Monday, September 07, 2009

Yup, vSphere4 has the VI3 bug (well it's probably categorised as a known issue)

I've just proven the case by creating a new domain account that has a horribly simple password. The Guided Consolidation install worked perfectly with a simple password on the domain account. Now to experiment and find which occurrence (the credentials have to be entered in two different locations - one for accessing the domain, and one for updating the local computer).

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003096 refers here, but only references VI3.4 and below - even though the KB was last updated only a few weeks ago.

Actually, judging by the article, both credentials (local machine use, and domain use) have to be simple. However I reckon that just the domain "access user machines" account is all that's needed here, so trying that right now. Left the local machine upgrade to be a properly secure passworded account. Nope, got that wrong, the local machine extension process needs a simple password too.

This does really stink though. Essentially what VMware want you to do is create domain credentials that will enable the service to connect to machines on your network with Domain Admin rights (or more properly speaking - local admin rights on the network computers being consolidated). And it's got a simple (well, not properly complex) password.

Will this stop me recommending VMware - of course not.
Does it annoy me? Yup.
Does it lower my respect for VMware's regard for security? Yes - quite a bit. If it was a known issue in VI3, then it really should have been fixed in 4, or a clear reason why not posted on the KB article.

Peter

PS: if you experience this issue and then roll back the install as Guided Consolidator insists - it does NOT roll back the vCenter Collector Service install. When you come to install again, the ports 8081 (VMware vCenter Collector Service Port) and 8082 (VMware vCenter Collector Provider Service Port) are already registered, so it requests you to select 2 new ports. Recommendation - uninstall the Collector service and then all shall be well.
