As you probably know (or don’t), from vCenter 5.1 onwards Single Sign-On (SSO) has its own password policy. This policy applies to the SSO identity source only, not to external identity sources (like AD DS). In 5.1 the default maximum lifetime of a password is 365 days: after 365 days the password expires and the account is locked until the password is reset.

After installation we are used to either changing this to a value appropriate for your organization’s security policy (smaller or greater than the default) or to a non-expiring value (0), and to adding an additional user/group from another identity source to the SSO administrators group so that access to SSO does not hang on a single local account (much like setting permissions on your vSphere inventory objects). Preferred is a domain user/group. Yes, the domain has a password policy too, but then you only have to worry about it at the domain level. Expired SSO admin? Log in to SSO with the domain account, reset the password, and you are good to go using the SSO admin again.

When you do keep a password policy for the SSO admin, be sure to have a procedure in place that notifies you in time that the password is about to expire, and that documents how to change it. It happens often enough that the system is installed and this step, or saving the password somewhere, is forgotten. It is also an inconvenience that the vSphere Web Client (or any other task, alarm, whatever) won’t remind you when the password is about to expire. Have some procedure in place.

When using a password policy, be sure to set it at the correct level so your users won’t be sticking post-its with the password on their monitors.
Okay, but help me, what is SSO again?

SSO is an authentication and security broker between an identity source (like the local OS, LDAP or Active Directory) and the vSphere solutions you access. Want to use vCenter? You authenticate to SSO. Want to use Operations Manager? You authenticate to SSO, and so on. Below is a model taken from the VMware.com site giving a graphical representation of SSO and its role.

As you see, SSO is a critical component in the authentication/security of a vSphere infrastructure. Lose access to SSO and you lose access to, and functionality of, a lot of components (those configured to use the expired account). It is a required component when installing a vSphere infrastructure and should be set up at step one.
What do we need to know in vCenter SSO 5.5?
There is still a password policy for administrator@vsphere.local (okay, that is also a change from admin@System-Domain), and by default it is set to expire after 90 days. Log in to the vSphere Web Client as administrator@vsphere.local (or another SSO administrator) and go to Administration – Single Sign-On – Configuration – Policies to take a look for yourself.

When trying to set the maximum lifetime to 0 you are presented with a nice non-descriptive error message: “The error has no message.” Whaaaat?!?

Fortunately there is KB article 2053196 in the VMware knowledge base for that.

In other words: you can’t set it to never expire. The highest value you can set for the maximum lifetime is 9999 days. That will keep you going for some years….

Be sure to change the other password policy settings according to your organization’s security policy. The same goes for the lockout and token policies.
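Because the Web Client won’t warn you when the SSO admin password is about to expire, the “procedure” can be a small scheduled check of your own. Below is an added example (not VMware code, and not anything the page itself ships) that models the 5.5 policy as described here: a lifetime of 0 is rejected, 9999 days is the ceiling, and each SSO account is checked against a warning window. The account names and last-changed dates are constructed for the example; in practice you record the date yourself when you reset the password, since SSO does not expose it to you.

```python
from datetime import date, timedelta

# Bounds the vSphere 5.5 SSO policy page enforces: 0 (never expire) is
# rejected ("The error has no message.", KB 2053196) and 9999 is the largest
# accepted value. The lower bound of 1 is an assumption for this example.
MIN_LIFETIME_DAYS = 1
MAX_LIFETIME_DAYS = 9999
DEFAULT_LIFETIME_DAYS = 90  # 5.5 default for administrator@vsphere.local


def validate_max_lifetime(days):
    """Mirror the UI check: only 1..9999 days are accepted."""
    if not isinstance(days, int) or not MIN_LIFETIME_DAYS <= days <= MAX_LIFETIME_DAYS:
        raise ValueError(
            "maximum lifetime must be between %d and %d days, got %r"
            % (MIN_LIFETIME_DAYS, MAX_LIFETIME_DAYS, days)
        )
    return days


def password_expiry(last_changed, max_lifetime_days=DEFAULT_LIFETIME_DAYS):
    """Date on which a password last set on `last_changed` expires."""
    return last_changed + timedelta(days=validate_max_lifetime(max_lifetime_days))


def expiry_status(last_changed, max_lifetime_days, today, warn_days=14):
    """Return ("expired"|"warning"|"ok", days_remaining) for one account."""
    remaining = (password_expiry(last_changed, max_lifetime_days) - today).days
    if remaining < 0:
        return "expired", remaining
    if remaining <= warn_days:
        return "warning", remaining
    return "ok", remaining


def accounts_needing_action(accounts, max_lifetime_days, today, warn_days=14):
    """Return {account: (status, days_remaining)} for accounts not in state 'ok'.

    `accounts` maps the SSO principal name to the date you last reset it
    (kept by you; SSO itself will not tell you).
    """
    report = {}
    for name, last_changed in accounts.items():
        status, remaining = expiry_status(last_changed, max_lifetime_days, today, warn_days)
        if status != "ok":
            report[name] = (status, remaining)
    return report


# Constructed sample data for this example only.
SAMPLE_ACCOUNTS = {
    "administrator@vsphere.local": date(2014, 1, 1),   # reset on install day
    "svc-backup@vsphere.local": date(2013, 10, 1),     # forgotten service account
    "svc-monitor@vsphere.local": date(2014, 3, 1),     # recently rotated
}

if __name__ == "__main__":
    today = date(2014, 3, 20)
    for name, (status, remaining) in accounts_needing_action(
        SAMPLE_ACCOUNTS, DEFAULT_LIFETIME_DAYS, today
    ).items():
        print("%-30s %-8s %d day(s)" % (name, status, remaining))
    try:
        validate_max_lifetime(0)
    except ValueError as err:
        print("policy rejected:", err)
```

Run it from a scheduled task or cron job with a warning window that matches how long your change process takes; anything reported as “warning” or “expired” is your cue to log in with the domain-backed SSO administrator and reset the local account before it locks you out.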
How do we add additional users to the SSO administrators group again?

Log in to the vSphere Web Client as administrator@vsphere.local (or another SSO administrator). Go to Administration – Single Sign-On – Users and Groups. Select the Administrators group and click the Add Member button (the plus-user icon). In the Add Principals dialog select your identity source (domain) and the user or groups you wish to add.
Great to have that sorted again. Now off to add more roles to my vSphere 5.5 testlab.
– Happy SSO’in !