If the Single Sign On installer shows an error stating that autodiscovery has failed, perform the following steps to correct the problem.
Even if autodiscovery fails, you can add the same Active Directory domain through Single Sign On in the Web Client later.
If the Single Sign On installation fails completely, perform the following steps to correct the problem.
Regardless of the cause, the vCenter Server and Web Client installers might indicate the following error:
Could not contact Lookup Service. Please check VM_ssoreg.log....
Message | Cause and Solution |
java.net.ConnectException: Connection timed out: connect | Indicates that the provided IP address is incorrect, a firewall is blocking access to Single Sign On, or Single Sign On is overloaded. Ensure that the Single Sign On port (by default 7444) is not blocked by a firewall, and that the machine on which Single Sign On is installed has adequate free CPU, I/O, and RAM capacity. |
java.net.ConnectException: Connection refused: connect | Indicates that the provided IP address or FQDN is incorrect and that Single Sign On has not started or has started within the past minute. Verify that Single Sign On is working by checking the status of the vCenter Single Sign On service (Windows) and the vmware-sso daemon (Linux). Restart the service. If this does not correct the problem, see the Recovery section of the vSphere Troubleshooting Guide. |
Unexpected status code: 404. SSO Server failed during initialization | Restart Single Sign On. If this does not correct the problem, see the recovery section of the troubleshooting guide. |
The error shown in the UI begins with Could not connect to vCenter Single Sign-on. | You also see the return code SslHandshakeFailed. This is an extremely uncommon error. It indicates that the provided IP address or FQDN that resolves to the Single Sign On host was not the one used when installing Single Sign On. In %TEMP%\VM_ssoreg.log, locate the line containing hostname in certificate didn't match: <install-configured FQDN or IP> != <A> or <B> or <C> where A was the FQDN entered when Single Sign On was installed, and B and C are system-generated allowable alternatives. Correct the configuration to use the FQDN on the right of the != sign in the log file. In most cases, use the FQDN specified during Single Sign On installation. If none of the alternatives are possible in your network configuration, recover your Single Sign On SSL configuration. |
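
The table above can be applied to VM_ssoreg.log mechanically. The following is an added example, not VMware code: it scans log text for the messages in the table and, for the certificate mismatch line, extracts the name that was provided and the names the certificate accepts. The `triage` function, the timestamp layout and the sample log lines are constructed for illustration, and the parser assumes the names are wrapped in literal angle brackets as shown in the table.

```python
import re

# Message substrings and guidance taken from the table above.
SIGNATURES = [
    ("Connection timed out: connect",
     "Wrong IP address, firewall blocking the Single Sign On port "
     "(default 7444), or overloaded Single Sign On host."),
    ("Connection refused: connect",
     "Wrong IP address/FQDN, or Single Sign On not started or started "
     "within the past minute."),
    ("Unexpected status code: 404",
     "SSO Server failed during initialization; restart Single Sign On."),
]

# Assumed layout: <provided name> != <A> or <B> or <C>, angle brackets literal.
MISMATCH = re.compile(r"hostname in certificate didn't match:\s*<([^>]+)>\s*!=\s*(.+)")
NAME = re.compile(r"<([^>]+)>")


def triage(log_text):
    """Return one finding per log line that matches a known failure."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = MISMATCH.search(line)
        if m:
            # Names right of "!=" are the ones the certificate accepts.
            findings.append({"line": lineno, "kind": "SslHandshakeFailed",
                             "provided": m.group(1),
                             "allowed": NAME.findall(m.group(2))})
            continue
        for needle, advice in SIGNATURES:
            if needle in line:
                findings.append({"line": lineno, "kind": needle, "advice": advice})
                break
    return findings


# Constructed sample log, not captured from a real system.
SAMPLE_LOG = """\
2013-01-10 10:01:02 INFO  registering with lookup service
2013-01-10 10:01:23 ERROR java.net.ConnectException: Connection refused: connect
2013-01-10 10:05:40 ERROR hostname in certificate didn't match: <10.0.0.5> != <sso01.example.test> or <sso01> or <10.0.0.9>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For a mismatch finding, reconfigure the installer to use one of the `allowed` names; the check itself stays enabled.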