In high availability mode, two nodes work with the same database, data, and user stores to ensure that vCenter Single Sign-On is not a single point of failure.

You can upgrade vCenter Single Sign-On in a high availability installation without taking all vCenter Single Sign-On nodes offline at the same time. While the first Single Sign-On node is being upgraded, the load balancer will redirect all requests to the second node. After the first node is successfully upgraded, you can upgrade the second node.

vCenter Server can continue running while you upgrade vCenter Single Sign-On. Logged-in users can continue accessing vCenter Server and related solutions that are connected to vCenter Single Sign-On during the upgrade. However, vCenter Server, the vSphere Web Client, and vCenter Inventory Service cannot be started while the first Single Sign-On node is offline.

Note

When configured for high availability, vCenter Single Sign-On cannot authenticate local OS Windows users. However, it can authenticate Active Domain users.

Review Prerequisites for the vCenter Server Upgrade.

1. Configuring vCenter Single Sign-On for high availability requires two machines. One machine acts as the primary node, and the other as the backup node. When configured for high availability, both nodes work with the same database, use the same data, and have the same user stores.

2. Create or upgrade the first node in a vCenter Single Sign-On installation for high availability.

3. Create or upgrade an additional vCenter Single Sign-On node for an existing high availability vCenter Single Sign-On installation.

4. You can configure any SSL-aware load balancer (physical or virtual) to act as load balancing software with Single Sign-On, increasing availability.

5. Configure the load balancing software. Because Single Sign-On sends and receives sensitive information, configure the load balancing software for SSL.

6. When you configure Single Sign-On for high availability, update the Lookup Service records to ensure that the load balancer can connect to the Single Sign-On nodes.