vCenter Single Sign On 5.1 troubleshooting hints

vCenter Single Sign On (SSO) is a critical additional component in the vSphere Suite, introduced with vSphere 5.1.

SSO allows various vSphere Software components to communicate with each other through a secure token exchange mechanism, instead of requiring each component to authenticate a user separately with a directory service like Active Directory. (Source: vSphere 5.1 Documentation Center)

Troubleshooting SSO issues can be tricky – so maybe the following hints can help you.

Note: this information is only valid for vSphere 5.1 SSO!!!!

Important Log files:

On your Windows server where SSO is installed:

Path: C:\Program Files\VMware\Infrastructure\SSOServer\logs

Log files:

  • imsTrace.log
  • imsSystem.log
  • config.txt
  • discover-is.log

On your vCenter Server:

Path: C:\ProgramData\VMware\VMware VirtualCenter\Logs

Log files:

  • vpxd.log

Symptoms:

vCenter Single Sign On does not start or fails:

Source: KB 2034517

  • Make sure that the SSO database was available when the SSO service was started – try to restart the SSO service manually
  • Validate the network connection to the database server – try to ping the database server
  • Validate that the database login and passwords have not expired or changed. You can check the current database login details on your Windows server where SSO is installed using the following command: C:\Program Files\VMware\Infrastructure\SSOServer\utils\ssocli manage-secrets -a listallkeys (Note: this command will prompt you for the master password!)
  • Check the SSO logs for error messages (log file paths/names are mentioned above)

“System was modified” error messages in the following logs/Login not possible:

Source: KB 2036170

vpxd.log:

Unable to create SSO facade: No connection could be made because the target machine actively refused it.

discover-is.log:

ERROR: Bean (PrimaryCommandTarget) initialization failure

System was modified beyond the allowed threshold, cannot decrypt.

imsTrace.log:

System was modified beyond the allowed threshold, cannot decrypt.

Cause: Changes happened to the virtual machine where SSO is installed, for example:

  • updates of the operating system
  • machine name changes
  • machine removed or added from an Active Directory Domain
  • machine was cloned
  • changed amount of RAM or number of CPUs
  • changed the MAC address

Resolution:

  • Check if the JAVA_HOME path is set correctly: JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre
  • Run the following command to recover and update the master password (admin@system-domain):

Path: C:\Program Files\VMware\Infrastructure\SSOServer\utils\

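Command: rsautil manage-secrets -a recover -m <masterPassword>

Note: unlike the other commands on this page, which prompt for the master password, this one takes it as a command-line argument, so it is visible in the console window and history, and in process command-line auditing where that is enabled.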

  • Restart the SSO service and the VMware Virtual Center Server Service
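To check copies of the three logs for the error strings quoted above before running the recovery, a small triage script can help. This is an added example, not part of the original post or a VMware tool; the sample log lines (timestamps and prefixes) are constructed, and treating a refused connection without the decrypt error as the KB 2034517 case is an assumption.

```python
import re
import sys
from pathlib import Path

# Error strings quoted on this page, keyed by the log file they are listed under.
DECRYPT = r"System was modified beyond the allowed threshold, cannot decrypt"
SIGNATURES = {
    "vpxd.log": [r"Unable to create SSO facade: .*actively refused it"],
    "discover-is.log": [r"Bean \(PrimaryCommandTarget\) initialization failure", DECRYPT],
    "imsTrace.log": [DECRYPT],
}

def scan(logs):
    """logs maps a log file name to its lines; returns (file, line number, match) tuples."""
    hits = []
    for name, lines in logs.items():
        for number, line in enumerate(lines, 1):
            for pattern in SIGNATURES.get(name, []):
                found = re.search(pattern, line)
                if found:
                    hits.append((name, number, found.group(0)))
    return hits

def diagnose(hits):
    """Point to the section of this page that matches the hits."""
    if any(re.search(DECRYPT, text) for _, _, text in hits):
        return "KB 2036170: recover the master password, then restart the SSO and vCenter services"
    if any(name == "vpxd.log" for name, _, _ in hits):
        # Assumption: a refused connection without the decrypt error means SSO is simply down.
        return "KB 2034517: SSO not reachable, check the service, the database and its login"
    return "no signature from this page found"

# Constructed sample lines; the timestamps and prefixes are illustrative, not real log output.
SAMPLE = {
    "vpxd.log": [
        "2013-02-11T09:14:02 info Starting VMware VirtualCenter",
        "2013-02-11T09:14:07 error Unable to create SSO facade: No connection could be "
        "made because the target machine actively refused it.",
    ],
    "imsTrace.log": [
        "2013-02-11 09:13:55 ERROR System was modified beyond the allowed threshold, cannot decrypt.",
    ],
}

if __name__ == "__main__":
    # With file arguments, read copies of the logs; without, run on the sample.
    logs = {Path(p).name: Path(p).read_text(errors="replace").splitlines() for p in sys.argv[1:]}
    hits = scan(logs or SAMPLE)
    for name, number, text in hits:
        print(f"{name}:{number}: {text}")
    print(diagnose(hits))
```

Pass the paths of the copied vpxd.log, discover-is.log and imsTrace.log as arguments; the file names must be unchanged, because the signatures are matched per file.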

When you try to login to your vSphere Web Client 5.1 the login fails with one or more of these errors:

User Account is locked:

  • Unlock the account by using the SSO Administrator or the Active Directory administrator
  • Wait till the account is unlocked – default timeout with vCenter SSO is 15 minutes
  • If there is no admin available and/or you cannot wait, try to reset the administrator password manually from the command line:

.) Login as an administrator to your vCenter SSO Server and run the following command:

Path: C:\Program Files\VMware\Infrastructure\SSOServer\utils\

Command: rsautil reset-admin-password (Note: the command will prompt for the master password)

.) Then enter the name of the SSO administrator you want to reset (eg: admin)

.) Enter the new password for the user and confirm it a second time

Failed to communicate with the vCenter SSO Server:

  • validate if the SSO Server is available using the ping command
  • check if the vCenter SSO Service is running. If necessary restart the service

2 Comments

  1. The Browser

    There is no point of installing SSO 5.1 anymore, you might as well go straight to SSO 5.5

  2. Andreas Lesslhumer (Post author)

    Go straight to SSO 5.5, yes. But only if all your products (eg. Backup,…) are supporting vSphere 5.5… So there is still a need for SSO 5.1
