Unable to register vCenter SSO
search cancel

Unable to register vCenter SSO

book

Article ID: 369288

calendar_today

Updated On: 05-05-2025

Products

VMware HCX

Issue/Introduction

  • On the HCX admin page 9443, under Configuration -> SSO, the SSO registration failed with the following error:
    "Lookup service is not reachable at https://<FQDN-or-ip>. Please enter a valid SSO url - https://<domain|ip>"



  • vCenter registration is unaffected on the HCX admin 9443 page.
  • The following error is logged in the HCX Manager at /common/logs/appliance-management/appliance-management.log : "Cannot load STS signer certificate." 
    <timestamps> UTC [https-jsse-nio-9443-exec-7, , ] ERROR c.v.h.a.c.LookupServiceConfigValidator- Cannot load STS signer certificate from https://<FQDN-or-ip>:7444/sso-adminserver/sdk/vsphere.local
<timestamps> UTC [https-jsse-nio-9443-exec-7, , ] WARN  c.v.h.a.c.LookupServiceConfigValidator- Cannot access lookup service at https://<FQDN-or-ip>:443/lookupservice/sdk
java.lang.Exception: Cannot load STS signer certificate from https://<FQDN-or-ip>:7444/sso-adminserver/sdk/vsphere.local

  • Accessing the HCX plugin from vCenter  error in vSphere Client:

    Http failure response for https://<FQDN-or-IP>/plugins/com.vmware.hcx.plugin~4.#.#.#####~-####/#.#.#.#-443/vsphere-client/ui/hcx/hcx-ui/rest/hybridity/api/sessions: 401 OK

Environment

HCX
vCenter Server

Cause

This issue is related to vCenter (STS).  It typically occurs due to an SSL trust mismatch on the vCenter side.

Resolution

  • Please use the lsdoctor script, available at Using 'lsdoctor' Tool

    Ensure you take backups and snapshots of vCenter before running the lsdoctor tool.
    For more information on vCenter snapshots, visit VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice

    • python lsdoctor.py -l   >>  to check for SSL trust mismatch and stale configurations in vCenter upgraded from 5.x.
    • python lsdoctor.py -t   >>  to fix SSL trust issues

      Note: If you find stale legacy endpoints after running the command python lsdoctor.py -l , then you need to run python lsdoctor.py -s to clean up any stale configurations left over from a vCenter system upgraded from 5.x

     

  • Register SSO again with HCX via Admin 9443 page.

    NOTE: If you believe you are experiencing this issue and the steps outlined above did not resolve it, please open a support case with Broadcom Support and refer to this KB article.
    For more information, see Creating and managing Broadcom support cases.

Additional Information

Please get in touch with the vCenter Support Team for any queries or issues on the lsdoctor tool.

Useful links:

Powered by Wolken Software