Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
Search the VMware Knowledge Base (KB)   View by Article ID

After making a change or restarting vCenter Single Sign-On server system, vCenter Server 5.1.x fails to start (2036170)


  • After restarting the vCenter Single Sign-On (SSO) server system, vCenter Server 5.1.x fails to start and you are unable to log in to the vSphere Web Client.
  • Changes were made to the vCenter Single Sign-On Server, such as Windows updates, domain name changes, vSphere 5.1 patches were applied, or modifications were done to the vCenter Server such as dependency changes.
  • In the vpxd.log file (located at: C:\ProgramData\VMware\VMware VirtualCenter\Logs), you see entries similar to:
    • 2012-09-24 [04584 info 'authvpxdMoSessionManager'] [SSO][SessionManagerMo::Init] Downloading STS Root certificates ...
      2012-09-24 [04584 verbose '[SSO][SsoCertificateManagerImpl]'] [InitConfigManagementService]
      2012-09-24 [04584 verbose '[SSO][SsoCertificateManagerImpl]'] [CreateAdminSsoServiceContent] Connecting to SSO Admin server ...
      2012-09-24 [04584 trivia 'vmomi.soapStub[0]'] Sending soap request to [<cs p:000000000cdeaf40,>]: retrieveServiceContent {}
      2012-09-24 [04584 trivia 'HttpConnectionPool-000001'] [IncConnectionCount] Number of connections to <cs p:00000000cdeaf40,> incremented to 1
      2012-09-24 [04584 trivia 'HttpConnectionPool-000001'] [PopPendingConnection] Found pending connection to <cs p:00000000cdeaf40,>
      2012-09-24 [04584 trivia 'vmomi.soapStub[0]'] Request started [class Vmacore::Http::UserAgentImpl::AsyncSendRequestHelper:000000000DF7FA68]
      2012-09-24 [04280 trivia 'Default'] SSLStreamImpl::DoClientHandshake: verifyPeerName (, peerCertDigest (), unverifiedAction (fail)
      2012-09-24 [06108 info 'Default'] Thread attached
      2012-09-24 [04280 trivia 'vmomi.soapStub[0]'] Request completed [class Vmacore::Http::UserAgentImpl::AsyncSendRequestHelper:000000000DF7FA68]
      2012-09-24 [04584 trivia 'HttpConnectionPool-000001'] [DecConnectionCount] Number of connections to <cs p:00000000cdeaf40,> decremented to 0
      2012-09-24 [04584 error 'vpxdvpxdMain'] [Vpxd::ServerApp::Init] Init failed: Unexpected exception
      --> Backtrace:
      --> backtrace[00] rip 000000018018977a
      --> backtrace[01] rip 0000000180100c98
      --> backtrace[02] rip 0000000180101fae
      --> backtrace[03] rip 000000018008aeab
      --> backtrace[04] rip 0000000000564971
      --> backtrace[05] rip 0000000000501298
      --> backtrace[06] rip 00000000005016c9
      --> backtrace[07] rip 0000000000470fae
      --> backtrace[08] rip 0000000140d7bfb8
      --> backtrace[09] rip 000000013fc70078
      --> backtrace[10] rip 000000013fc7016a
      --> backtrace[11] rip 000000013fc70279
      --> backtrace[12] rip 000000013fc70609
      --> backtrace[13] rip 000000013ffb2903
      --> backtrace[14] rip 000000014075e4b9
      --> backtrace[15] rip 000000014075835c
      --> backtrace[16] rip 0000000140978a3b
      --> backtrace[17] rip 000007feff4fa82d
      --> backtrace[18] rip 000000007750652d
      --> backtrace[19] rip 000000007788c521

      2012-09-24T22:18 [04584 trivia 'VpxProfiler'] Ctr: TotalTime = 13353 ms

    • 2013-03-27 [01892 warning '[SSO][SsoCertificateManagerImpl]'] [CreateAdminSsoServiceContent] Max connection attempts (10) reached. Giving up ...
      2013-03-27 [01892 info '[SSO][CreateSsoFacade]'] [CreateUserDirectory] Probably connection exception: No connection could be made because the target machine actively refused it.
      2013-03-27 [01892 error '[SSO][SsoFactory_CreateFacade]'] Unable to create SSO facade: No connection could be made because the target machine actively refused it. .
      2013-03-27 [01892 warning 'VpxProfiler'] Vpxd::ServerApp::Init [Vpx::Common::Sso::SsoFactory_CreateFacade(sslContext, ssoFacadeConstPtr)] took 110250 ms
      2013-03-27 [01892 error 'vpxdvpxdMain'] [Vpxd::ServerApp::Init] Init failed: Vpx::Common::Sso::SsoFactory_CreateFacade(sslContext, ssoFacadeConstPtr)

  • In the discover-is.log file, located at C:\ProgramFiles\VMware\Infrastructure\SSOServer\utils\logs\, you see entries similar to:

    2012-09-24 -,,,,Executing action: 'discover-is'
    2012-09-24 -,,,,Discovering identity sources
    2012-09-24 -,,,,ERROR: Bean (PrimaryCommandTarget) initialization failure System was modified beyond the allowed threshold, cannot decrypt.
    com.rsa.common.SystemException: Bean (PrimaryCommandTarget) initialization failure System was modified beyond the allowed threshold, cannot decrypt.
    Caused by: com.rsa.ims.components.ComponentFailureException: Unable to load bean named PrimaryCommandTarget

  • In the imsTrace.log file, located at C:\ProgramFiles\VMware\Infrastructure\SSOServer\utils\logs\, you see the error:

    System was modified beyond the allowed threshold, cannot decrypt.
Note: You can run this command to see if error messages are still present in the discover-is.log file:
C:\Program Files\VMware\Infrastructure\SSOServer\utils>ssocli.cmd configure-riat -a discover-is -u admin -p masterPassword


Restarting the machine where SSO is installed may result in changes to the system.
When updates are applied to the operating system, the machine name changes, or the machine is added or removed from an Active Directory domain, these changes prevent the SSO server from starting and, as a result, vCenter Server does not start.
In addition, if you clone or change the parameters of a virtual machine where SSO is installed (such as the amount of RAM, the number of CPUs, or the MAC address) SSO fails to start.


To resolve this issue: 
  1. Click Start, right-click Command Prompt, and click Run as administrator to open a command prompt as an administrator.
  2. Set the Java home path by running this command:

    set JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre

    Note: The default location is C:\Program Files\VMware\Infrastructure\jre. Ensure that the command does not contain quotes around the path.

  3. In the system where SSO is installed, locate and navigate to the SSO server installation directory.The default location of this directory is C:\Program Files\VMware\Infrastructure\SSOServer\Utils.

  4.  Run this command:

    rsautil manage-secrets -a recover -m <masterPassword>

    • Fill in the master password for the environment in place of <masterPassword> in the preceding command.
    • This command recovers and updates the masterPassword (admin@system-domain)

  5. Restart the SSO service.
  6. Restart the VMware VirtualCenter Server service. 

Additional Information

To be alerted when this article is updated, click Subscribe to Document in the Actions box.

See Also

Update History

10/05/2012 - Added new step 2 in resolution. 11/15/2012 - Added additional symptom

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 49 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 49 Ratings