WilliamLam.com


vCenter Server 6.0 Tidbits Part 2: What is my SSO Domain Name & Site Name?

04.07.2015 by William Lam // 27 Comments

When deploying an Embedded vCenter Server or an external Platform Services Controller, one of the configurations you will be asked for is the vCenter Single Sign-On Domain Name and Site Name as seen in the screenshot below.

[Screenshot: installer page asking for the vCenter Single Sign-On Domain Name and Site Name]
In addition to troubleshooting, you will also need to know the SSO Domain Name and Site Name if you plan on deploying additional Platform Services Controllers for replication purposes or additional vCenter Servers. It is important to note that you do not need to know this information explicitly when deploying using the new Guided UI Installation. You just need to know the hostname/IP Address of your PSC, as the rest of the information will automatically be obtained by the tool.

The issue only arises when you are trying to perform a Scripted Installation, which is where you will need to provide both the SSO Domain Name and Site Name. Below are the instructions for retrieving this information.

First off, you will need to log in to your Platform Services Controller, whether that is on a Windows Server or the VCSA.

SSO Domain Name

You will find it in the following two configuration files:

Windows:

C:\ProgramData\VMware\vCenterServer\cfg\install-defaults\vmdir.domain-name

VCSA:

/etc/vmware/install-defaults/vmdir.domain-name

VCSA 6.0u2:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost

For more details, check out my previous blog post: vCenter Server 6.0 Tidbits Part 1: What install & deployment parameters did I use?

SSO Site Name

First, you will need to identify where your Lookup Service is running, which is on your PSC or your Embedded VC instance. What we are ultimately looking for is the Lookup Service URL, in the format https://[SERVER]/lookupservice/sdk. If for whatever reason you do not know where your PSC is, you can log in to your vCenter Server and find the Lookup Service URL by running the following command:

Windows:

"C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-ls-location --server-name localhost

VCSA:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost

Once we have the Lookup Service URL, we can then find the SSO Site Name by running the following command:

Windows:

"C:\Program Files\VMware\vCenter Server\python\python.exe" "C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\lstool.py" get-site-id --url https://vcenter60-6.primp-industries.com/lookupservice/sdk

VCSA:

/usr/lib/vmidentity/tools/scripts/lstool.py get-site-id --url https://vcenter60-6.primp-industries.com/lookupservice/sdk 2> /dev/null

VCSA 6.0u2:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost

As you can see, the process to find the SSO Site Name is not really intuitive, but I know Engineering is aware of this and has plans to simplify this in the future.
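The VCSA lookups above, combined into one script as an added example that is not from the original post: it tries the 6.0u2 `vmafd-cli` calls first, falls back to the install-defaults file and `lstool.py`, and checks the Lookup Service URL form before passing it on. The override variables, the `same_domain` check (the comments below report problems when the SSO domain reuses the AD domain name), the host character check and the `sso-params.sh` file name are assumptions.

```shell
#!/bin/sh
# Added example: paths are the VCSA ones quoted in the post. The variables are
# hypothetical overrides so the functions can be pointed at other locations.
VMAFD_CLI="${VMAFD_CLI:-/usr/lib/vmware-vmafd/bin/vmafd-cli}"
LSTOOL="${LSTOOL:-/usr/lib/vmidentity/tools/scripts/lstool.py}"
DOMAIN_FILE="${DOMAIN_FILE:-/etc/vmware/install-defaults/vmdir.domain-name}"

# SSO Domain Name: try vmafd-cli (6.0u2), else read the install-defaults file.
sso_domain_name() {
    out=$("$VMAFD_CLI" get-domain-name --server-name localhost 2>/dev/null) \
        && [ -n "$out" ] || out=$(cat "$DOMAIN_FILE" 2>/dev/null) || return 1
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Lookup Service URL: accept only https://[SERVER]/lookupservice/sdk, where
# SERVER is a hostname or IPv4 address with an optional port (assumption).
ls_url() {
    url=$("$VMAFD_CLI" get-ls-location --server-name localhost 2>/dev/null) || return 1
    case "$url" in https://?*/lookupservice/sdk) ;; *) return 1 ;; esac
    host=${url#https://}; host=${host%/lookupservice/sdk}
    case "$host" in *[!A-Za-z0-9.:-]*) return 1 ;; esac
    printf '%s\n' "$url"
}

# SSO Site Name: try vmafd-cli get-site-name (6.0u2), else lstool.py get-site-id.
sso_site_name() {
    out=$("$VMAFD_CLI" get-site-name --server-name localhost 2>/dev/null) \
        && [ -n "$out" ] && { printf '%s\n' "$out"; return 0; }
    url=$(ls_url) || return 1
    out=$("$LSTOOL" get-site-id --url "$url" 2>/dev/null) || return 1
    [ -n "$out" ] && printf '%s\n' "$out"
}

# True when two domain names are equal ignoring case (SSO vs. AD name clash).
same_domain() {
    [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = \
      "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" ]
}

main() {  # optional $1: the AD domain name to compare against
    domain=$(sso_domain_name) || { echo "SSO domain name not found" >&2; return 1; }
    site=$(sso_site_name) || { echo "SSO site name not found" >&2; return 1; }
    printf 'sso_domain_name=%s\nsso_site_name=%s\n' "$domain" "$site"
    if [ -n "${1:-}" ] && same_domain "$domain" "$1"; then
        echo "warning: SSO domain matches AD domain '$1'" >&2
    fi
}

# Runs only when saved and executed as sso-params.sh (hypothetical file name).
case "${0##*/}" in sso-params.sh) main "$@" ;; esac
```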

  • vCenter Server 6.0 Tidbits Part 1: What install & deployment parameters did I use?
  • vCenter Server 6.0 Tidbits Part 2: What is my SSO Domain Name & Site Name?
  • vCenter Server 6.0 Tidbits Part 3: Finding all deployed Platform Services Controller
  • vCenter Server 6.0 Tidbits Part 4: Finding all deployed vCenter Servers
  • vCenter Server 6.0 Tidbits Part 5: New method of patching the VCSA
  • vCenter Server 6.0 Tidbits Part 6: Customizing VCSA’s DCUI
  • vCenter Server 6.0 Tidbits Part 7: Connecting to SSO/PSC using JExplorer
  • vCenter Server 6.0 Tidbits Part 8: Useful ldapsearch queries for vmdird
  • vCenter Server 6.0 Tidbits Part 9: Creating & managing SSO users using dir-cli
  • vCenter Server 6.0 Tidbits Part 10: Automating SSO Admin configurations
  • vCenter Server 6.0 Tidbits Part 11: Automate SSO Admin password change
  • vCenter Server 6.0 Tidbits Part 12: New methods of downloading Support Bundles for VCSA / PSC


Comments

  1. vmjfk says

    04/07/2015 at 6:55 pm

    Major respect for this blog!
    I am wondering exactly what the SSO Domain Name is good for, why it is used and what domain name I _should_ give to my sites. Does it mirror Active Directory?

    • Alfonso Lopez says

      08/22/2017 at 2:40 am

      If you use the same domain name for SSO and your AD, you won't be able to create an Identity Source out of your AD once your vCenter is deployed.

      Actually, look at the screenshot at the beginning of the post; it tells you explicitly not to do it.

  2. Marcos Lins says

    04/08/2015 at 12:09 am

    Hi William,
    I just upgraded my vcsa from 5.5 to 6 and I noticed that there was no Single Sign-On site option in the wizard. How can I join the updated vcsa to the new SSO site?

    • William Lam says

      04/08/2015 at 5:33 pm

      You will need to either use the new Guided UI Install or Scripted Install, both of which are inside of the VCSA ISO. Take a look at the vSphere 6.0 documentation for more details.

  3. lololo says

    04/27/2015 at 1:03 pm

    Hello, I try to change my SSO domain name (because I put an IP address during installation) but could not find a solution.
    Do you have any idea?

    Thank you in advance

    • William Lam says

      04/27/2015 at 1:49 pm

      You're actually referring to the IP Address of your PSC, not the SSO Domain Name (which is different).

      You can only change the IP Address if you used FQDN when you deployed, else it is not possible to change the IP Address after deployment. You'll see that you're not allowed to when using the DCUI interface.

  4. lololo says

    04/28/2015 at 7:02 am

    Hello Lam,

    Thank you for your reply,

    I'm not sure I understand!

    When installing I put an IP address in "system name":

    https://www.dropbox.com/s/6g1nmb2llqybufq/sso2.JPG?dl=0

    Now I want to replace the IP address with a FQDN

    Possible?

    Thanks for your help

  5. Ron Flax says

    05/13/2015 at 7:05 pm

    On one of my upgraded vSphere 6 labs the lookup service or SSO server hostname returns as a short name, not an FQDN. Do you know if and how I can change that to an FQDN?

  6. Mary Kubasak says

    05/19/2015 at 9:56 pm

    Hi there - any idea on why the constraints for the SSO Domain Name got changed between Beta and GA 6.0? With the Beta installer I could make the SSO domain as "vcsa1.mk-38" - but when I tried to use that same domain name in the GA installer (for a fresh install for GA) it won't accept anything beyond the "vcsa1.mk" string except additional alpha characters (neither - nor 38 work any more).

  7. Bashir says

    06/22/2015 at 2:56 pm

    Hi William,

    I had a quick question in regards to PSC. If you need 2 Platform Services Controllers (PSC) to replicate between one another, do you need a Load Balancer?

    I guess, I am a bit confused reading the deployment paper from VMware as to Load Balancer. My ultimate goal in this is, to have 2 PSC running, and if one crashes, you point the 2 Vcenters to the other PSC.

    I hope the question is clear....

    Thanks in advance,

    • William Lam says

      06/22/2015 at 7:56 pm

      PSC replication does NOT need a load balancer, as long as it's joined to the same SSO Domain, then replication is done automatically.

      If you want to provide PSC HA where one crashes and other applications that use the PSC like VC or vRA for example, then a Load Balancer will be required. For more details, please take a look at the WP here https://www.vmware.com/files/pdf/techpaper/VMware-vCenter-Server-6-0-Availability-Guide.pdf

  8. Sebastián Greco says

    09/01/2015 at 8:17 am

    Most useful as always! Thank you!

  9. Tim says

    09/09/2015 at 6:48 pm

    Weird... /usr/lib/vmidentity/tools/scripts/lstool.py doesn't exist in my VCSA.

    • Ben Kevan says

      01/27/2016 at 10:48 am

      It's actually:

      /usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost

      • William Bennington says

        04/15/2016 at 2:54 pm

        I just downloaded V6 Update 2 and when I try to run this command I keep getting command not found, any idea why?

  10. Robbert says

    12/16/2015 at 3:36 pm

    Question, I'm deploying multiple PSCs (4 planned), but when I'm trying to join an existing site in the SSO I only have 1 name in the pull-down menu whereas I have 2 sites, so something is messed up, but I'm trying to understand why my other site is not showing up in the list. The site is actually in the same vCenter, but it's just the list that doesn't show the site when I'm trying to deploy a PSC. Any suggestions?

    regards

    Robbert

    • William Lam says

      12/17/2015 at 12:54 pm

      Then your other PSC is most likely not part of the same SSO Domain, else it would be visible if you configured it as a new Site.

  11. JJ says

    01/11/2016 at 12:34 pm

    easier - c:\program files\vmware\vcenter server\vmafd-cli.exe get-site-name --server-name xxxxxxxxx

    • JJ says

      01/11/2016 at 12:36 pm

      c:\program files\vmware\vcenter server\vmafd-cli.exe get-domain-name --server-name xxxxxxxxx

  12. Sunil Kumar says

    01/11/2016 at 11:29 pm

    While I installed VCSA 6, I have given my SSO Domain Name same as my internal Domain Name which created lots of authentication issues. Request you to help me to change the VCSA SSO Domain Name.

  13. iknownothing says

    01/28/2016 at 2:07 am

    Thanks so much for sharing the details~ I ran into a stupid situation by carelessly creating a customized sso domain and site, and the client accidentally closed. After a while when I tried to reconnect to the new vcsa I realized I forgot the sso-domain name... Thanks again~

  14. Ray Hapes says

    03/22/2016 at 11:48 am

    Really good information thank you. I want to consolidate 2 SSO domains into 1 as part of a 5.5->6.0 vCenter upgrade. Is there hope? Any suggestions for process or documentation?

  15. Ivan Guimaraes says

    08/05/2016 at 7:51 am

    William,

    Regarding SSO domain setup (PSC) on a recovery site for use of SRM 6.x, can I join to an existent SSO domain or this answer only depends on wan link latency?

  16. Francesco says

    11/17/2016 at 1:45 am

    Hi all,

    I have difficulties with these two concepts: SSO Domain Name and SSO Site name. Can anyone explain to me the differences between them and why they are so important when I must upgrade/migrate my farm vs ver 6.0? I must upgrade my farm 5.5 to ver. 6 next month (8 vCenters), and I don't know how these parameters must be configured.

    Thank you!

    Francesco

  17. Vimal Vijayan says

    03/01/2017 at 3:03 pm

    Could you please tell me how to update the SSO Site name? I have used a name and I want to change it.

  18. Peter says

    03/22/2017 at 3:30 pm

    Hi, is there anybody else who got a problem with an SSO Domain name?
    In my case, we have an AD domain called town.44-mycompany.com

    It works perfectly with the AD, but if I try to use this for SSO-Domain in vsphere-Setup I get errors.
    I'm not able to add the Appliance to the AD (without getting an error - just not possible) or with the VIM-Setup on Windows 2012 R2.

    There I get the message refer to RFC 1035, letter at the beginning and alphanumeric on the end... but in God's name, that is from 198X - now in 2017 there are lots of domains with numbers in the beginning of the domainname and for some reason, you use this for the AD...

  19. sudheesh says

    09/13/2017 at 7:45 am

    Hello William, I have a customer who has accidentally given the same name to the SSO domain as his AD. Is there a supported process to update the SSO domain after the PSC has been deployed? This is vC appliance 6.5 with embedded PSC. I ask this because redeployment is going to be a difficult task given the current state of deployment.
