VMware Cloud Community
cef2lion
Contributor

Vcenter 5.0 to 5.1 upgrade issue

I did a 5.1 upgrade on a VM running Vcenter 5.0. The SQL 2008 database resides on another VM. This is a test data center.

I ran the checker and it came back fine. Vcenter and SSO installed on same VM.

I installed SSO Basic. I ran the scripts before to create the database and users. Install went ok with no errors.

I upgraded the Web Client but didn't check to see if my domain account still worked as an admin.

I upgraded the inventory service without error.

I upgraded Vcenter without errors.

I upgraded my VI Client to 5.1.

I can't access Vcenter with the VI Client. I get an authentication error using my domain account. I tried the admin@System-Domain account. It says that account doesn't have permission.

I can login via the Web client using the admin@System-Domain account. I can't log into the Web Client with my domain account.

While in the Web Client it says the inventory is empty. I see none of my hosts or VMs in my test data center.


Accepted Solutions
JCMorrissey
Expert

Hi,

Have you access to any local administrator-level account on your vCenter server? Might be able to use that account.

Please consider marking as "helpful", if you find this post useful. Thanks!... http://johncmorrissey.wordpress.com/

8 Replies
JCMorrissey
Expert

Hi,

Have you tried adding your domain to the default domains of the SSO? Just login to the webclient with admin@System-Domain and you should be able to edit these settings under Administration.

Also check under Administration | Sign-On and Discovery | Configuration - have you got an Identity source set?

Should add one if not:

Server URL: ldap://<domain controller>
Type: Active Directory
Domain: your AD domain
Alias: your AD NetBIOS name

Many tx

cef2lion
Contributor

I added my domain that my AD account is in. It's actually a subdomain under our root domain. I added both domains and the connections tested OK.

The upgrade guide said install of SSO would create the identity sources unless there is an error on install. I had two identity sources called system-domain and VCENTER2. I can't edit them to view properties.

I can now log into the Web Client with my AD account.

I still can't log into the VI client with any username. My AD account login says not permitted.

While in the Web client I still see no inventory.

JCMorrissey
Expert

So do you see even the vCenter server listed when you log on via the Web Client? Permissions maybe (though unlikely).

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=203320...

For the vSphere Client, are you ticking the "use windows credentials" box? If so, you might run into issues with SSO.

Try the following:

1. Login to SSO, via web client, using admin@system-domain user.
2. Under Administration > Sign-On and Discovery > Configuration > Edit the Identity source for the Domain.
3. Change your Primary Server URL for your domain from secure LDAP to Standard by changing the URL and port number.

Before:

Secure Global Catalog address: ldaps://<global_server>:3269

After:
Global Catalog address: ldap://<global_server>:3268

regards

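An added example, not part of the original posts: a small audit of identity-source Server URLs like the before/after pair above. It checks each URL against the standard Active Directory LDAP ports and marks `ldap://` sources, where the bind is not covered by TLS, so they can be moved back to `ldaps://` once troubleshooting is done. The host names and the function name are constructed for illustration.

```python
from urllib.parse import urlsplit

# Standard Active Directory LDAP ports: port -> (expected scheme, description)
AD_PORTS = {
    389: ("ldap", "domain LDAP"),
    636: ("ldaps", "domain LDAP over TLS"),
    3268: ("ldap", "Global Catalog"),
    3269: ("ldaps", "Global Catalog over TLS"),
}
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def audit_identity_source(url):
    """Return a list of findings for one identity-source Server URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        return ["unsupported scheme %r" % parts.scheme]
    if not parts.hostname:
        return ["missing host"]
    try:
        port = parts.port or DEFAULT_PORT[scheme]
    except ValueError:
        return ["invalid port"]

    findings = []
    expected = AD_PORTS.get(port)
    if expected is None:
        findings.append("non-standard port %d" % port)
    elif expected[0] != scheme:
        # e.g. ldaps:// pointed at 3268: the TLS handshake meets a plain listener
        findings.append("scheme %s does not match port %d (%s)"
                        % (scheme, port, expected[1]))
    if scheme == "ldap":
        # Assumption: the source binds with a user name and password (simple bind)
        findings.append("cleartext: bind credentials are not protected by TLS")
    return findings


# Constructed sample URLs modelled on the before/after settings in the thread
SAMPLES = [
    "ldaps://gc.example.test:3269",
    "ldap://gc.example.test:3268",
    "ldaps://gc.example.test:3268",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", audit_identity_source(url) or "ok")
```
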
cef2lion
Contributor

I don't see Vcenter server listed in the Web Client, with my AD account or the SSO account. I'm thinking my AD account permissions didn't carry over. I'm not sure what account I can use to correct the issue if that's what I need to do.

Right now my identity is using ldap and not ldaps.

JCMorrissey
Expert

Hi,

Have you access to any local administrator-level account on your vCenter server? Might be able to use that account.

cef2lion
Contributor

I was able to login with the Vcenter local Windows admin account and add my AD account as an admin. I'm able to log into the VI client now with my AD account and see the inventory.

Question on the identity sources for AD. What is a best practice for setting this up to an AD? Just to get things working I used the admin account to test and config the source. I assume you need to use some account but I don't want to use that admin account as the password changes. 

JCMorrissey
Expert

Hi,

Not a best-practices article per se, but a very useful guide:

http://www.virtuallyghetto.com/2012/10/how-to-addremove-vcenter-sso-identity.html?m=1

cef2lion
Contributor

I think things are in order with the upgrade. I'm just wondering how to avoid this when I upgrade our production data center. It appears the SSO install didn't set up the identity sources and hence our AD permissions were not carried over. I know how to get around it but it would be nice to have a smooth upgrade without this issue.
