Today we'll cover another objective from the VCP-DCV 2019 certification and we'll talk about VMware clusters. Chapter after chapter we're getting closer to filling the blueprint objectives and helping students study for and pass the Professional vSphere 6.7 Exam 2019. Today's chapter: VCP6.7-DCV Objective 4.8 – Configure an SSO domain.
You should not rely on our information only, but use these guides as a complementary resource. Perhaps it is also a good idea to download the older VCP6.5-DCV study guide PDF, as the structure of each chapter is much more detailed and IMHO gives better support for study.
Check out: VMware Certification Changes in 2019. No mandatory recertification after 2 years. Older certification holders (up to VCP5) can pass the new exam without a mandatory course; only recommended courses are listed.
Did you know? You can become VCP-DCV 2019 certified even by passing the VCP6.5-DCV exam.
To become VCP-DCV 2019 certified you have 3 different choices of exam:
- Professional vSphere 6.7 Exam 2019
- VCP6.5-DCV: VMware Certified Professional 6.5 – Data Center Virtualization exam (our VCP6.5-DCV Study Guide Page which is complete)
- VCP6.5-DCV DELTA: VMware Certified Professional 6.5 – Data Center Virtualization Delta exam
Note: You must be VCP5 or VCP6. If not, you must attend a class and you have no “Delta” exam option.
The Professional vSphere 6.7 Exam 2019 (2V0-21.19) which leads to VMware Certified Professional – Data Center Virtualization 2019 (VCP-DCV 2019) certification is:
- A 70-item exam
- Passing score of 300 using a scaled scoring method.
- Candidates are given 115 minutes to complete the exam
VCP6.7-DCV Objective 4.8 – Configure an SSO domain
vCenter SSO allows vSphere components to communicate with each other through a secure token mechanism. vCenter SSO uses:
- Security Token Service (STS)
- SSL for secure traffic
- Authentication of users through Microsoft AD or OpenLDAP
- Authentication of solution through certificates
Check the vSphere Platform Services Controller Administration PDF for further explanation of how SSO and the token handshakes work.
Each Platform Services Controller (PSC) is associated with a vCenter Single Sign-On domain. The domain name defaults to vsphere.local, but you can change it during the installation of the first Platform Services Controller.
The domain determines the local authentication space. You can split a domain into multiple sites, and assign each Platform Services Controller and vCenter Server instance to a site. Sites are logical constructs, but usually correspond to a geographic location.
You can organize Platform Services Controller domains into logical sites. A site in the VMware Directory Service is a logical container for grouping Platform Services Controller instances within a vCenter Single Sign-On domain. A Platform Services Controller can be deployed in one of two ways:
- Embedded – All services that are bundled with the Platform Services Controller are deployed together with the vCenter Server services on the same virtual machine or physical server.
- External – Only the vCenter Server services are deployed on the virtual machine or physical server. You must register such a vCenter Server instance with a Platform Services controller instance that you previously deployed or installed.
Worth noting:
With vSphere 6.7 Update 2, VMware is announcing the deprecation of external PSCs. With VMware vCenter Server enhanced link mode introduced in vSphere 6.7, infrastructure teams can link up to fifteen vCenter Server instances in the embedded PSC topology, eliminating the need for load balancers and simplifying architectures.
When deploying a new VCSA, you have the choice to deploy an embedded or an external PSC.
Then, during the configuration phase, you have to specify a new SSO domain or join an existing SSO domain. You also have to create or enter the administrator's password.
Once the VCSA is deployed, you can access the SSO configuration through Administration > SSO.
Once there, you must first join the PSC to Microsoft AD, and only then add AD as an identity source.
Using the vSphere Client, log in to a vCenter Server associated with the Platform Services Controller (PSC) as a user with administrator privileges in the local vCenter Single Sign-On domain.
Select Administration > Expand Single Sign-On and click Configuration > Click Active Directory Domain > Click Join AD, specify the domain, optional organizational unit, and user name and password, and click Join.
Other than Microsoft AD (Windows Server 2003 and later), you can configure OpenLDAP as an identity source in the vSphere Client.
If you select the Active Directory (Integrated Windows Authentication) identity source type, you can use the local machine account as your SPN (Service Principal Name) or specify an SPN explicitly. You can use this option only if the vCenter Single Sign-On server is joined to an Active Directory domain (which was our case).
vCenter SSO Components
STS (Security Token Service) – This service issues Security Assertion Markup Language (SAML) tokens. Those tokens represent the identity of a user in one of the identity source types supported by vCenter SSO. The vCenter Single Sign-On service signs all tokens with a signing certificate, and stores the token signing certificate on disk. The certificate for the service itself is also stored on disk.
Administration Server – allows users with admin privileges in vCenter SSO to configure the SSO server and manage users and groups from the vSphere Web Client.
Do not give the SSO domain the same name as your Microsoft Active Directory or OpenLDAP domain.
VMware Directory Service (vmdir) – The VMware Directory Service (vmdir) is associated with the domain you specify during installation and is included in each embedded deployment and on each Platform Services Controller. This service is a multi-tenanted, multi-master directory service that makes an LDAP directory available on port 389. The service still uses port 11711 for backward compatibility with vSphere 5.5 and earlier systems. It stores SSO information as well as certificate information.
Identity Management Service – handles identity sources and STS authentication requests.
To configure vCenter Single Sign-On and manage vCenter Single Sign-On users and groups, the user administrator@vsphere.local or a user in the vCenter Single Sign-On Administrators group must log in to the vSphere Client. After authentication, that user can access the vCenter Single Sign-On administration.
Authenticated users can view all vCenter Server instances or other vSphere objects for which their role gives them privileges. No further authentication is required. After installation, the administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default, has administrator access to both vCenter Single Sign-On and vCenter Server.
That user can then add identity sources, set the default identity source, and manage users and groups in the vCenter Single Sign-On domain.
There are some advantages to installing the PSC on the same machine rather than having a separate PSC in your environment. The connection between vCenter Server and the Platform Services Controller is not over the network, so vCenter Server is not prone to outages caused by connectivity and name resolution issues between vCenter Server and the Platform Services Controller.
You'll configure SSO during the installation of the vCenter server and PSC (if installing embedded PSC). When you install a Platform Services Controller, you are prompted to create a vCenter Single Sign-On domain or join an existing domain.
The domain name is used by the VMware Directory Service (vmdir) for all Lightweight Directory Access Protocol (LDAP) internal structuring. With vSphere 6.0 and later, you can give your vSphere domain a unique name. To prevent authentication conflicts, use a name that is not used by OpenLDAP, Microsoft Active Directory, and other directory services.
Note: You cannot change the domain to which a Platform Services Controller or vCenter Server instance belongs.
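Because the SSO domain name cannot be changed after deployment, it is worth checking the chosen name before the installer runs. The following pre-flight check is an added example, not VMware code: it applies the naming guidance above (no reuse of an Active Directory or OpenLDAP domain name) and, as an assumption stricter than the text, also flags names whose DNS hierarchy overlaps with a directory domain. The list of directory domains is assumed to be collected by the administrator beforehand.

```python
"""Pre-deployment check for a proposed vCenter Single Sign-On domain name.

Constructed example. Rules: the SSO domain must not reuse the DNS name of any
Active Directory / OpenLDAP domain that will become an identity source; as an
extra assumption, a name that is a parent or child of such a domain is flagged
too, and each label must be a valid DNS label.
"""
import re

# DNS label: letters, digits, hyphen; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _labels(name):
    """Normalise a DNS name to a lower-case list of labels."""
    return name.strip().rstrip(".").lower().split(".")


def check_sso_domain(proposed, directory_domains):
    """Return a list of problems; an empty list means the name is acceptable.

    proposed:           SSO domain name typed into the PSC installer
    directory_domains:  DNS names of every AD / OpenLDAP domain that will be
                        added as an identity source (collected beforehand)
    """
    problems = []
    labels = _labels(proposed)
    if len(labels) < 2:
        problems.append("SSO domain must have at least two labels (e.g. vsphere.local)")
    for lab in labels:
        if not _LABEL.match(lab):
            problems.append(f"invalid DNS label {lab!r}")
    for dom in directory_domains:
        dl = _labels(dom)
        if labels == dl:
            problems.append(f"name is identical to directory domain {dom!r}")
        elif labels[-len(dl):] == dl:
            # Assumption beyond the guidance: a child of a directory domain
            # shares its DNS suffix and is treated as a conflict.
            problems.append(f"name is a subdomain of directory domain {dom!r}")
        elif dl[-len(labels):] == labels:
            problems.append(f"name is a parent of directory domain {dom!r}")
    return problems


if __name__ == "__main__":
    # Constructed input: proposed name vs. the AD domain of the lab.
    for name in ("vsphere.local", "corp.example.com", "sso.corp.example.com"):
        print(name, "->", check_sso_domain(name, ["corp.example.com"]) or "OK")
```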
The SSO settings and identity sources can be found under Menu > Administration > Single Sign-On > Configuration.
Where to set a default SSO domain?
There you can add other identity sources. As you can see, I have added my Microsoft Active Directory (AD). However, you must first join the Platform Services Controller to the Active Directory domain.
Groups in vCenter SSO Domain
The vCenter Single Sign-On domain has some predefined groups. If you add users to one of those groups, they will be able to perform the corresponding actions.
For all objects in the vCenter Server hierarchy, you can assign permissions by pairing a user and a role with the object. For example, you can select a resource pool and give a group of users read privileges to that resource pool object by giving them the corresponding role. For some services that are not managed by vCenter Server directly, membership in one of the vCenter Single Sign-On groups determines the privileges.
For example, a user who is a member of the Administrator group can manage vCenter Single Sign-On. A user who is a member of the CAAdmins group can manage the VMware Certificate Authority, and a user who is in the LicenseService.Administrators group can manage licenses.
Please have a further look at the Platform Services Controller Administration PDF.
Do not rely only on our study guide. Use the official documentation as well as your home lab for your studies. Follow the progress of the VCP6.7-DCV Study Guide page for further updates.