vSphere Replication Management Server fails to register to vCenter with AD Service Account

Article ID: 381827


Products

VMware Live Recovery

Issue/Introduction

When an AD domain service account (for example [email protected]) is used to register vSphere Replication to vCenter, registration fails with a generic error. However, registering with the default SSO administrator ([email protected] by default) succeeds without issues.

In /opt/vmware/hms/logs/hms-configtool.log on the replication appliance, messages like the following indicate that the service account is created, but then cannot be found as an SSO admin.

2024-10-29 17:59:56.144 DEBUG com.vmware.hms.config.helper.ServiceAccountHelper [main] (..config.helper.ServiceAccountHelper) [] | Creating service account com.vmware.vr-sa-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
2024-10-29 17:59:56.684 INFO  com.vmware.hms.config.helper.ServiceAccountHelper [main] (..config.helper.ServiceAccountHelper) [] | SA credentials are stored
2024-10-29 17:59:56.685 DEBUG com.vmware.hms.config.helper.ServiceAccountHelper [main] (..config.helper.ServiceAccountHelper) [] | Finding principal com.vmware.vr-sa-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in sso admin
2024-10-29 17:59:56.705 ERROR com.vmware.hms.config.helper.ServiceAccountHelper [main] (..config.helper.ServiceAccountHelper) [] | Service account com.vmware.vr-sa-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx not found

In /var/log/vmware/sso/svcaccountmgmt.log on vCenter, the account is created with no errors.

2024-10-29T17:59:56.539Z INFO svcaccountmgmt[52:tomcat-http--4] [CorId=634212b0-79c1-4045-ac79-43b50c7a018b OpId=] [com.vmware.vcenter.svcaccountmgmt.impl.ServiceAccount] Creating Service Account : com.vmware.vr-sa-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
2024-10-29T17:59:56.680Z INFO svcaccountmgmt[88:tomcat-http--40] [CorId=83fad66a-c581-4aa1-bf03-708c0a329ce3 OpId=] [com.vmware.vcenter.svcaccountmgmt.impl.PasswordMgmt] Password Reset successful for accountUPN :com.vmware.vr-sa-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx@VSPHERE.LOCAL
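
The check below is an added example, not VMware tooling and not part of the original article: it confirms the signature described above by pairing a "not found" error in hms-configtool.log with a creation record for the same account in svcaccountmgmt.log. The function names are hypothetical, the sample input is built from the log lines quoted in this article, and it assumes copies of both logs are available on one host.

```shell
#!/bin/sh
# Added example, not VMware tooling. Function names are hypothetical.

# Accounts that hms-configtool.log shows as created, then "not found".
vr_sa_not_found() {
    awk '{ sub(/\r$/, "") }
        /ServiceAccountHelper/ && /Creating service account / { created[$NF] = 1 }
        / ERROR / && /Service account .* not found$/ {
            sa = $(NF - 2)
            if ((sa in created) && !seen[sa]++) print sa
        }' "$1"
}

# Succeeds if svcaccountmgmt.log from vCenter records that account's creation.
vc_sa_created() {
    awk -v sa="$1" '{ sub(/\r$/, "") }
        /Creating Service Account :/ && $NF == sa { hit = 1 }
        END { exit !hit }' "$2"
}

# Report each account; exit status 0 only when the full signature is present.
check_vr_registration() {
    rc=1
    for sa in $(vr_sa_not_found "$1"); do
        if vc_sa_created "$sa" "$2"; then
            echo "MATCH $sa: created on vCenter, not found by VR"
            rc=0
        else
            echo "PARTIAL $sa: not found by VR, no creation record on vCenter"
        fi
    done
    return $rc
}

# Constructed sample: log lines quoted in this article, written under $1.
make_sample() {
    cat > "$1/hms-configtool.log" <<'EOF'
2024-10-29 17:59:56.144 DEBUG com.vmware.hms.config.helper.ServiceAccountHelper [main] (..config.helper.ServiceAccountHelper) [] | Creating service account com.vmware.vr-sa-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
2024-10-29 17:59:56.685 DEBUG com.vmware.hms.config.helper.ServiceAccountHelper [main] (..config.helper.ServiceAccountHelper) [] | Finding principal com.vmware.vr-sa-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in sso admin
2024-10-29 17:59:56.705 ERROR com.vmware.hms.config.helper.ServiceAccountHelper [main] (..config.helper.ServiceAccountHelper) [] | Service account com.vmware.vr-sa-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx not found
EOF
    cat > "$1/svcaccountmgmt.log" <<'EOF'
2024-10-29T17:59:56.539Z INFO svcaccountmgmt[52:tomcat-http--4] [CorId=634212b0-79c1-4045-ac79-43b50c7a018b OpId=] [com.vmware.vcenter.svcaccountmgmt.impl.ServiceAccount] Creating Service Account : com.vmware.vr-sa-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
EOF
}

d=$(mktemp -d) && make_sample "$d"
check_vr_registration "$d/hms-configtool.log" "$d/svcaccountmgmt.log"
rm -rf "$d"
```

A MATCH line means vCenter created the account and only the appliance-side lookup failed, which is the condition this article covers; a PARTIAL line points to a different failure.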

Environment

vSphere Replication 8.x

vSphere Replication 9.x

Cause

The example names used here are arbitrary and may not match a customer's configuration.

This is a limitation of the current vr-config logic when AD accounts are used, for example the AD account [email protected]. When registering to vCenter, the replication appliance requests that the service account be created, then searches for it under the SSO domain (by default vsphere.local). While vCenter has no issue creating the service account, VR then searches the SSO domain vsphere.local for the username provided, which exists in CustomerDomain.com. Because that account does not exist under the vsphere.local domain, VR returns an error stating that it cannot find the service account.

Resolution

This issue will be addressed in a future version of VMware Live Recovery by changing the behavior of vr-config. For now, customers need to use an account in their vCenter SSO domain, such as [email protected], to register vSphere Replication.