Adding AD authentication to VMware SSO 5.1

With the release of VMware vCenter Server 5.1 an important new component has been released: the VMware Single Sign-On (SSO) server. It is one of the components of vCenter Server and is a requirement for installation. Through the SSO server a user now gets authenticated and receives a token that authenticates the user with other vCenter components without having to Sign-On again.

Some users ran into minor issues when installing SSO. The most common one is “Error 29115 Cannot authenticate to DB”. The error I encountered myself was “Error 29155 Identity source discovery error”. According to KB 2034374 this is caused by a failed attempt to automatically discover an Active Directory domain. You can click OK on this error and continue the installation. Before installing the vCenter Server component it is advised to manually add Active Directory authentication to SSO.

Take the following steps:

  • Log in to the vSphere Web Client: https://<ip address>:9443/vsphere-client using the basic SSO account. For a Windows install of SSO this is the user “admin@System-Domain” and for the vCenter Server Virtual Appliance it is “root@System-Domain”. The password is the one you entered during installation of SSO.
  • Go to the section Administration – Sign-On Discovery. In the middle of the screen you’ll now see the identity sources that are already present.

  • To add Active Directory if this was not already present, click the red plus sign in the middle upper menu bar.
  • In the pop-up window select “Active Directory” and fill out the form.

For my home lab environment the domain name is “vanzanten.local”, and the primary and secondary URL point to my two domain controllers. The Base DN users is the OU where the default users reside, which in my case is the same as the Base DN groups. Domain name is the FQDN and domain alias is the NetBIOS name of your Active Directory domain. The last section is the user account that will be used to query the AD. Since it is just a home lab I use my administrator account for this. Press “Test Connection” to make sure your connection details are valid.

Still under investigation: in my test, entering different values for the Group and User Base DN does not seem to work correctly. It may be an interface error or a bug, but when I use two different values, save, and then edit the identity source again, both values are identical.

After you have a successful connection, click OK and you’ll see your newly created Identity Source. Next, add the new identity source to the default domains by clicking “Add to default domains” in the top bar. Your identity source will now show in the lower part of the screen. Move it to the first position in the list using the arrows and DON’T forget to press SAVE.
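To check the same form fields (primary/secondary URL, Base DN users, Base DN groups, query account) against AD before typing them into the web client, here is an added PowerShell example; it is not part of the original post or of VMware’s tooling, and the DC hostnames, OU paths and account it uses are placeholders for the vanzanten.local home lab. It binds to each DC and Base DN with the supplied account using the .NET System.DirectoryServices classes, so it only needs read access, which is also all the SSO query account should have.

```powershell
# Added example (not from the original post): pre-validate the SSO identity
# source fields against AD. Hostnames, OUs and the account are placeholders.
Add-Type -AssemblyName System.DirectoryServices

$IdentitySource = @{
    PrimaryUrl   = 'ldap://dc01.vanzanten.local:389'   # placeholder DC
    SecondaryUrl = 'ldap://dc02.vanzanten.local:389'   # placeholder DC
    BaseDnUsers  = 'OU=Users,DC=vanzanten,DC=local'    # placeholder OU
    BaseDnGroups = 'OU=Groups,DC=vanzanten,DC=local'   # placeholder OU
    DomainName   = 'vanzanten.local'
    DomainAlias  = 'VANZANTEN'                          # NetBIOS name
}
# Prefer a dedicated read-only query account over a domain admin account.
$Cred = Get-Credential -Message 'Account SSO will use to query AD'

function Test-SsoIdentitySource {
    param([hashtable]$Source, [pscredential]$Credential)
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    $results = @()
    foreach ($url in @($Source.PrimaryUrl, $Source.SecondaryUrl)) {
        $server = ([uri]$url).Authority   # "host:port" part of ldap://host:port
        foreach ($dn in @($Source.BaseDnUsers, $Source.BaseDnGroups)) {
            $path = "LDAP://$server/$dn"
            try {
                $entry = New-Object System.DirectoryServices.DirectoryEntry($path, $user, $pass)
                $null = $entry.NativeObject   # forces the bind; throws if DN or credentials are bad
                $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
                $searcher.Filter = '(|(objectClass=user)(objectClass=group))'
                $searcher.SizeLimit = 1
                $found = ($null -ne $searcher.FindOne())
                $results += [pscustomobject]@{ Server = $server; BaseDN = $dn; Bind = 'OK'; HasObjects = $found }
            } catch {
                $results += [pscustomobject]@{ Server = $server; BaseDN = $dn; Bind = "FAIL: $($_.Exception.Message)"; HasObjects = $false }
            }
        }
    }
    return $results
}

$report = Test-SsoIdentitySource -Source $IdentitySource -Credential $Cred
$report | Format-Table -AutoSize
if ($IdentitySource.BaseDnUsers -eq $IdentitySource.BaseDnGroups) {
    Write-Warning 'Users and Groups Base DN are identical; the post notes SSO 5.1 may store differing values as one anyway.'
}
```

A row with Bind = OK but HasObjects = False means the DN exists but holds no users or groups, which usually points at the wrong OU rather than at the account.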