Experts,
I recently upgraded one of my vCenter servers from 4 to 5.1, after spending a lot of time trying to understand and test the unholy combination of SSO with Inventory service and vCenter. Talk about making it more complex....
Anyway, the upgrade was fine. I installed SSO as the first node of a multilinked config as I want to use linked vCenter servers for my different DCs. One funny side effect was me being locked out of vCenter after the upgrade. After some digging around, we found out it was due to my universal AD group not being recognized properly in SSO - or rather it was not allowing me to log in as I belong to an AD domain that is not the one where the server was installed. Funny enough, when my account from the other domain was added directly, I was able to reach my server. There is one universal group I'm part of that has admin rights - people in the domain that the server belongs to are also part of this group and they can log in just fine. People from other domains can only log in if added directly or if a group from domain is added.
Talking to VMware support, I got the impression that this kind of configuration is not supported under SSO and we would have to revert to using normal groups from each domain to manage our environment or add the administrators directly, as was done in my case.
Is that true? I couldn't find any documentation to support that, so now I don't know if I'll have to re-configure all my groups for admins or if I should keep on tinkering.
Any comments would be appreciated.