vSphere 5.5 – SSO Multi-Site Deployment – Learning by Doing


Up to now, all vSphere 5.1/5.5 installations I have done have been deployed with the Single Sign-On service in basic mode, now also known as the “for your first vCenter Server” option.

But I felt it was time to familiarize myself with the other deployment scenarios, and that is what I want to share in this post. A scenario I was interested in was getting a single pane of glass for multiple vCenter servers. OK, so let’s see what we need to do to get the desired result.

When installing SSO 5.5 you will be asked to choose from one of the deployment modes:

SSO2

As I said, I’ve only used the first option so far, but what about the other options? I would say it’s time for some short definitions to clarify what is what:

Basic Mode / Single Sign-On for your first vCenter Server

This mode should be used when installing the very first or an independent SSO instance.

High Availability Cluster / Multiple Single Sign-On instances in the same location

This mode is designed to support multiple SSO instances in the same site to provide high availability for the service. Both SSO instances share the same database and identity sources. Note that for it to work properly you will have to do some additional configuration tasks: Configuring VMware vCenter Single Sign On for High Availability

Multi-Site / Multiple Single Sign-On instances in different locations

This mode is designed for deploying multiple vCenter servers across multiple locations. Each site gets a local SSO instance or HA cluster along with its vCenter server.

OK, now we (or at least I) know which options we have when deploying SSO and understand the major differences. It seems the Multi-Site option is the one I was looking for. As I dug deeper I found a bunch of requirements and dependencies that need to be met for the single pane of glass to work:

  • This mode is required when using Linked Mode
  • Linked Mode is required to get all vCenter servers on a single pane of glass
  • The local SSO instances must belong to the same AD/LDAP domain as the first/main SSO
  • The local SSO instances must also have a local domain controller available to enable fast logins
  • Last but not least, to be able to join a Linked Mode group the vCenter server needs to be licensed as a Standard edition; the Foundation/Essentials editions do not support Linked Mode

This is how it should look from a logical perspective:

SSO_Multi-Site_Diagram

All SSO instances belong to the same vSphere authentication domain, so settings like identity sources are identical across both sites. Each site still authenticates users via its local SSO instance, which at this point doesn’t provide failover between sites. If the SSO instance in Site 1 is down, users and the Linked Mode partner will lose access to the vCenter server in Site 1.

Now it’s lab time! Theory is good, but doing it yourself is even better.

My lab is currently running a vCenter Server 5.5 with ALL components deployed on the same virtual machine. So of course the SSO service was installed with the first option, “for your first vCenter Server”, and the vCenter server is a member of my domain, which is also added as an identity source. A pretty straightforward setup.

To simulate a remote location I deployed an additional domain controller in the same domain to represent the local AD server. Then I deployed a new vCenter server, which I joined to the same domain using the local AD server. So far so good; then it was time to install all the vCenter server components. As usual I started with SSO, selected “Multiple Single Sign-On instances in different locations” and named it accordingly:

All other components, like the Web Client, Inventory Service and the vCenter server itself, need to connect to an SSO instance. I registered all of them with the local SSO instance:

vCenter1

Once the installation was complete I logged into both vCenter servers via the Web Client, but all I saw was a single vCenter per site:

singleVC

Linked Mode! As mentioned earlier, Linked Mode is required to get the single pane of glass.

After the setup completed, both vCenter servers appeared in both web clients.

LinkedModeComplete

The final step was to assign proper permissions on both vCenter servers, and that was it.

AddPermissions

I’m planning to follow up this post with some additional scenarios and an HA deployment.
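For that last step, here is an added PowerCLI example (not from the original post) that grants the same AD group the same role at the inventory root of both Linked Mode vCenter servers and then verifies the result on each. The vCenter hostnames, the group name and the credential prompt are hypothetical; the cmdlets (Connect-VIServer, Get-Folder, Get-VIRole, Get-VIPermission, New-VIPermission) are standard PowerCLI. Because both SSO instances share the same identity source, the same DOMAIN\group principal resolves on both sites, so the permissions can be kept identical rather than hand-edited per vCenter. The example deliberately starts with the built-in ReadOnly role rather than Administrator; widen it to a custom role only as far as the operators actually need.

```powershell
# Added example: apply one AD-group permission consistently to every vCenter in a
# Linked Mode group and verify it. Hostnames, group and credential are assumptions.
$vCenters  = @('vc-site1.lab.local', 'vc-site2.lab.local')   # hypothetical vCenter names
$principal = 'LAB\vSphere-Operators'                         # hypothetical AD group from the shared identity source
$roleName  = 'ReadOnly'                                      # built-in role; start narrow, not Administrator

$cred     = Get-Credential -Message 'SSO account allowed to edit permissions'
$sessions = Connect-VIServer -Server $vCenters -Credential $cred

foreach ($vc in $sessions) {
    # Root folder of this vCenter's inventory; permissions set here propagate to everything below.
    $root = Get-Folder -NoRecursion -Server $vc
    $role = Get-VIRole -Name $roleName -Server $vc

    $existing = Get-VIPermission -Entity $root -Principal $principal -Server $vc -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate:$true -Server $vc | Out-Null
        Write-Host "[$($vc.Name)] granted '$roleName' to $principal at the inventory root"
    }
    else {
        Write-Host "[$($vc.Name)] $principal already holds '$($existing.Role)' at the inventory root"
    }
}

# Verification: the same principal/role pair should now be reported by every vCenter in the group.
foreach ($vc in $sessions) {
    $root = Get-Folder -NoRecursion -Server $vc
    Get-VIPermission -Entity $root -Principal $principal -Server $vc |
        Select-Object @{ n = 'vCenter'; e = { $vc.Name } }, Principal, Role, Propagate
}

Disconnect-VIServer -Server $sessions -Confirm:$false
```

The verification loop is the part worth keeping: with two independent SSO instances per site, a permission added on one vCenter only is easy to miss, and comparing the root-folder permissions across the group after each change catches the drift before someone in Site 2 finds they cannot see Site 1.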


8 thoughts on “vSphere 5.5 – SSO Multi-Site Deployment – Learning by Doing”

  • aditya

    Hey, I have a question. I am deploying vCenter in Linked Mode across two different domains having a two-way trust.
    I am confused about SSO deployment. Can I go ahead and deploy multi-site SSO across two domains?

    thanks in advance!!

  • laplanted24

    Good explanation. I have a question: I just upgraded from 5.1 to 5.5. I was wondering, with the new SSO (auto replication...) in 5.5, about the server configuration you did: the first option, and the third one on my second vCenter for multi-site.

    But I restarted my primary vCenter (with all components on) and I tried to log in to my second vCenter using AD credentials and it is not working!!

    Do any configurations need to be added in the SSO config in the Web Client?

    • Patrick Post author

      Hi

      Do you also have a local AD server which you added to your local SSO instance (on the second vCenter)?

      As I’ve never upgraded such a setup, maybe something went wrong under the hood. Probably you should consult VMware support?

      Patrick

  • lance

    Hi,
    We have 2 sites (site A & site B). Each site is a cluster of 6 hosts. Currently we only have one vCenter that manages both sites. It is a VM on site A. We want to add one more vCenter (a VM in site B) so that in case the vCenter in site A goes down, we would still be able to manage the hosts in site B. Which should I use?

    thanks in advance.
    Lance