SRM Authentication

Hi All,

I am planning to implement SRM 5.1 in vSphere 5.1 and have a small doubt about authentication for all the components involved here; I already have AD in the environment.

We need authentication at multiple levels:

vCenter service, vCenter DB

SRM Service, SRM DB

I want to know what the best practice for authentication is.

Creating a single Service Account and using it for everything: vCenter, DB, SRM, SSO, etc.?

Or how should this part be managed? I am looking for some best practice in this area, please help.


This comes down to how you are deploying your environment.

  • Are you going to have multiple vCenters with SRM?
    • Meaning different SRM Stacks (PROD Stack, CORP Stack etc etc)
    • Each Stack would have 2 vCenters?
  • How many sites will you have (Physical Data Centers)?
  • Planning to have SSO install for each vCenter?

Here is what I have done in the past (and currently) with SSO, SRM, VCENTER accounts

  • Each Datacenter gets its own Infrastructure Database Server (to host the Disaster Recovery Infrastructure)
  • Each physical Datacenter gets One SSO Server.
    • Each SSO server gets its own AD Service Account to run from
    • That account has the correct rights to its own SSO DB located to the local Database Server in that Datacenter
    • The SSO install is extremely tricky when it comes to databases; I am not going into those issues in this reply, staying on topic, but wanted to mention it
  • Each physical Datacenter gets One Web Server.
    • This server in my designs is actually hosted on the same box as SSO
    • The Web Server service uses the same SSO Service Account as the server it's installed on (since they are on the same box)
  • Each individual vCenter gets its own Service Account
    • Each vCenter DB is located on the local Database Server in the Datacenter where it's "physically sitting"
    • Each local vCenter in Datacenter authenticates to its local SSO Server for Web Client Access

Now the SRM gets a little trickier.

  • Each Stack uses the same Service Account for SRM.
  • Different SRM Stacks get different Service Accounts
    • In other words: both SRM installs on both vCenters in PROD use the same Service Account. Both SRM installs on both vCenters in CORP also share one account, but that account is different from the one used in PROD
  • Each SRM Stack's Service Account has its proper ownership to the SRM Databases

This model works well with Primary and Secondary Sites with a Disaster Recovery strategy, along with different environments at those sites, such as Production, QA, Staging, Development and Corporate.


Boston Tech Guy
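The account model in the reply above is a set of separation rules: one account per SSO server (shared only with the web client on the same box), one account per vCenter, one account per SRM stack that is never reused by another stack, and every database owned by the account of the service that uses it. The following is an added example, not code from the thread or from VMware; it encodes those rules as a check that can be run over a planned inventory before any AD accounts or database grants are created. All site, stack, account and database names are constructed for illustration.

```python
"""Validate a planned vSphere/SRM service-account layout against the
separation rules from the reply above. Added example; all names are
constructed, not taken from the thread."""
from collections import defaultdict
from copy import deepcopy

# Constructed inventory: two physical datacenters (DC1, DC2) and two SRM
# stacks (PROD, CORP), each stack having one vCenter + SRM per datacenter.
# "db" is the database this service needs ownership of (None for none).
GOOD_DESIGN = [
    {"role": "sso",     "site": "DC1", "stack": None,   "account": "svc-sso-dc1",     "db": "SSO_DC1"},
    {"role": "sso",     "site": "DC2", "stack": None,   "account": "svc-sso-dc2",     "db": "SSO_DC2"},
    {"role": "web",     "site": "DC1", "stack": None,   "account": "svc-sso-dc1",     "db": None},
    {"role": "web",     "site": "DC2", "stack": None,   "account": "svc-sso-dc2",     "db": None},
    {"role": "vcenter", "site": "DC1", "stack": "PROD", "account": "svc-vc-prod-dc1", "db": "VC_PROD_DC1"},
    {"role": "vcenter", "site": "DC2", "stack": "PROD", "account": "svc-vc-prod-dc2", "db": "VC_PROD_DC2"},
    {"role": "vcenter", "site": "DC1", "stack": "CORP", "account": "svc-vc-corp-dc1", "db": "VC_CORP_DC1"},
    {"role": "vcenter", "site": "DC2", "stack": "CORP", "account": "svc-vc-corp-dc2", "db": "VC_CORP_DC2"},
    {"role": "srm",     "site": "DC1", "stack": "PROD", "account": "svc-srm-prod",    "db": "SRM_PROD_DC1"},
    {"role": "srm",     "site": "DC2", "stack": "PROD", "account": "svc-srm-prod",    "db": "SRM_PROD_DC2"},
    {"role": "srm",     "site": "DC1", "stack": "CORP", "account": "svc-srm-corp",    "db": "SRM_CORP_DC1"},
    {"role": "srm",     "site": "DC2", "stack": "CORP", "account": "svc-srm-corp",    "db": "SRM_CORP_DC2"},
]

# Constructed record of who owns each database on the local DB servers.
GOOD_DB_OWNERS = {e["db"]: e["account"] for e in GOOD_DESIGN if e["db"]}


def check_design(entries, db_owners):
    """Return a sorted list of rule violations (empty list means the layout
    follows the per-site SSO / per-vCenter / per-SRM-stack account model)."""
    problems = set()
    consumers = defaultdict(list)          # account -> services that run under it
    for e in entries:
        consumers[e["account"]].append(e)

    for e in entries:
        others = [o for o in consumers[e["account"]] if o is not e]
        if e["role"] == "sso":
            # The only permitted co-user of an SSO account is the web client
            # hosted on the same box (same site).
            bad = [o for o in others if not (o["role"] == "web" and o["site"] == e["site"])]
            if bad:
                problems.add(f"SSO account {e['account']} at {e['site']} is shared beyond its local web server")
        elif e["role"] == "vcenter":
            if others:
                problems.add(f"vCenter account {e['account']} ({e['stack']}/{e['site']}) is shared with another service")
        elif e["role"] == "srm":
            # An SRM account may be shared only by SRM installs of the same stack.
            bad = [o for o in others if o["role"] != "srm" or o["stack"] != e["stack"]]
            if bad:
                problems.add(f"SRM account {e['account']} is used outside stack {e['stack']}")

    # Within one stack, every SRM install must use the same account.
    srm_accounts = defaultdict(set)
    for e in entries:
        if e["role"] == "srm":
            srm_accounts[e["stack"]].add(e["account"])
    for stack, accounts in srm_accounts.items():
        if len(accounts) > 1:
            problems.add(f"SRM stack {stack} uses more than one account: {sorted(accounts)}")

    # Each database must be owned by the account of the service that uses it.
    for e in entries:
        if e["db"] and db_owners.get(e["db"]) != e["account"]:
            problems.add(f"database {e['db']} is not owned by {e['account']}")

    return sorted(problems)


def broken_design():
    """Constructed counter-example: the CORP SRM install at DC2 was set up
    with the PROD SRM account, while its database is still owned by the
    CORP account. Returns (entries, db_owners)."""
    entries = deepcopy(GOOD_DESIGN)
    for e in entries:
        if e["role"] == "srm" and e["stack"] == "CORP" and e["site"] == "DC2":
            e["account"] = "svc-srm-prod"
    return entries, dict(GOOD_DB_OWNERS)


if __name__ == "__main__":
    print("good design:", check_design(GOOD_DESIGN, GOOD_DB_OWNERS) or "no violations")
    for p in check_design(*broken_design()):
        print("broken design:", p)
```

Running the module prints no violations for the planned layout and four findings for the counter-example (the PROD account leaking into the CORP stack, the CORP stack ending up with two accounts, and the mismatched database owner). The same check can be rerun after deployment by feeding it the accounts actually configured on each service and the owners actually granted on each database server.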


Thanks a lot for your help,

I still have some confusion.

I have two stack/sites Prod & DR having multiple clusters.

I am installing vCenter and SRM (with SRA) on 2 different servers. Should I create 2 AD Service Accounts (one for vCenter and one for SRM),

and can the same SA be used for their respective DB access as well?

And again, different SAs on the DR site in a similar manner?
