Troubleshooting the configuration of vCenter Single Sign On within the vCenter Server 5.1 Appliance

Article ID: 315319


Products

VMware vCenter Server

Issue/Introduction

This article provides steps to troubleshoot issues while configuring vCenter Single Sign On on the vCenter Server Appliance. It helps you to eliminate common causes for the problem by verifying the scope of the problem as well as configuration and database related problems that could cause an issue.


Symptoms:
  • Cannot configure the vCenter Server Appliance.
  • Configuring the vCenter Server Appliance fails.
  • You see one of these errors:
    • An unexpected error has occurred during the database operation. Please double check the database configuration.
    • Invalid database user or administrator name or password.
    • Failed to authenticate the SSO administrator user
    • The user or group supplied for default vCenter administrator does not exist
    • Possible duplicate registration of a service with SSO detected.
    • Failed to connect to VMware lookup service https://servername:7444/lookupservice/sdk - SSL certificate verification failed
    • Failed to communicate with the vCenter Single Sign On Server http://servername:7444/ims/STSService


Environment

VMware vCenter Server Appliance 5.1.x

Resolution

Validate that each troubleshooting step below is true for your environment. Each step will provide instructions or a link to a document, in order to eliminate possible causes and take corrective action as necessary. The steps are ordered in the most appropriate sequence to isolate the issue and identify the proper resolution. Do not skip a step.
  1. If you encounter errors while configuring an external database, perform these steps:
     
    1. Validate the configuration of the database server being used for SSO. For more information, see the Required Information for Installing or Upgrading vCenter Single Sign On, Inventory Service, and vCenter Server section of the vSphere Installation and Setup Guide.
    2. Validate the database connectivity, including username, password, and server details used to connect to the SSO database server. This can be done by resetting the password (per the appropriate database vendor steps) to a known value and then attempting the configuration again. To reconfigure and test the database connection, see Configuring vCenter Single Sign On connectivity with the vCenter Server Appliance (2033829).
    3. Log in to the vCenter Server Appliance and review the /var/log/vmware/sso/utils/sso_servicecfg.log file for more information about the error.
       
  2. If you encounter errors while configuring an external SSO server, perform these steps:
     
    1. If you have had this server attached to the SSO server before with the same IP, validate that the application users that were created do not still exist. Users are not automatically deleted.

      To remove the previous users:

       
      1. Log in to the vSphere Web Client as an SSO administrator and navigate to Administration > SSO Users and Groups.
      2. Click Application Users.
      3. Check for user names and descriptions that are associated with the appliance you are trying to attach. These users have the IP of the appliance in the name or description.
         
    2. Validate the user that is being used in the Account with right to register vCenter with the SSO server field. This user must be a user with SSO administrative privileges. By default, this is either admin@system-domain (with the password selected during installation of SSO) if the server is running on a Windows system, or root if you are configuring to point to another vCenter Server Appliance system. If one account is failing, try to configure another user and attempt to register with this user. For more information, see Configuring vCenter Single Sign On connectivity with the vCenter Server Appliance (2033829).
    3. If you are using a group, such as the built-in Administrators group in Windows, try using a user instead of the group in the configuration and then try to log in with this user. If this works, check the /var/log/vmware/sso/utils/sso_servicecfg.log for more troubleshooting information.
    4. Try qualifying the user name. The Account with permissions to register vCenter Server with the SSO server field only takes email-style qualifications, for example, user@domain or root@localos. This ensures that an incorrect account is not used and allows the sign-in to proceed with the proper qualification. For more information on the default users and qualifications, see Understanding and troubleshooting vCenter Single Sign On users, groups and login qualifications (2033875).
    5. Validate whether the account is locked or disabled by logging in as an SSO admin user. By default this is admin@system-domain or root. This user account can unlock/enable the user. The default timeout for an account to be unlocked automatically is 15 minutes. For more information on validating the account status or to change the SSO password or lockout policies, see Configuring and troubleshooting vCenter Single Sign On password and lockout policies for accounts (2033823).
    6. Log in to the vCenter Server Appliance and check the /var/log/vmware/sso/utils/sso_servicecfg.log file for more troubleshooting information.
       
  3. If you encounter an issue while enabling active directory authentication, perform these steps:
     
    1. Check if the Active Directory instance was automatically discovered by SSO.

      To check if the Active Directory instance was automatically discovered by SSO:

       
      1. Log in to the vSphere Web Client as an SSO administrator.
      2. Navigate to Administration > Sign-on and Discovery > Configuration.
      3. Click the Identity Sources tab and review the list for the instance in question.
         
    2. If the Active Directory instance is not automatically discovered:
       
      1. Check the time difference between the vCenter Server Appliance and the Active Directory domain controllers. If the time is off by more than 5 minutes, Kerberos authentication fails and, therefore, automatic discovery fails.
      2. Verify that each domain controller has a properly configured PTR record in DNS and ensure that the contents of the PTR record are accurate. To check this from the vCenter Server Appliance shell, use the dig command:

        # dig my-controller.my-ad.com
        ...
        ;; ANSWER SECTION:
        my-controller.my-ad.com (...) IN A <controller IP address>
        ...
        # dig -x <controller IP address>
        ...
        ;; ANSWER SECTION:
        <IP-in-reverse>.in-addr.arpa. (...) IN PTR my-controller.my-ad.com
        ...

         
      3. If the domain controllers have SSL enabled, verify that the SSL certificate is still valid.
      4. Restart the vCenter Server Appliance and try the configuration again.
      5. If you are using an External vCenter SSO Source, try restarting the source and try the configuration again.
      6. Log in to the vCenter Server Appliance and review the /var/log/vmware/vpx/sso_cfg.log file for more troubleshooting information.
         
    3. Try adding the identity source manually to see if you are able to add a source that is not automatically discovered. For more information, see the Add a vCenter Single Sign On Identity Source section of the vSphere Security Guide.

      Note: You cannot use the Use Windows session authentication feature if you add the identity source manually.

       
    4. Try qualifying the user name. The Account with permissions to register vCenter Server with the SSO server field only takes email-style qualifications, for example, user@domain or root@localos. This ensures that an incorrect account is not used and allows the sign-in to proceed with the proper qualification. For more information on the default users and qualifications, see Understanding and troubleshooting vCenter Single Sign On users, groups and login qualifications (2033875).
    5. Log in to the vCenter Server Appliance and review the /var/log/vmware/sso/utils/sso_servicecfg.log and the /var/log/vmware/vpx/sso_cfg.log files for more troubleshooting information.
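The two prerequisites checked in steps 3.2.1 and 3.2.2 (clock skew within the Kerberos tolerance, and a PTR record for each domain controller that names the controller) can be verified mechanically. The script below is an added example written for this article and is not VMware code: it parses the ANSWER SECTION of dig output, confirms that the reverse record of every A address points back at the controller's name, and applies the 5-minute skew limit. The controller name, addresses and dig output are constructed so it runs offline; the live_dig helper that calls the real dig binary on the appliance is an assumption and is not exercised by the sample run.

```python
#!/usr/bin/env python3
"""Offline checks for AD auto-discovery prerequisites (steps 3.2.1 and 3.2.2).
Added example, not VMware code; all names, addresses and dig output are constructed."""
import subprocess

# Kerberos tolerance quoted in the article: more than 5 minutes of skew breaks discovery.
MAX_KERBEROS_SKEW_SECONDS = 5 * 60


def parse_answer_section(dig_output):
    """Return (owner, rtype, rdata) triples from the ';; ANSWER SECTION:' of dig output.
    Owner names and rdata are lower-cased with the trailing dot removed."""
    records = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line or line.startswith(";;"):
            break  # blank line or next ';;' header ends the answer section
        fields = line.split()  # owner  TTL  IN  TYPE  RDATA
        if len(fields) >= 5 and fields[2] == "IN":
            records.append((fields[0].rstrip(".").lower(), fields[3],
                            fields[4].rstrip(".").lower()))
    return records


def reverse_name(ip):
    """10.0.0.5 -> 5.0.0.10.in-addr.arpa, the owner name that dig -x queries."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def check_controller(fqdn, forward_output, reverse_outputs):
    """Compare a domain controller's A records with the PTR record of each address.

    forward_output: text of `dig <fqdn>`; reverse_outputs: {ip: text of `dig -x <ip>`}.
    Returns a list of problem strings; an empty list means forward and reverse agree."""
    fqdn = fqdn.rstrip(".").lower()
    problems = []
    ips = [rdata for owner, rtype, rdata in parse_answer_section(forward_output)
           if rtype == "A" and owner == fqdn]
    if not ips:
        return [f"no A record for {fqdn}"]
    for ip in ips:
        output = reverse_outputs.get(ip)
        if output is None:
            problems.append(f"no reverse lookup result for {ip}")
            continue
        ptrs = [rdata for owner, rtype, rdata in parse_answer_section(output)
                if rtype == "PTR" and owner == reverse_name(ip)]
        if not ptrs:
            problems.append(f"no PTR record for {ip}")
        elif fqdn not in ptrs:
            problems.append(f"PTR for {ip} names {', '.join(ptrs)} instead of {fqdn}")
    return problems


def kerberos_skew_ok(appliance_epoch, dc_epoch, tolerance=MAX_KERBEROS_SKEW_SECONDS):
    """True when two clock readings (seconds since the epoch) are within the Kerberos tolerance."""
    return abs(appliance_epoch - dc_epoch) <= tolerance


def live_dig(*args):
    """Run the real dig binary on the appliance (assumed helper; unused by the offline sample)."""
    return subprocess.run(["dig", *args], capture_output=True, text=True, check=True).stdout


# Constructed sample output in dig's format; not captured from a real system.
FORWARD_OK = """;; ANSWER SECTION:
my-controller.my-ad.com.\t3600\tIN\tA\t10.0.0.5

;; Query time: 1 msec
"""
REVERSE_OK = """;; ANSWER SECTION:
5.0.0.10.in-addr.arpa.\t3600\tIN\tPTR\tmy-controller.my-ad.com.

;; Query time: 1 msec
"""
# Stale reverse zone: the address was re-used but the PTR still names the old host.
REVERSE_STALE = """;; ANSWER SECTION:
5.0.0.10.in-addr.arpa.\t3600\tIN\tPTR\told-dc.my-ad.com.
"""

if __name__ == "__main__":
    ok = check_controller("my-controller.my-ad.com", FORWARD_OK, {"10.0.0.5": REVERSE_OK})
    stale = check_controller("my-controller.my-ad.com", FORWARD_OK, {"10.0.0.5": REVERSE_STALE})
    print("consistent DNS:", ok or "no problems")
    print("stale PTR:", stale)
    print("6 minutes of skew acceptable:", kerberos_skew_ok(1_700_000_000, 1_700_000_360))
```

On a real appliance, replace the constructed strings with live_dig("my-controller.my-ad.com") and live_dig("-x", ip), and feed kerberos_skew_ok the appliance clock and the domain controller's clock read by whatever time query you already trust; a stale PTR or a skew beyond five minutes is exactly the condition the article says causes discovery to fail.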

Note: If your problem still exists after trying the steps in this article:


Additional Information

For more information, see:
  • Location of Single Sign On log files for vCenter Server 5.1 (2033430)
  • How to file a Support Request in Customer Connect
  • Location of vCenter Single Sign-On log files for vCenter Server 5.1 and 5.5
  • Resolution for the error: The vCenter Single Sign-On server failed to connect to or failed to authenticate to the service at the specified URL
