VMware Cloud Community
GSS33
Contributor

SSO domain .local bad practice?

Hi

When deploying vCenter 5.5 SSO (or 6.0 PSC), the default for the SSO details is Administrator@vsphere.local.

Is "vsphere.local" a bad practice, or is this the default? I ask as it just reminds me of the .local domain and I don't want to get in that trap again. Should the domain be the AD FQDN?

Thanks!

0 Kudos
3 Replies
Anjani_Kumar
Commander

Well, the answer is NO. The SSO 5.5 administrator username cannot be changed from administrator@vsphere.local to another user name. You can, however, create a separate administrator user for this purpose.

Here is the best practice and FAQ for SSO: VMware KB: VMware vCenter Single Sign-On Server 5.5 FAQs

Please consider marking this answer "correct" or "helpful" if you found it useful. Anjani Kumar | VMware vExpert 2014-2015-2016 | Infrastructure Specialist Twitter : @anjaniyadav85 Website : http://www.Vmwareminds.com
0 Kudos
avn17
Contributor

Domain "vsphere.local" is the default domain in vSphere 5.5 and earlier. You cannot create another domain in vSphere 5.x.

However, PSC vSphere 6 supports your own domain name, so you can use your corporate name.

0 Kudos
npadmani
Virtuoso

admin@System-Domain - vSphere 5.1 SSO admin account with Domain name

administrator@vsphere.local - vSphere 5.5 SSO admin account name with Domain vSphere.local (not changeable)

administrator@vsphere.local - vSphere 6.0 SSO admin account name with default domain vSphere.local (changeable during deployment of PSC)


Since vSphere 5.5, SSO has created its own LDAP database to keep user/group account info etc. You will be using this default SSO admin account to do the initial administration of SSO, like adding more identity sources (AD/OpenLDAP), and if you wish you can delegate SSO admin privileges to other accounts too. All you have to do is make those additional accounts members of a group called Administrators within your SSO users/groups section.


I wouldn't say using the default domain name vSphere.local is bad practice; it's just that if you wanted to customise the name, you weren't able to do it in version 5.5, but in the latest version we have a bit more control. Setting the password of the SSO admin as complex as possible would be the only advice, as that account has full control of your VC inventory by default, but access and authentication can be modified quite easily by creating roles as per your requirements and assigning permissions accordingly.

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified
0 Kudos