I just updated my notes on upgrading the VMware vCenter Server Appliance from 5.1 to 5.5. I added a couple of things that have become issues:
Remove all non-standard users from SSO before the upgrade. If you added users to the 5.1 Single Sign-On system directly, those users will be copied to the 5.5 vCSA as members of SYSTEM-DOMAIN. Unfortunately they will then become trapped, undeletable and unchangeable, as VMware didn’t think to make SYSTEM-DOMAIN an editable domain. You can see them, and they can still log in, but you cannot remove them or change their passwords. Your only recourse is to remove the permissions for that user from vCenter, which still means they can log in, but they won’t have access to anything. There are bugs open on this, but, like all bugs filed with VMware, don’t expect a resolution soon.
Test Active Directory connectivity before the upgrade. vSphere 5.5 changes SSO, generally for the better, but it also means that things that worked under 5.1 may not work anymore. I have had some issues with AD configurations that worked previously and no longer do. It also appears that vSphere 5.5 cares more about certain AD attributes than previous versions did. For example, a user that was incorrectly set in AD as part of the wrong domain, [email protected] rather than [email protected], was able to log in but then got Inventory Service permission errors. Under 5.1 it worked correctly. Another oddity I noted: if SSO’s search path cannot see the Domain Users group, you cannot log in, and you see an error about a Group SID in the web client (and the SID it shows is that of Domain Users). It doesn’t seem to matter whether you actually use Domain Users in your permission model. It’s easy enough to deploy a vCSA to test AD with; make sure you do it ahead of the upgrade to avoid issues.
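As an added example (not from the original post or from VMware), the two AD conditions described above can be checked ahead of the upgrade from an LDIF export of the directory: users whose UPN suffix does not match the domain their account lives in, and a Domain Users group that sits outside the base DN SSO is configured to search. The LDIF below is constructed sample data; the function names and the search base DN are assumptions.

```python
"""Pre-upgrade AD sanity check (hypothetical helper, not VMware tooling)."""
import re

# Constructed sample export: two users and the Domain Users group (RID 513).
SAMPLE_LDIF = """\
dn: CN=alice,OU=Staff,DC=corp,DC=example,DC=com
objectClass: user
userPrincipalName: alice@corp.example.com

dn: CN=bob,OU=Staff,DC=corp,DC=example,DC=com
objectClass: user
userPrincipalName: bob@lab.example.com

dn: CN=Domain Users,CN=Users,DC=corp,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
"""

def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, each attribute a list."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def dn_domain(dn):
    """Build 'corp.example.com' from the DC= components of a DN."""
    return ".".join(m.lower() for m in re.findall(r"DC=([^,]+)", dn, re.I))

def mismatched_upns(entries):
    """UPNs whose @suffix differs from the domain the account lives in."""
    bad = []
    for e in entries:
        if "user" in e.get("objectClass", []):
            upn = e["userPrincipalName"][0]
            if upn.rsplit("@", 1)[1].lower() != dn_domain(e["dn"][0]):
                bad.append(upn)
    return bad

def domain_users_visible(entries, search_base_dn):
    """True if a group named Domain Users exists under the SSO search base."""
    for e in entries:
        dn = e["dn"][0].lower()
        if "group" in e.get("objectClass", []) and dn.startswith("cn=domain users,"):
            if dn.endswith(search_base_dn.lower()):
                return True
    return False
```

With the sample data, `mismatched_upns` flags bob (UPN in lab.example.com but account in corp.example.com), and `domain_users_visible` returns False if the search base is narrowed to OU=Staff, which is the case the post describes.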
Testing is a key part of upgrades, but once in a while we find out that our testing methods are incomplete. In this case I found out when I went to reset the password of what was a local account in SSO on one of the vCSAs. Likewise, I also realized that my test plan didn’t include actually testing AD authentication at all, so when I upgraded a couple of my environments to 5.5 I discovered a few issues — both mine and VMware QA — the hard way.
I ran into the non-standard users issue during my first upgrade attempt.
The big issue occurs when the username and email match AD or LDAP users, because SSO gets confused and then does not assign the proper permissions.
As you mentioned, remove those users before upgrading. The only non-standard user should be admin.