vCenter
  • 1.  SSO domain .local bad practice?

    Posted Jun 16, 2015 02:46 PM

    Hi

    When deploying vCenter 5.5 SSO (or 6.0 PSC), for the SSO details the default is Administrator@vsphere.local

    Is the "vsphere.local" a bad practice or is this the default? I ask as it just reminds me of the .local domain and I don't want to get in that trap again. Should the domain be the AD FQDN?

    Thanks!



  • 2.  RE: SSO domain .local bad practice?

    Posted Jun 16, 2015 03:03 PM

    Well, the answer is no. The SSO 5.5 administrator username cannot be changed from administrator@vsphere.local to another user name. You can, however, create a separate administrator user for this purpose.

    Here is the best practice and FAQ for SSO, VMware KB: VMware vCenter Single Sign-On Server 5.5 FAQs



  • 3.  RE: SSO domain .local bad practice?

    Posted Jun 17, 2015 02:29 AM

    Domain 'vsphere.local' is the default domain in vSphere 5.5 and earlier. You cannot create another domain in vSphere 5.x.

    However, PSC vSphere 6 supports your own domain name, so you can use your corporate name.



  • 4.  RE: SSO domain .local bad practice?

    Posted Jun 17, 2015 03:58 AM

    admin@System-Domain - vSphere 5.1 SSO admin account with domain name System-Domain

    administrator@vsphere.local - vSphere 5.5 SSO admin account name with domain vSphere.local (not changeable)

    administrator@vsphere.local - vSphere 6.0 SSO admin account name with default domain vSphere.local (changeable during deployment of PSC)


    Since vSphere 5.5, SSO creates its own LDAP database to keep user/group account info etc. You will be using this default SSO admin account to do the initial administration of SSO, like adding more identity sources (AD/OpenLDAP), and if you wish you can delegate SSO admin privileges to other accounts too. All you have to do is make those additional accounts members of a group called Administrators within your SSO users/groups section.


    I wouldn't say using the default domain name vSphere.local is bad practice; it's just that if you wanted to customise the name of it, you weren't able to do so in version 5.5, but in the latest version a bit more control is with us. Setting the password of the SSO admin as complex as possible would be the only advice, as that account has full control of your VC inventory by default, but access and authentication can be modified quite easily by creating roles as per your requirements and assigning permissions accordingly.
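    The last reply's advice (keep administrator@vsphere.local for SSO setup, then create roles and assign permissions for day-to-day access) can be put into practice with PowerCLI. The script below is an added example written for this thread, not code from any of the posters or from VMware; it assumes an existing PowerCLI session, and the role name VM-Operator, the folder Prod-VMs, the hostname vcenter.example.com and the SSO group VSPHERE.LOCAL\vm-operators are placeholders you would replace with your own. The final step lists who holds the built-in Administrator role at the inventory root, so that shared use of the default admin account, rather than delegated accounts, is easy to spot.

```powershell
# Added example (not from the thread): delegate scoped access with a custom role
# instead of handing out administrator@vsphere.local.
# Placeholders: vcenter.example.com, 'VM-Operator', 'Prod-VMs',
# 'VSPHERE.LOCAL\vm-operators'. Requires VMware PowerCLI.

Connect-VIServer -Server vcenter.example.com

# 1. A role carrying only the privileges the operators actually need.
$privIds = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.ConsoleInteract'
)
$privs = Get-VIPrivilege -Id $privIds
if (-not (Get-VIRole -Name 'VM-Operator' -ErrorAction SilentlyContinue)) {
    New-VIRole -Name 'VM-Operator' -Privilege $privs | Out-Null
}

# 2. Bind the role to an SSO group on one folder (propagating downwards),
#    rather than granting a user Administrator at the root.
$folder = Get-Folder -Name 'Prod-VMs' -Type VM
New-VIPermission -Entity $folder -Principal 'VSPHERE.LOCAL\vm-operators' `
    -Role 'VM-Operator' -Propagate:$true

# 3. Audit: list every principal holding the built-in Administrator role
#    (its PowerCLI role name is 'Admin') at the inventory root.
Get-VIPermission -Entity (Get-Folder -NoRecursion) |
    Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, Entity, Propagate
```

    Run the audit step on its own periodically: the expected result is a short, known list of break-glass principals, with routine work done through groups like the one created above.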