vCenter Single Sign-On does not auto-discover trusted domains if domains are added manually

Article ID: 308439

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

This article provides information on troubleshooting auto-discovery issues in vSphere 5.1. vSphere 5.5 with vCenter Single Sign-On 5.5 does not include the auto-discovery feature.


Symptoms:
  • Trusted domains are not auto-discovered by vCenter Single Sign-On (SSO) when domains are manually added
  • Auto-discover is not adding trusted domains automatically
  • After installation, SSO does not automatically discover trusted domains


Environment

VMware vCenter Server 5.1.x
VMware vSphere ESXi 5.1

Cause

Resolution

The auto-discovery option is used during vCenter Single Sign-On (SSO) installation on a machine that is joined to the domain. However, trusted domains may not be auto-discovered if domains are manually added after the SSO installation.

To troubleshoot auto-discovery issues:
  1. Run the ssocli utility (located at %ProgramFiles%\VMware\Infrastructure\SSOServer\utils\) from the command prompt to populate the discover-is.log file.
  2. Investigate the discover-is.log file (in verbose mode) to determine the root cause of the issue.
You can use this command to mimic auto-discovery after installation:

ssocli configure-riat --verbose -a discover-is -u admin -p password

Notes:
  • The discover-is.log file is located at %ProgramFiles%\VMware\Infrastructure\SSOServer\utils\logs\.
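  • You can also use this command to discover identity sources in test mode.
  • Use the --simulate option to prevent changes from being made to existing identity sources.
  • If you omit the -p option, ssocli prompts for the super administrator password, as in the example below. This keeps the password out of the command line.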

Example:

Run this command at the command prompt:

C:\Program Files\VMware\Infrastructure\SSOServer\utils> ssocli configure-riat -a discover-is --simulate -u admin
Enter super administrator password: **********


You see output similar to:

Executing action: 'discover-is'

Discovering identity sources
Retrieving current identity sources and comparing with discovered
Simulation mode. Existing identity source will not be modified. The following
identity sources will be added if this utility is not running in simulation mode:

Successfully executed action: 'discover-is'


Note: If you add a domain as an identity source to SSO from the vSphere Web Client after installation, the trusted domains are not discovered. Auto-discover must be run again as it is not constantly running in the background looking for changes. Running auto-discover in test mode lists the identity sources that would be added and the ones that would be skipped because of connectivity problems. Running auto-discover in normal mode generates the same output, but also adds the newly discovered identity sources to the system.

In vCenter Server Appliance 5.1, a trusted domain is not added automatically when an identity source is manually configured. In this case, you must manually add the trusted domains as well, or run auto-discover as outlined above to launch the auto detect scripts.

Additional Information

For more information on trusted domains, see these Microsoft TechNet articles:
Note: The preceding links were correct as of June 7, 2013. If you find a link is broken, provide feedback and a VMware employee will update the link.

vCenter Single Sign-On installer reports the error: Error 29155.Identity source discovery error