The installer for the vCenter / vSphere 5.1 Single Sign-On (SSO) service says it will detect a pre-installed SQL 2008 R2 Express install, but it has not been detecting it correctly for us. Maybe it is expecting a named instance of “SQLEXPRESS”, and we’re using Express as a default instance named “MSSQLSERVER”. Because it is not auto-detecting, we will need to pre-load the database table-spaces using VMware-provided scripts.
Several vSphere components maintain separate databases, each requiring different levels of permissions. Some of the most important:
- (RSA) Single Sign-On (SSO) needs its own database. It properly supports “least privilege”: “database owner” on the single database is sufficient for install and operation.
- Inventory service needs its own database. It needs more than database owner for install, which is not good for enforcing least privilege. Recommend isolating the VMware database server so that it contains only VMware-related databases (no other company or other application-related data). The easiest install is to use an sa-level account (system administrator, fully privileged). This does not enforce least privilege.
- vSphere Server service needs its own database. Same as the Inventory service, it needs more privileges than a standard database owner. Easiest to use an sa-level account and then isolate all VMware databases on a server without access to any other company data.
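
The permission split described above can be checked on the SQL Server instance after install. The following T-SQL is an added example, not part of the VMware-provided scripts; `SSO_DB_PLACEHOLDER` and `sso_login_placeholder` are placeholder names to replace with the database and login actually used.

```sql
-- Added example: audit the isolation and privilege points from the list above.
-- SSO_DB_PLACEHOLDER and sso_login_placeholder are placeholders, not VMware names.

-- 1. Isolation check: list every user database on the instance.
--    Anything that is not a VMware database breaks the isolation recommendation,
--    because an sa-level account can read it.
SELECT name, SUSER_SNAME(owner_sid) AS owner_login, create_date
FROM sys.databases
WHERE database_id > 4          -- skip master, tempdb, model, msdb
ORDER BY name;

-- 2. Who holds sysadmin on this instance. The Inventory service and vSphere
--    Server accounts may appear here if the sa-level install was used;
--    the SSO account should not.
SELECT p.name AS login_name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.name;

-- 3. Confirm the SSO login has no sysadmin membership (expect 0).
SELECT IS_SRVROLEMEMBER('sysadmin', N'sso_login_placeholder') AS sso_is_sysadmin;

-- 4. Inside the SSO database: list the members of db_owner.
--    The SSO account should be here, and this should be the only database
--    where it holds that role.
USE [SSO_DB_PLACEHOLDER];
SELECT m.name AS db_user, SUSER_SNAME(m.sid) AS login_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;
```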