and add your AD details. If you need your domain to be implicit when logging on (i.e. you don't want to type DOMAIN\username) then just add the Identity Source to the Default Domains and click on the save button.
If you have local accounts on the vCenter box then you can just add these users through vCenter too.
Two essential things to note with SSO though: don't lose your admin@System-Domain password, and make sure you back up SSO. Losing SSO (or access to SSO) will lead to lots of pain!
Hi Danny, thanks for the quick response.
So when I installed vCenter 5.1 I chose the 'Simple Install', which, if logged in as a domain user, will create your identity source automatically, and it seems to work fine.
My concern is that I will obviously need to give other users in my department access to vSphere Web Client, and when you launch the install it presents the 'vCenter Single Sign On Information' screen with prepopulated data. It asks for the following:
'vCenter Single Sign On Administrator user' which is prepopulated with admin@System-Domain
'vCenter Single Sign On administrator password'
'Lookup Service URL: https://<SSO Machine FQDN or IP>:7444/lookupservice/sdk'
Sounds to me like your browser has just autofilled the username. If you log in as the local admin for the vCenter VM you should have access to vCenter proper and then be able to start adding users from your domain. You can use either the Web Client or the traditional vSphere Client.
When you log in with the admin@System-Domain you are logging into SSO only, not vCenter.
I've now worked out what I was doing, and to be honest I was being an idiot! Ha ha ha, must have something to do with it being Friday.
Cheers for your help.
P.S. What's with the Alex Ferguson picture?