Deploying VCF 9.1 fails on Deploy and configure VCF Management Platform stage with error "The SDDC lifecycle task 'Configure service' failed".


Article ID: 441502


Products

VMware SDDC Manager / VCF Installer

Issue/Introduction

During a brownfield conversion or workload domain deployment in VCF 9.1.0, the SDDC Manager lifecycle orchestration fails during initial system configuration tasks.

Symptoms include the following error messages within the SDDC Manager user interface or task execution logs:
The SDDC lifecycle task 'Configure service' (<id>) failed. An unexpected error occurred in step configure_sddc_lcm_task_ref. Reference Code: DEC33255. Please contact support with this reference code. Detail: null Reference Token: J77QV7

The SDDC lifecycle task 'Configure service' (<id>) failed. An unexpected error occurred in step configure_sddc_lcm_task_ref. Reference Code: 13295B3B. Please contact support with this reference code. Detail: Unexpected server error has occurred. Reference Token: LAJ0L7

Similar errors appear in the VCF Installer log at /var/log/vmware/vcf/domainmanager/domainmanager.log:

SDDC Manager service account creation call response status is not successful.
2026-05-21T16:25:15.672+0000 ERROR [vcf_dm,6a0f31e0a80a818f84309d91725edd5f,b6a0] [c.v.v.v.s.fleetlcm.FleetLcmService,dm-exec-3436]  Could not create SDDC Manager service account.
Caused by: org.springframework.web.client.HttpClientErrorException$BadRequest: 400  on POST request for "<sddcFQDN>/v1/users": "{"errorCode":"PERMISSION_ALREADY_EXISTS","arguments":[],"message":"One or more User(s) or Group(s) with the selected Role already exist","referenceToken":"VKHCH4"}"

Environment

  • VMware Cloud Foundation 9.1.0

  • vCenter Server 8.0 / 9.0 (Brownfield deployment)

Cause

During brownfield onboarding or validation workflows, the lifecycle management component expects the administrator user to belong strictly to the native, default Single Sign-On (SSO) domain (e.g., vsphere.local).

Resolution

To resolve this issue, update the SDDC deployment specification to reference a valid account belonging to the native default SSO domain, then patch the deployment task.

  1. SSH into the VCF Installer as the vcf user, then su to root.

  2. Generate a local API access token by executing the following command (

    accessToken=$(curl -H 'Content-Type:application/json' https://localhost/v1/tokens -d '{"username":"admin@local","password":"<ADMIN-PASSWORD>"}' -k | jq -r '.accessToken')
    
  3. Retrieve the target SDDC identification string. If multiple deployment attempts exist, look for the most recent entry:

    curl -k --location --request GET 'https://localhost/v1/sddcs' -H "Content-type:application/json" --header 'Authorization: Bearer '$accessToken | json_pp
    
  4. Export the specification of that SDDC to a local JSON file, input.json:

    curl -k --location --request GET 'https://localhost/v1/sddcs/<SDDC-ID>/spec' -H "Content-type:application/json" --header 'Authorization: Bearer '$accessToken | json_pp > input.json
    
  5. Open the input.json configuration file in a text editor.

  6. Locate the adminUserSsoUsername and adminUserSsoPassword parameters.

  7. Modify the values to use an administrative credential native to the default vCenter Server SSO domain (e.g., an account in vsphere.local). Save and close the file.

  8. Commit the corrected deployment payload configuration back to the API and resume the lifecycle orchestration task:

    curl -k --location --request PATCH 'https://localhost/v1/sddcs/<SDDC-ID>' -H "Content-type:application/json" --header 'Authorization: Bearer '$accessToken -d @input.json | json_pp
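
Steps 5 to 7 can be scripted instead of hand-edited. The following is an added example, not VMware's code: it updates adminUserSsoUsername and adminUserSsoPassword wherever they occur in input.json, refuses an account outside the default SSO domain, prompts for the password without echo, and leaves the file readable by its owner only because it holds the SSO password. The script name fix_spec.py, the function names, the vsphere.local default and the nesting of the sample spec are assumptions.

```python
import getpass, json, os, sys

DEFAULT_SSO_DOMAIN = "vsphere.local"  # assumption: the example domain from the Cause section

# Constructed sample; the nesting in a real exported spec may differ.
SAMPLE_SPEC = {"exampleParent": {"adminUserSsoUsername": "vcfadmin@corp.example",
                                 "adminUserSsoPassword": "constructed-old-secret"}}

def sso_domain(username):
    """Return the lower-cased part after the last '@', or '' if there is none."""
    return username.rpartition("@")[2].lower() if "@" in username else ""

def find_admin_users(node, path="$"):
    """Yield (path, object) for every JSON object that carries adminUserSsoUsername."""
    if isinstance(node, dict):
        if "adminUserSsoUsername" in node:
            yield path, node
        for key, value in node.items():
            yield from find_admin_users(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_admin_users(value, f"{path}[{index}]")

def fix_spec(spec, username, password, domain=DEFAULT_SSO_DOMAIN):
    """Rewrite admin credentials outside `domain` in place; return the paths changed."""
    if sso_domain(username) != domain.lower():
        raise ValueError(f"{username!r} is not in the default SSO domain {domain!r}")
    changed = []
    for path, obj in find_admin_users(spec):
        if sso_domain(str(obj["adminUserSsoUsername"])) != domain.lower():
            obj["adminUserSsoUsername"], obj["adminUserSsoPassword"] = username, password
            changed.append(path)
    return changed

def write_private(spec, filename):
    """Write the spec readable by its owner only: it holds the SSO password."""
    fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed, e.g. from step 4
    with os.fdopen(fd, "w") as handle:
        json.dump(spec, handle, indent=2)

if __name__ == "__main__":  # usage: python3 fix_spec.py input.json <user>@<default-sso-domain>
    spec_file, user = sys.argv[1], sys.argv[2]
    with open(spec_file) as handle:
        spec = json.load(handle)
    # getpass keeps the password out of shell history and the process list
    paths = fix_spec(spec, user, getpass.getpass(f"Password for {user}: "))
    write_private(spec, spec_file)
    print("updated:", ", ".join(paths) or "nothing (already in the default domain)")
```

Run it between steps 4 and 8, and delete input.json once the PATCH in step 8 has been accepted.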