Labcoat
Enthusiast

Can SSO just use the local OS users and not AD?

We are small: 3 hosts with approx 40 VMs.  I only need one server to do all my vCenter stuff, and that's how I've operated through 4.1.

I plan on doing a simple install when upgrading to 5.1.  I would rather _not_ deal with Single Sign-On discovering, adding and depending on my Active Directory if I can help it.  From reading the vSphere ESXi vCenter Server 5.1 Upgrade Guide, around pages 30-31, it appears I can indeed just use SSO with local users, and not need it to discover AD at all.  Then again, it isn't exactly clear to me.

Here's what it says:

Page 30-31

How vCenter Single Sign-On Affects vCenter Server Upgrades:

When you upgrade to vCenter Server 5.1, the upgrade process installs vCenter Single Sign-On first and then upgrades vCenter Server....

In vCenter Server 5.1, if vCenter Single Sign-On is ... on a machine that is joined to an Active Directory domain, Single Sign-On will automatically discover the existing Active Directory domain and add it as an identity source during the Single Sign-On installation process. If Single Sign-On is not running on a virtual machine or physical machine that is in the same domain as Active Directory, you must use the vSphere Web Client to log in to vCenter Server and add the Active Directory domain to Single Sign-On.

If you install vCenter Single Sign-On and vCenter Server on the same physical machine or virtual machine, Single Sign-On recognizes existing local operating system users. After the upgrade, you can log in to vCenter Server with a registered local operating system user ID.

In vCenter Server 5.1, the term "local operating system users" refers to those local users in the Single Sign-On host machine instead of the vCenter Server host machine or virtual machine. After the upgrade, if no super administrator remains (the administrative user or group for the root folder), you must provide a valid user or group to be used as super administrator during installation.

So I can just be logged-in local admin on my vCenter Server, install SSO, then the rest, and be done?  No need to attach AD?

PS: my current 4.1 vCenter Server is indeed a member of our AD (Windows Server 2008), but this is mainly just to do WSUS and such.  I do not require AD otherwise.


Accepted Solutions
admin
Immortal

tl;dr: Yes, your guess is correct: local users work with SSO, and there is no need for AD users.

long version:

I would still install it as a domain user; if the auto discovery fails, don't bother about it. As long as you use Simple Install (I would rather advise you to install the components one after another) or install SSO in Basic Mode, you will be able to use your local users.

If you ever decide to need AD users they can always be added at any later stage.

If installing SSO without using Simple Install, be sure to install in Basic Mode, as Multisite and HA Mode do not support local system users.
