vSphere 5.1 SSO issues

November 13, 2012 By Eric Shanks

Over the past few weeks, I’ve been hearing about a lot of customers having issues logging in to vCenter after upgrading to vSphere 5.1. I upgraded the lab and had some issues as well, but was able to fix them and wanted to share what I’ve learned. As you may know, version 5.1 of vSphere requires the SSO service to be installed before vCenter can be upgraded. SSO is required for this version and cannot be skipped.

After my upgrade, I was unable to log in to the vSphere client using my Active Directory credentials and received an error message that stated: “You do not have permission to login to the server”. If I went to the new vSphere web client at https://vcentername:9443/vsphere-client, I wasn’t able to log in either.

To fix this issue, I logged in to the vSphere web client again, but this time used the user admin@system-domain. This is the literal username, not a placeholder to be replaced with something like admin@system-vmware.com. I then specified the SSO password that I entered during the installation of SSO for 5.1.

Once you’re logged in, you can go to SignOn and Discovery -> Configuration.

You’ll need to add your identity source to the list.

Once you can see your Active Directory source listed, you can then add the AD groups that are allowed to log in.

At this point, you should be able to select the SSO Users and Groups and then add the accounts that should be allowed to log in to the clients.

As for why the issue happened to me in the first place, I’m not quite sure. Chris Wahl has a post about upgrading that explains that it’s very important for your PTR records to be set up correctly for your domain, and the VMware best practices guide mentions this as well as time sync with the domain. In my case, neither of these seemed to be my issue. There may be another common cause for this that is affecting users, but I’m not aware of what it is. Hopefully this post explains how to work around the issue if it is affecting you. If you have more information about these SSO issues and how you fixed them, please post info in the comments.
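
A check for the PTR prerequisite mentioned above, as an added example (not from the original post, Chris Wahl's post, or VMware): it confirms that every address a host name resolves to has a PTR record pointing back at the same FQDN. The script name, the host names in the usage comment, and the `forward`/`reverse` parameters are assumptions made for illustration; by default it uses the operating system resolver, so run it from the machine that will host SSO and vCenter.

```python
import socket
import sys

def _forward(name):
    """IPv4 addresses from the forward (A) lookup, or [] on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def _reverse(ip):
    """Names the system resolver returns for the PTR lookup, or [] on failure."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
        return [primary] + aliases
    except OSError:
        return []

def _norm(name):
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()

def check_ptr(fqdn, forward=_forward, reverse=_reverse):
    """Return a list of problems; empty means every address the name
    resolves to has a PTR record pointing back at the same FQDN."""
    ips = forward(fqdn)
    if not ips:
        return [f"{fqdn}: no A record"]
    problems = []
    for ip in ips:
        names = [_norm(n) for n in reverse(ip)]
        if not names:
            problems.append(f"{fqdn}: {ip} has no PTR record")
        elif _norm(fqdn) not in names:
            problems.append(f"{fqdn}: {ip} PTR points to {', '.join(names)}")
    return problems

if __name__ == "__main__":
    # Usage: python check_ptr.py vcenter.example.com dc01.example.com
    # (placeholder host names; pass the vCenter/SSO server and domain controllers)
    bad = 0
    for host in sys.argv[1:]:
        problems = check_ptr(host)
        bad += len(problems)
        print("\n".join(problems) if problems else f"{host}: OK")
    sys.exit(1 if bad else 0)
```

A non-zero exit status means at least one host has a missing or mismatched record to fix in DNS before upgrading.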