vSphere 6.5 – Page 11

Project USB to SDDC - Part 1

04.05.2017 by William Lam // 2 Comments

A couple of weeks back, Alan Renouf and I co-presented at the Sydney and Melbourne VMUG UserCon, here are some great write-ups about the events here and here. We were very honored to have been invited out and to also deliever the closing keynote. Having traveled halfway around the world, we thought it was only fitting to share something really special.

For the last couple of months, we had been working on a small pet project that I personally had been referring to as the "vGhetto SDDC". This was not something we had not shared with anyone before and thought the VMUG UserCon was the perfect venue to demo our new project. For the session, we decided to rename the project/session to USB to SDDC (better ring than the previous title) which might give you a hint on what the project might be about.

The inception for this project really stemmed from the work we did at last years VMworld Hackathon which was another idea that both Alan and I had came up and worked with the VMware Code team to deliver at both VMworld US and Europe. Like all great Automation stories, the motivation for this project was born out of pure laziness. With the huge success of the Hackathon at VMworld US, there was a huge demand for us to also deliver it again at VMworld Europe.

[Read more...]

Maximum number of vCenter Servers per Single Sign-On (SSO) Domain

03.29.2017 by William Lam // 9 Comments

This particular question and its variations have been raised quite a bit lately by our field and customers. For me, this was an opportunity to see if we can provide some additional clarification and help explain some of the nuances that may have been causing some of the confusion around the supported maximums for both vCenter Server and the Platform Services Controller (PSC).

In the vSphere 6.5 Configuration Maximum, there are three specific maximums that helps us answer our question on the maximum number of vCenter Servers per vCenter Single Sign-On (SSO) Domain. I will go through each of the maximums and provide some additional context that will help us derive the answer to our question.

The first is the "Linked vCenter Servers" which defines the maximum number of vCenter Servers that can be supported in an Enhanced Linked Mode (ELM) configuration. What is interesting about this particular maximum is that it actually answers the majority of our question. By definition, an ELM consists of a single SSO Domain. This then means that you can only have a maximum of 10 vCenter Servers per SSO Domain.

vCenter Server Maximum

Configuration	Maximum
Linked vCenter Servers (w/External PSC)	10
Linked vCenter Servers (w/Embedded PSC)	15

Note: As of vSphere 6.7, you can have up to 15 Embedded VCSA's within an ELM.

The second is the "Maximum PSCs per vSphere Domain" which defines the maximum number of PSC's that can be part of a single SSO Domain, pretty straight forward. The third is the "Maximum PSCs per site behind a load balancer" which just adds an additional constraint when using a load balancer with your PSCs.

Platform Services Controller Maximum

Configuration	Maximum
Maximum PSCs per vSphere Domain	10
Maximum PSCs per site behind a load balancer	4

[Read more...]

vSphere 6.5b prevents vSphere Web Client logins for users w/o VC permissions

03.14.2017 by William Lam // 8 Comments

A patch update was just released for vCenter Server 6.5, dubbed vSphere 6.5b. While glancing through the release notes, I caught one interesting "resolved issue" which I thought was worth sharing.

Users with no vCenter Server permissions can log in to the vSphere Web Client

Users without permissions can log in to the vSphere Web Client. Users can click the menu options, but no inventory is displayed.

Users with no permissions can no longer log in to the vSphere Web Client.

To enable the login, set the allow.user.without.permissions.login = true property in the webclient.properties file.

This particular behavior has been something that has confused a few customers and has been asked about since the introduction of vCenter Single Sign-On (SSO) service. The issue or rather the confusion is that prior to the SSO service, vCenter Server handled both authentication as well as authorization.

With SSO, authentication was no longer being handled by vCenter Server and this meant that even if you had no permissions in vCenter Server but you could authenticate to SSO (especially common when Active Directory is configured), you would still be allowed to login to the vSphere Web/H5 Client.

Although vCenter Server would does the right thing and does not display any inventory if you do not have any permissions, it was still not a desired behavior in addition to the confusion it caused. I was pleasantly surprised to see that we have changed this default behavior by disallowing logins to the vSphere Web/H5 Client if a user has no VC permissions. Below is the message you will receive if you try to login without VC permissions.

If you wish to revert to the original behavior, you can do so by simply adding the allow.user.without.permissions.login = true setting into the vSphere Web/H5 Client configuration file (webclient.properties) and restart the vSphere Web/H5 Client service. I think many of our customers will appreciate this fix as well as the new default behavior!