The vmware-stsd service fails to start due to multiple machine accounts with the same sAMAccountName



Article ID: 326207




VMware vCenter Server


- After changing the Primary Network Identifier (PNID), the vmware-stsd service fails to start.
- The /var/log/vmware/sso/vmware-identity-sts.log has entries similar to the following (where is the hostname of the vCenter Server):
2021-09-01T15:50:22.548Z ERROR sts[77:tomcat-http--30] [CorId=986489b6-5756-4461-9fff-59fdc3dfb77a] [com.vmware.identity.idm.server.IdentityManager] Failed to get attributes for principal [[email protected]] in tenant [vsphere.local]
2021-09-01T15:50:22.548Z ERROR sts[77:tomcat-http--30] [CorId=986489b6-5756-4461-9fff-59fdc3dfb77a] [com.vmware.identity.idm.server.ServerUtils] Exception 'java.lang.IllegalStateException:
Internal error : duplicate entries were found'
java.lang.IllegalStateException: Internal error : duplicate entries were found


VMware vCenter Server 7.0.x


This occurs when the original machine account entry in VMware Directory (vmdir) is not removed during a PNID change, leaving more than one machine account with the same value for the sAMAccountName attribute. When the STS looks up the principal, the search returns more than one entry and fails with the "duplicate entries were found" error shown above.


Remove the machine account with the old DN from ou=Domain Controllers,dc=vsphere,dc=local, and also check whether entries for the old name remain under cn=Servers,cn=[Site Name],cn=Sites,cn=Configuration,dc=vsphere,dc=local.

Using jXplorer

Refer to (Steps 1-2 to configure the connection) to connect to the vCenter Server with jXplorer. Expand the Domain Controllers OU and check whether there is an entry for the old PNID of the vCenter Server. To compare attributes, select each entry and open the Table Editor tab in the main window to view its attributes. If two entries have the same sAMAccountName value, the vmware-stsd service fails to start.

To remove the old entry, select it, right-click, and choose Delete.

There may also be entries under Sites > [Site Name] > Servers that refer to the old vCenter Server PNID; these can be deleted as well (the Replication Agreements container and any ldapuri:// child entries must be removed first, because LDAP does not delete a non-leaf entry).

Using the Command Line

You can list the machine account entries with the following command, which prompts for the SSO administrator password:
# SSO_DOMAIN_DN="dc=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost | sed -e 's/\./,dc=/g')"; ldapsearch -LLL -h localhost -b "ou=Domain Controllers,$SSO_DOMAIN_DN" -D "cn=administrator,cn=users,$SSO_DOMAIN_DN" sAMAccountName -W

Enter LDAP Password:
dn: ou=Domain Controllers,dc=vsphere,dc=local

dn: cn=,ou=Domain Controllers,dc=vsphere,dc=local

dn:,ou=Domain Controllers,dc=vsphere,dc=local

Here we see there are two accounts with the same sAMAccountName. Assuming the current PNID is, we can remove the other entry with:
# ldapdelete -h localhost -D "cn=administrator,cn=users,$SSO_DOMAIN_DN" -W "cn=,ou=Domain Controllers,dc=vsphere,dc=local"
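The listing and clean-up steps above, as an added shell example that is not part of this article or of VMware's tooling: it parses the ldapsearch LDIF output, groups machine accounts by sAMAccountName, looks up the current PNID with vmafd-cli get-pnid, and prints the ldapdelete command for each stale duplicate instead of running it, so the DN can be checked before anything is removed. It also refuses to act on a duplicate set in which no entry matches the current PNID. The hostnames in the embedded sample LDIF (vcsa01.old.example.com, vcsa01.new.example.com, psc01.example.com) are constructed for the demonstration.

```bash
#!/bin/bash
# Added example, not VMware code: find machine accounts in
# ou=Domain Controllers that share a sAMAccountName and print the
# stale entries (those whose cn is not the current PNID).
set -u

# Parse LDIF (ldapsearch -LLL output) on stdin and emit one line per entry:
# "<dn><TAB><sAMAccountName>". Entries without sAMAccountName (such as the OU
# itself) are skipped. Folded lines (leading space) are joined; attribute names
# are matched case-insensitively; base64 values ("attr:: ...") are passed through undecoded.
ldif_to_tsv() {
    awk '
        BEGIN { RS = ""; FS = "\n" }          # blank line separates entries
        function emit(l,   k, v) {
            if (l ~ /^#/) return
            k = l; sub(/:.*/, "", k)
            v = l; sub(/^[^:]*::? */, "", v)
            if (tolower(k) == "dn") dn = v
            else if (tolower(k) == "samaccountname") sam = v
        }
        {
            dn = ""; sam = ""; line = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ /) { line = line substr($i, 2); continue }   # continuation
                if (line != "") emit(line)
                line = $i
            }
            if (line != "") emit(line)
            if (dn != "" && sam != "") print dn "\t" sam
        }'
}

# Read the TSV from ldif_to_tsv and print the DNs that should be deleted:
# entries whose sAMAccountName occurs more than once and whose cn is not the
# current PNID ($1). If a duplicated sAMAccountName has no entry matching the
# PNID, nothing is printed for it and a warning goes to stderr.
stale_machine_accounts() {
    local pnid="$1"
    awk -F '\t' -v pnid="$pnid" '
        function cn_of(d,   c) { c = d; sub(/^[cC][nN]=/, "", c); sub(/,.*/, "", c); return c }
        {
            n++; dn[n] = $1; sam[n] = tolower($2); count[sam[n]]++
            if (tolower(cn_of($1)) == tolower(pnid)) current[sam[n]] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                if (count[sam[i]] < 2) continue
                if (!(sam[i] in current)) { warn[sam[i]] = 1; continue }
                if (tolower(cn_of(dn[i])) != tolower(pnid)) print dn[i]
            }
            for (s in warn)
                print "warning: sAMAccountName " s " is duplicated but no entry has cn=" pnid "; resolve manually" > "/dev/stderr"
        }'
}

# Constructed sample output (hypothetical hostnames) for an offline dry run:
# a PNID change from vcsa01.old.example.com to vcsa01.new.example.com left both
# accounts with sAMAccountName vcsa01. The psc01 DN is folded to exercise continuation handling.
sample_ldif() {
    cat <<'EOF'
dn: ou=Domain Controllers,dc=vsphere,dc=local

dn: cn=vcsa01.old.example.com,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa01

dn: cn=vcsa01.new.example.com,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa01

dn: cn=psc01.example.com,ou=Domain Controllers,dc=vsphere,
 dc=local
sAMAccountName: psc01
EOF
}

# Live run on a vCenter Server appliance: prints, but does not execute, the
# ldapdelete command for each stale entry.
main() {
    local domain_dn pnid
    domain_dn="dc=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost | sed -e 's/\./,dc=/g')"
    pnid="$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)"
    ldapsearch -LLL -h localhost -b "ou=Domain Controllers,$domain_dn" \
        -D "cn=administrator,cn=users,$domain_dn" -W "(objectClass=*)" sAMAccountName \
      | ldif_to_tsv | stale_machine_accounts "$pnid" \
      | while IFS= read -r dn; do
            printf 'stale machine account: %s\n' "$dn"
            printf 'ldapdelete -h localhost -D "cn=administrator,cn=users,%s" -W "%s"\n' "$domain_dn" "$dn"
        done
}

if [ "${1:-}" = "--run" ]; then
    main
else
    sample_ldif | ldif_to_tsv | stale_machine_accounts vcsa01.new.example.com
fi
```

Without arguments the script runs against the embedded sample and prints only cn=vcsa01.old.example.com,ou=Domain Controllers,dc=vsphere,dc=local; with --run it queries the local vmdir. Take the offline snapshots noted below before executing any printed ldapdelete.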

Additional Information

As with any operation that modifies the VMware Directory instance, take offline snapshots of all vCenter Servers in the SSO domain before proceeding, because the deletion replicates to every partner and cannot be undone from a single node.