Installing VMware vSphere Single Sign On (SSO) in Multi-site Mode

vmware logo VMware vSphere Single Sign On (SSO) can be installed in Multi-site mode to support local sign-on to vCenters that you want to be part of the same single sign on domain – for example, if you want to install Linked-Mode and have the advantage of a single pane of glass view, but can’t risk using a single SSO instance across the WAN. In other words, from VMware’s blog post:

Multisite deployments are  where a local replica is maintained at remote sites of the primary vCenter Single Sign-On instance. vCenter Servers are reconfigured to use the local vCenter Single Sign-On service and reduce authentication requests across the WAN. Multisite deployments do drop the support of single pane of glass views unless Linked Mode is utilized and multisite deployments are actually required to maintain Linked Mode configurations where roles, permissions and licenses are replicated between linked vCenter servers. Linked mode will re-enable single pane of glass views across multisite instances.


SSO Multi-site

Using two test vCenters, Definit-VC01 and Definit-VC02, I ran through the installation.

Installing the first vCenter SSO

This is important! Don’t install using the Simple Installation, even if you are just using a single server. The reason for this is that you can’t install SSO in Multi-Site Mode if you do. If you have already installed the vCenter Server (as I had) then you will need to uninstall all the components, preserving the database and re-install using this guide. Uninstall components in this order: Web Client, vCenter Server, Inventory Service, Singe Sign On. I also will use the same service account user for both installations.

Install Single Sign On in Multi-site mode and select to install as a new primary node.

vSphere 5.1a Installer vSphere SSO - Create Primary Node

Create an SSO administrator password and then either choose to install a new SQL Express instance, or use a supported one. I have a separate SQL server for this VC, so I will create an RSA database manually.

vSphere SSO - Installation vSphere SSO Database

Modify the two scripts to reflect your installation path and passwords you want for the RSA DB.

vSphere SSO Create DB Script vSphere SSO Create Users Script

Once you’ve edited and run the two scripts check that they exist and then proceed to configure the database connection.

vSphere SSO Database and Users  vSphere SSO Database Connection

Enter the FQDN and service details – I installed here with the Network Service account and later modified it to use a service account.

  vSphere SSO Service Account

I accepted the default location, and port.

vSphere SSO Install Path  vSphere SSO Port

And finished the Wizard.

Stringing it all together – Linked Mode

In my previous post, Configuring vCenter Linked Mode, I ran through the process of installing Linked Mode using a single instance of SSO across a fast link, so I’m not going to cover the actual installation of Linked Mode here. The process is exactly the same and should be run using the same account that is running services on both vCenters.

CC BY-SA 4.0
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.


  1. JB says

    Hi Sam
    I have multiple sites i setup Site A with SSO
    Can Site B be joined via multi-site and still allow local authentication if Site A goes down? When i attempted this the installer just froze and was unable to continue

    thanks alot for any input

    • says

      Hi JB,

      If site A was originally installed using the advanced SSO installation as the primary node in multi-site, then yes you can add a second site. But it sounds like it’s not; I had the same issue when I initially set up the multi-site. You will need to remove the existing installation at Site A and re-install it using the advanced settings (follow the article above ;)).

      If you have multi-site configured as above, then if Site A goes down Site B will still continue to authenticate from it’s local SSO – in fact it will always authenticate to the local SSO regardless.

      Hope that helps!


    • says

      Nice one – cheers for the info Leo! I do wonder if it isn’t less complicated to re-install though, re-registering services with the SSO isn’t exactly a walk in the park, I’ve had big issues in the past with this.

      • leo says

        I’will try anyway, I fear re-installing everything will mess-up with the certificates with what I had issues in the past as well 😉 I have also view connection server and security servers hooked on the vc.

        What kind of issues did you have withe the re-registration ?

          • says

            Awesome – well done! Thanks for the update, hopefully that’ll help some readers out. I ran into the vpxd.cfg issue before as well as having to manually remove SSO GUIDs from config files, repair installations etc. To be fair those issues were with the initial 5.1 GA version, rather than the latest updates.

            Thanks Leo

Leave a Reply