Caution: Custom “vsphere.local” domains

I’m not a fan of using a custom SSO Domain name. There’s little to no reason for changing from “vsphere.local”. The ability to customise the SSO Domain name was introduced in vSphere 6.0.

Unless you have an iron-clad reason to change it, don’t.

One reason against using a custom SSO Domain name is interoperability because vRealize Automation 6.x and 7.x requires and expects the SSO Domain to be “vsphere.local”.

Another reason I came across, only recently, is an issue with case-sensitivity in the VMware Identity Management Service (IDM).

If you have any uppercase character in your SSO Domain Name then you will hit an issue that will eventually result in login failure that will require a reboot of your PSC.

Apart from login failures, the issue will manifest itself in the form of tons and tons of connections to localhost:ldap eventually leading to port exhaustion.

For example, even in a clean environment without any activity I have over 10,000 localhost:ldap TIME_WAIT connections reported when my SSO Domain is called “UPPERCASE.local”

vcsa:~ # netstat | grep "localhost:ldap" | grep TIME_WAIT | wc -l

The bad part is, if you are hitting this, you’ll have to live with it for the time being. There’s no workaround apart from rebooting the PSC(s) in the SSO Domain. There’s no way to change the SSO Domain name. There’s no way to repoint vCenter(s) to a new SSO Domain in vSphere 6.0.

VMware Engineering are aware and will resolve this in a future release of vSphere 6.0


2 thoughts on “Caution: Custom “vsphere.local” domains”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: