The new vCenter SSO (Single Sign-On) in vSphere 5.1 supports multiple Identity Sources (Active Directory, OpenLDAP and Local OS), and all of these can be managed using the vSphere Web Client. Here is some additional documentation as well as a video on managing Identity Sources using the vSphere Web Client.
However, if you wish to manage Identity Sources from the command-line for automated deployments, you probably do not want to use the GUI. Luckily, there is a vCenter SSO CLI that you can use on both a Windows deployment and on the VCSA (vCenter Server Appliance).
In the examples below, I will show you how to add an Active Directory Identity Source to both a Windows deployment and a VCSA deployment using the command-line.
Adding Active Directory Identity Source to Windows vCenter SSO Server
Before getting started, you will need to know the vCenter SSO Administrator password. This is the password that you configured during the installation of vCenter SSO for the admin@System-Domain account.
Step 1: Change into the C:\Program Files\VMware\Infrastructure\SSOServer\utils directory; you will be using the rsautil command-line tool. To get a list of help options for managing Identity Sources, run the following command:
rsautil manage-identity-sources
Step 2: Run the following command (substitute the values for your own environment):
rsautil manage-identity-sources -a create -u admin -p !VMware123! -r ldap://fullerene.primp-industries.com --ldap-port 3268 -d primp-industries.com -l PRIMP-IND --principal-base-dn DC=primp-industries,DC=com --group-base-dn DC=primp-industries,DC=com -f "" -L *protected email*
Note: When you log in to the vSphere Web Client, the username for the vCenter SSO account is "admin@system-domain", but for the CLI it is just "admin". If you do not have a failover LDAP server, specify "" for the -f flag.
Here is a screenshot of adding the Active Directory Identity Source:
Step 3: You can also confirm the configurations by performing the "list" operation by running the following command:
rsautil manage-identity-sources -a list -u admin -p !VMware123!
Adding Active Directory Identity Source to VCSA
For the VCSA, there are a few additional steps, as the vCenter SSO Administrator account "admin" does not have a default password, as noted in this article. You can either follow the instructions in that article to set a password for the "admin" user and then jump to Step 3, OR you can perform all required steps using the command-line.
Step 1: We first need to set the vCenter SSO Master Password, as it is required to change the "admin" user account. Since the vCenter SSO Master Password is auto-generated during installation, we will use the recovery account, which then allows us to set a Master Password of our own choosing. Run the following two commands; in the second command, you specify the vCenter SSO Master Password of your choice.
source /etc/vmware-sso/keys/recovery.cfg
/usr/lib/vmware-sso/utils/ssowrench manage-secrets -a change -u "$SSO_RECOVERY_USERNAME" -p "$SSO_RECOVERY_PASSWORD" -N vmware123
Note: Do not forget the vCenter SSO Master Password that you have selected, as there is no way to recover the account after this.
Step 2: Now that we have the vCenter SSO Master Password, we can set a password for the "admin" user. Run the following command and specify the Master Password (-m flag) as well as a new password (-p flag) for the admin (-u flag) user.
/usr/lib/vmware-sso/utils/ssowrench reset-admin-password -u admin -p '!VMware123!' -m vmware123
Step 3: Once we have a password set for the "admin" user, we will be using the same vCenter SSO CLI utility as we did in the Windows vCenter Server deployment, but in the VCSA it is called ssowrench and it is located under /usr/lib/vmware-sso/utils.
Run the following command, which accepts the same set of options as the Windows version (substitute the values for your own environment).
/usr/lib/vmware-sso/utils/ssowrench manage-identity-sources -a create -u admin -p '!VMware123!' -r "ldap://fullerene.primp-industries.com" --ldap-port 3268 -d primp-industries.com -l PRIMP-IND --principal-base-dn "DC=primp-industries,DC=com" --group-base-dn "DC=primp-industries,DC=com" -f "" -L *protected email*
Here is a screenshot of adding the Active Directory Identity Source:
Step 4: To view all Identity Sources, you can run the following command (as seen in the screenshot above):
/usr/lib/vmware-sso/utils/ssowrench manage-identity-sources -a list -u admin -p '!VMware123!'
Note: If you do not wish to specify any of the credentials on the command-line, the utility in both Windows and VCSA will automatically prompt for input.
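As an added example (not code from the post or from VMware), here is a small Python helper that assembles the same manage-identity-sources command for either platform from the domain name, and leaves the SSO admin password off the command line so the tool prompts for it as noted above. It assumes that -L takes the LDAP bind account, since that value is redacted in the post.

```python
"""Assemble 'manage-identity-sources' commands for the vCenter SSO CLI.

Added example, not code from the post or from VMware. It builds the same
argument vector the post types by hand, for either platform, and keeps the
SSO admin password off the command line unless explicitly supplied.
Assumption: -L takes the LDAP bind account (the value is redacted in the post).
"""
import subprocess

# Tool locations as given in the post; both builds accept the same options.
TOOLS = {
    "windows": r"C:\Program Files\VMware\Infrastructure\SSOServer\utils\rsautil",
    "vcsa": "/usr/lib/vmware-sso/utils/ssowrench",
}


def domain_to_base_dn(domain):
    """Turn 'primp-industries.com' into 'DC=primp-industries,DC=com'."""
    labels = [p for p in domain.strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + label for label in labels)


def is_cleartext(url):
    """True for ldap:// (a simple bind then sends the bind password unencrypted)."""
    return url.lower().startswith("ldap://")


def build_create_args(platform, domain, primary_host, alias, bind_user,
                      failover_host=None, ldaps=False, port=None,
                      sso_admin_password=None):
    """argv for '-a create'; -p is omitted unless given, so the tool prompts for it."""
    scheme = "ldaps" if ldaps else "ldap"
    if port is None:
        port = 3269 if ldaps else 3268  # Global Catalog ports (3268 is used in the post)
    base_dn = domain_to_base_dn(domain)
    creds = ["-u", "admin"]
    if sso_admin_password is not None:
        creds += ["-p", sso_admin_password]  # one argv element: no shell quoting of '!' needed
    return [TOOLS[platform], "manage-identity-sources", "-a", "create", *creds,
            "-r", f"{scheme}://{primary_host}", "--ldap-port", str(port),
            "-d", domain, "-l", alias,
            "--principal-base-dn", base_dn, "--group-base-dn", base_dn,
            "-f", f"{scheme}://{failover_host}" if failover_host else "",
            "-L", bind_user]


def build_list_args(platform):
    """argv for '-a list' (Step 3 on Windows, Step 4 on the VCSA)."""
    return [TOOLS[platform], "manage-identity-sources", "-a", "list", "-u", "admin"]


def run(argv):
    """Execute without a shell; the tool prompts on the terminal for omitted credentials."""
    return subprocess.run(argv, check=True).returncode
```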
Loren says
Awesome! This is exactly what I was looking for! I used the information in several of your posts and my own research and testing to cobble together a script that configures the VCSA exactly the way I want, including CA-signed certs. I couldn't configure the AD identity source because I couldn't figure out how to set the password for the admin user. Tomorrow I'll add this. Script is posted to the VMware Community thread discussing how to change certs on the VCSA and Windows versions of the services.
http://communities.vmware.com/message/2124455#2124455
Cheers,
-Loren
Loren says
Working like a charm. I updated the script I posted to the community thread.
How about a command line method to set the AD domain as a default domain in the identity source configuration? And not to be greedy, but perhaps a way of adding an AD group as an SSO administrator... 🙂
Thanks again!
-Loren
Anonymous says
Seriously!
Anonymous says
Thanks for this post, I frequently find your blog helpful. Maybe something in my install went wrong, but I don't have any of the SSO management tools that I should have in the Web Client. I used the command line you referenced to add my active directory domain to the SSO configuration. Now I am able to give my AD users permissions to VC. This "feature" of VC 5.1 has been nothing but an annoyance to me so far. I hope others find 5.1 easier to use.
Anonymous says
Is there a way to reset the master password on an already deployed SSO server?
Anonymous says
The Master password is lost.
Anonymous says
You can set the passwords using the following commands:
vCenter Single Sign On Master Password:
\utils\rsautil.cmd manage-secrets -a change -m <current_master_password> -N <new_master_password>
vCenter Single Sign On Administrator password:
\utils\rsautil.cmd reset-admin-password -m <master_password> -u <admin_user> -p <new_admin_password>
Francesco says
One can *change* the master password if he knows the current one. THERE IS NO DOCUMENTED WAY TO RECOVER OR RESET THE FORGOTTEN MASTER PASSWORD. The posted solutions on the Internet are referring to the admin@system-domain password reset. Nothing to do with the master password.
Seth says
Everyone loves it when people get together and share thoughts.
Great blog, keep it up!
Ross says
Hi
Firstly, this post is excellent, thank you for sharing this information in such a clear and concise way - it has helped me out massively.
Secondly, I have a very similar issue whereby I have changed the IP addresses of my 2 LDAP AD domain controllers and now I cannot log in to vSphere using SSO. This post has led me to realise that it is because my VCSA SSO is configured to use the old IP addresses for LDAP. Since the addresses have already been changed I can no longer log in to the GUI to update this.
Therefore I need to update my existing identity sources to the new IP addresses, from the VCSA command line. Both my primary URL and failover URL need to be updated with the new IPs as so: Primary URL: ldap://10.x.x.x:3268 Failover URL: ldap://10.x.x.x:3268
Is it possible to update these existing values from CLI instead of creating a brand new identity source?
Thanks
Ross.
Badri says
I am looking for similar info for 6.0. Are there any plans..?
Vincent says
Great post! Quick question: we set up our VCSA (6) in an old/test Active Directory domain and then moved it to our new domain; we still have the old/first/original SSO Identity Source listed in Single Sign-On -> Configuration, and I can't delete it - the option is greyed out. Any suggestion on how I can remove this? Thank you.
William Lam says
You'll probably need to un-join from that domain. You should be able to do so from the CLI using domainjoin-cli, and that should hopefully clear the configuration.
jfordbos says
I'm in the same boat as Vincent. Have basically a 'ghosted' domain's identity source listed. Can't 'edit' OR 'delete'. Was joined to the domain, so I removed it per Wilson's comment but unfortunately the ghosted identity source is still there. Is there a cmd line approach to 'forcibly' (lack of a better word) remove an identity source from a given SSO's config? I'm running VCSA 6.0 U1 embedded (lab, not prod of course---that's why I'm posting here, ha). Anyway, when I attempt to add that domain as an identity source (with Mr. Ghost hanging around) I can't.
Another possibility (since I don't exactly have a ton vested in the lab domain itself) would be to rename the domain and then just add THAT as a new identity source. But I'd still like to know how I could 'forcibly' remove what is in essence an invalid/'corrupt' identity source entry. Thoughts?
Frank Marroquin says
How do I do this for the 6.5 VCSA?
Leonid says
Hi,
Is there any utility to replace this in vCenter 6.5/6.7? In the new editions, the rsautil does not exist.