11 Replies Latest reply on Sep 5, 2018 4:21 AM by Beata

    Can I change the default vsphere.local domain for SSO post-installation?

    henry857 Novice

      I made an oopsie in my lab. My Windows domain is also vsphere.local. I think this is why I can't add my AD as an identity source.

      What is the quickest way to clean this up?

        • 1. Re: Can I change the default vsphere.local domain for SSO post-installation?
          Abhilashhb Virtuoso
          VMware Employees, vExpert

          What error does it throw when you try adding AD authentication? You cannot change the SSO domain. It will always be vsphere.local.

          ------------------------------------------------------------------------------------------------------------------------------------
          If you find this or any other answer useful please mark the answer as correct or helpful.
          Abhilash HB
          | Blog : http://vpirate.in | Twitter : @abhilashhb |

          • 2. Re: Can I change the default vsphere.local domain for SSO post-installation?
            henry857 Novice

            I go to Administration --> Configuration --> Identity Sources --> +

            I then select the AD integrated Windows authentication radio button, put in vsphere.local as my Windows domain, then keep the 'use machine account' radio button selected. I receive the message that is attached below.

            [attached image: 10-27-2013 1-54-43 AM.jpg]

            • 3. Re: Can I change the default vsphere.local domain for SSO post-installation?
              Abhilashhb Virtuoso
              vExpert, VMware Employees

              I think you have to change the domain name (rebuild/change the AD domain name) if you want to add AD authentication. AFAIK you cannot change the SSO domain, i.e. vsphere.local.


              • 4. Re: Can I change the default vsphere.local domain for SSO post-installation?
                schepp Virtuoso
                vExpert, User Moderators

                Hi,

                as abhilashhb said, you can't change the default SSO domain. You will have to change your Windows domain name.

                There are some articles in the MS Technet on how to do it. For example this: http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx

                Regards

                • 5. Re: Can I change the default vsphere.local domain for SSO post-installation?
                  Zulu_Zeffir Lurker

                  I know this post is dated, but this is not your problem from my understanding. Take a look at the link below; it states clearly that the vsphere.local domain is used internally only by the SSO server.

                  https://communities.vmware.com/message/2290905

                  • 6. Re: Can I change the default vsphere.local domain for SSO post-installation?
                    henry857 Novice

                    Zulu,

                    You're correct. vsphere.local is only used by SSO internally, meaning vsphere.local should not conflict with anything external to itself. But in my situation, the conflict is happening internally within SSO. It seems to me that SSO treats all domains equally, hence why I cannot add a vsphere.local Windows domain. This was not my first 5.5 build and I never ran across this error. I may troubleshoot further to confirm/correct this, but it's not on my radar.

                    • 7. Re: Can I change the default vsphere.local domain for SSO post-installation?
                      Zulu_Zeffir Lurker

                      I understand now. I suppose, depending on how many Windows machines you have, it would probably be much simpler to migrate to a different AD domain than to try to understand the inner workings of the SSO server.

                      • 8. Re: Can I change the default vsphere.local domain for SSO post-installation?
                        ian fletcher Novice

                        Hi Henry857,

                        I stumbled on this post while looking at the impact of the new vSphere 6 option that allows you to change the built-in SSO domain of vsphere.local, and noticed that your post hadn't been flagged as answered.

                        I think the issue (as you probably worked out a long time ago) is that, while the SSO vsphere.local doesn't have any AD dependencies, it makes sense that you can't add another domain to SSO in order to authenticate users when SSO already has a domain of the same name. This would also be the case with two different Windows domains that happened to have the same name.

                        It's a case of which AD SSO would pass the username / password to in order to authenticate. So in your case, if SSO had allowed you to add a Windows domain of vsphere.local, when you enter administrator@vsphere.local which domain should SSO authenticate the credentials against?

                        Hope that makes sense.

                        • 9. Re: Can I change the default vsphere.local domain for SSO post-installation?
                          sarikrizvi Enthusiast

                          vSphere Domain Names

                          1. Each Platform Services Controller is associated with a vCenter Single Sign-On domain.

                          2. The domain name is used by the VMware Directory Service (vmdir) for all Lightweight Directory Access Protocol (LDAP) internal structuring.

                          3. Default domain name: vsphere.local for all vSphere versions.

                              Condition I -

                                         a. Your vSphere domain name is vsphere.local up to vSphere 5.5 and you don't have the option to change it.
                                         b. If you are upgrading from vSphere 5.5 to 6.x, your vSphere domain name remains the same (vsphere.local) and you don't have the option to change it.

                              Condition II -

                                         a. When you install a Platform Services Controller, you are prompted to create a vCenter Single Sign-On domain or join an existing domain.

                                         b. With vSphere 6.0 and later, you can give your vSphere domain a unique name (you can now change the domain name in a fresh/new installation).
                                              [attached image: 6-vCSA-Install-Set-SSO-information.png]

                                        Note: To prevent authentication conflicts, use a name that is not used by OpenLDAP, Microsoft Active Directory, or other directory services.

                                        You cannot change the vSphere domain to which a Platform Services Controller or vCenter Server instance already belongs.

                          SSO Sites

                          1. You can organize SSO domains into logical sites.
                          2. A site in the VMware Directory Service is a logical container for grouping PSC instances within a vCenter Single Sign-On domain.
                          3. It's time to name the site where this SSO server is going to live. This is Site A, or you could give the name of the city/environment where the server lives (vSphere 5.5, 6.x).

                                                [attached image: sitea-sso-site.jpg]

                          CMDs to get info...

                          To find your SSO Domain Name:

                          /usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost

                          To find your SSO Site Name:

                          /usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost

                          To find out which PSC your vCSA is pointing to:

                          /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost

                          /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showservers -h localhost -u administrator

                          • 10. Re: Can I change the default vsphere.local domain for SSO post-installation?
                            derrellb Lurker

                            You can always deploy an external PSC and repoint your VCSA to that External PSC.  You will have to create a new name for the domain though.  So your VM environment will be "New-Name.local", and the Windows domain can remain the same.

                            • 11. Re: Can I change the default vsphere.local domain for SSO post-installation?
                              Beata Novice
                              VMware Employees

                              derrellb Actually, in vSphere 6.0 and 6.5 you can't repoint vCenter Server to a PSC that has been deployed in a different SSO domain.

                              Cross-SSO-domain repointing is only supported with Platform Services Controller 6.7 and vCenter Server 6.7 (and in 5.5 as well).

                              Repoint vCenter Server to External Platform Services Controller in a Different Domain