We have installed the new vCenter 5.50b, which claims to be compatible with vCAC 6.
Now, when we install vCAC, the "Default Tenant" gives an error. We create a new tenant and it works correctly.
Is this ok?
Is this expected using vCAC with the new vCenter SSO?
Thanks a lot.
Not at all. The installation finished without an error.
But when I try to configure the "Default Tenant" it gives me an error and then I cannot configure the AD nor add users to the tenant. I've attached 3 screenshots to show you.
Despite that, I could configure a new tenant without problem and configure the AD with the same parameters. Works great, but you need to write a longer URL (https://vcac.domain.net/org/tenant).
This happened only if we use the Single Sign On from the new release of vCenter, which claims to be compatible with vCAC 6.
From what I know, the default tenant shouldn't actually be configured from vCAC. Its only role is to act as "Tenant Zero" that can initially configure the system, and not used by actual users other than the admin.
The "vCAC 6.0 Installation and Configuration Beta v7.pdf" file, on page 39, says: "After installation, you must configure the default tenant or create additional tenants (if you want to use a multi-tenant environment)" and then adds: "The system administrator can then configure the default tenant or create additional tenants".
When you use the SSO Virtual Appliance that came with vCAC, this works ok. But using the SSO from the new vCenter you cannot configure the default tenant. Maybe this is ok, but it shows some error screens (attached in the previous message).
As I said before, configuring a new tenant works just fine.
I am having this same issue using the 5.50b SSO. My understanding is that the default tenant is used for hardware reservations / group creation that is then available to all tenants.
I cannot register an AD identity store to assign rights to a Tenant Admin or IaaS Admin to configure the resources within vCAC. The administrator role is very limited by default. AFAIK there is no superuser account to override this. So has this functionality now changed or is there an SSL cert that is missing that the vCAC Appliance needs?
First a couple questions: did you do a completely new install of vCAC when you switched to using the vCenter 5.5b SSO? Or did you use an existing install and change the SSO it was registered with? Was SSO already configured in vCenter before you upgraded it and then attached to vCAC?
Then a few comments:
1) You definitely SHOULD be able to configure the default tenant with an ID store and use it for regular use. This is actually preferable if you don't have a need for multiple tenants. You will get some benefit using the default tenant, such as native AD integration via SSO, which you don't achieve with added tenants.
2) Tenant and ID store data is actually saved in SSO, so I'm not sure if any updates are needed to an existing upgraded SSO instance post-upgrade; will check on that.
Good examples of the 3 possible tenant configurations your vCAC deployment might adopt are outlined in the System Administration guide starting on page 21. I think you'll see this repeated in one or more of the other guides as well. If you have support I'd suggest opening up a case or seeing if you can get a field case opened by your sales team.
Hey, here are some answers to the questions you have asked:
I've opened a ticket with VMware about this so if I find anything out today, I'll let you know on this thread.
Has anyone made it past this issue? I am working on an install now and it seems like we have also run into this issue. Following the install guides and various posts to the letter and still see this issue.
It basically won't work until SP1. It's to do with your vCenter SSO and the fact it is using integrated auth as well. If you look in the vCAC logs you will be able to see an access denied error or something along the lines.
This guy hits the nail on the head: UPDATE: vCenter 5.50b SSO and ID Store with Native AD not working
Sources are saying that it should work with a new tenant.. it didn't for me so I just reverted back to using the Identity appliance. It's a pain, but I guess all we can do is wait.