INSTALLING VMWARE VSPHERE SINGLE SIGN ON (SSO) IN MULTI-SITE MODE
VMware vSphere Single Sign On (SSO) can be installed in Multi-site mode to support local sign-on to vCenters that you want to be part of the same single sign on domain - for example, if you want to install Linked-Mode and have the advantage of a single pane of glass view, but can’t risk using a single SSO instance across the WAN. In other words, from VMware’s blog post:
Multisite deployments are where a local replica is maintained at remote sites of the primary vCenter Single Sign-On instance. vCenter Servers are reconfigured to use the local vCenter Single Sign-On service and reduce authentication requests across the WAN. Multisite deployments do drop the support of single pane of glass views unless Linked Mode is utilized and multisite deployments are actually required to maintain Linked Mode configurations where roles, permissions and licenses are replicated between linked vCenter servers. Linked mode will re-enable single pane of glass views across multisite instances.
Using two test vCenters, Definit-VC01 and Definit-VC02, I ran through the installation.
Installing the first vCenter SSO
This is important! Don’t install using the Simple Installation, even if you are just using a single server, because you can’t then install SSO in Multi-Site Mode. If you have already installed the vCenter Server (as I had), you will need to uninstall all the components, preserving the database, and re-install using this guide. Uninstall components in this order: Web Client, vCenter Server, Inventory Service, Single Sign On. I will also use the same service account user for both installations.
Install Single Sign On in Multi-site mode and select to install as a new primary node.
Create an SSO administrator password and then either choose to install a new SQL Express instance, or use a supported one. I have a separate SQL server for this VC, so I will create an RSA database manually.
Modify the two scripts to reflect your installation path and the passwords you want for the RSA DB.
Once you’ve edited and run the two scripts, check that they exist and then proceed to configure the database connection.
Enter the FQDN and service details - I installed here with the Network Service account and later modified it to use a service account.
I accepted the default location and port.
And finished the Wizard.
Stringing it all together - Linked Mode
In my previous post, Configuring vCenter Linked Mode, I ran through the process of installing Linked Mode using a single instance of SSO across a fast link, so I’m not going to cover the actual installation of Linked Mode here. The process is exactly the same and should be run using the same account that is running services on both vCenters.