
Short tip: vCenter Server 6.5 UI installer: Failed to connect to SSO

UI-Installer SSO Error

When deploying vCenter Server 6.5 recently, I stumbled upon an issue that I was able to reproduce for versions 6.5c and 6.5d. When deploying the appliance using the vCSA UI installer, the second stage always crashed with an error like this:

Unable to connect to vCenter Single Sign-On: Failed to connect to SSO; uri:https://st-vcsa03.stankowic.loc/sso-adminserver/sdk/vsphere.local

When analyzing the failed appliance, I saw the following lines in the system log:

vmware-stsd[1762]: has address Request for http://localhost:7080/afd failed after 10 seconds. Status: /usr/bin/curl status. Response: 000. Host: localhost has address Request for http://localhost:7080/afd failed after 10 seconds. Status: /usr/bin/curl status. Response: 000. ...

It seems like the VMware Identity Management service, which is essential for SSO, could not be started – as a result, the installation crashes. I was able to reproduce this effect on multiple ESXi hosts and virtualized environments – so it was not an issue in my local environment. In the VMware board I stumbled upon an interesting post that matched this effect. It also named a workaround that fixed the problem for me.


The vCSA installation consists of two stages. While the first stage simply deploys the OVA template, the second stage automatically configures the services. If errors occur during the second stage, the appliance is left in a broken state and needs to be re-deployed – so creating a snapshot at this point, before the second stage runs, is a good idea.

Fill in the second-stage wizard. Before starting the configuration process, access the appliance command line – e.g. using the VM console or SSH (which needs to be enabled first using the VM console). Enter the following commands:

> shell
# echo "::1 localhost.localdom localhost" >> /etc/hosts

This adds an IPv6 entry to the local host resolution. It seems that some SSO components communicate internally over IPv6 – even if an IPv4-only configuration was made:

# netstat -tulpen|grep idm
tcp6 0 0 :::36922 :::* LISTEN 0 17387 1603/vmware-sts-idm
tcp6 0 0 :::* LISTEN 0 18267 1603/vmware-sts-idm

Without this entry, localhost cannot be resolved to an IPv6 address, which causes the installation to crash. Don’t remove this entry after the installation: without it, SSO won’t start again, and as a result vCenter Server will not start either.
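An idempotent form of the workaround, as an added example that is not part of the original post: it checks whether an active line already maps localhost to ::1, and only otherwise backs up the file and appends the entry from above. The function names, the backup suffix and the `--apply` switch are assumptions made for this sketch.

```bash
#!/bin/bash
# Added example, not from the original post. HOSTS_ENTRY is the line used in
# the article; function names and the backup suffix are hypothetical.
HOSTS_ENTRY="::1 localhost.localdom localhost"

# Return 0 if an active (non-comment) line maps the given name to ::1.
# $1 = hosts file, $2 = host name to look for
has_v6_loopback() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                      # strip comments, re-split fields
        $1 == "::1" {
            for (i = 2; i <= NF; i++) if ($i == name) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Append the entry only when localhost has no ::1 mapping yet.
# Prints "present" or "added"; copies the file aside before changing it.
ensure_v6_loopback() {
    hosts_file="${1:-/etc/hosts}"
    if has_v6_loopback "$hosts_file" localhost; then
        echo "present"
        return 0
    fi
    cp -p "$hosts_file" "$hosts_file.pre-sso-fix" || return 1
    # A missing final newline would glue the entry onto the previous line.
    [ -n "$(tail -c 1 "$hosts_file")" ] && echo >> "$hosts_file"
    echo "$HOSTS_ENTRY" >> "$hosts_file"
    echo "added"
}

# Only touch the real file when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    ensure_v6_loopback /etc/hosts
fi
```

Running `has_v6_loopback /etc/hosts localhost` again after stage 2 shows whether the mapping is still in place once the deployment has finished.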


18 Comments

  1. Great tip, just ran into this on a new deployment. Really too bad small stuff like this hits simple things like an installation. It’s always dumbfounded me why something like selecting IPv4 only would still have background components communicate over IPv6. These are the small things that make long-time great products frustrate users. I wonder if there is even a bug filed internally for this or if it is considered “normal operation” for the install to just fail on stage 2.

    1. Christian says:

      Hey Chris,
      thanks for the feedback! Glad to see that it helped you.

      Haven’t tried this workaround for the latest vCSA build – but, keeping your second comment in mind, it seems that it persists. Haven’t heard from my colleagues that they had the same issue at customer sites – so I’m not sure whether there is a bug confirmed. Will check it out! 🙂

      Best wishes,

  2. Odd thing is on the latest deployment the entry was there:

    root@record [ ~ ]# cat /etc/hosts
    # Begin /etc/hosts (network card version)

    # End /etc/hosts (network card version)
    # Generated by Studio VAMI service. Do not modify manually. record localhost
    ::1 record localhost ipv6-localhost ipv6-loopback

  3. Yeah I still needed to do the manual add even though it was technically already there for it to complete so that feels buggy. Odd thing is the manual entry was gone after the deployment completed and this was on the latest version I downloaded yesterday.

  4. Steven says:

    Just facing the same problem on the second deployment (weird, the first deployment worked with no issue),
    trying the workaround, will see how it goes

  5. YUK says:

    Finally, the above tips can’t solve my case…

    My environment’s DNS points to a domain controller that is an MS Windows 2003 SBS server and it does not support IPv6, so I think my problem is caused by my Win2003 SBS server. I tried turning off all IPv6 for all computers, the firewall and VMs but still got the same problem on the vCenter install…

    Finally I installed Windows 2012 R2 and made it a domain controller with DNS server, then pointed all equipment’s DNS to my Windows 2012 R2 and just left all IPv6 on with DHCP, it works~~~~, I can install the vCenter Appliance….

    Remark:

    Just leaving IPv6 on with dynamically assigned IPs is OK, no need to set static IPs or create a DHCP server to support IPv6; just like IPv4, if in the end there is no DHCP server, all IPv4 will also use 169.xxx.xxx.xxx and all can communicate together.

    If your firewall supports IPv6, I think just pointing all equipment’s DNS to the firewall can also solve this problem. This is my third time installing vCenter and I got this problem: the first time, all DNS pointed to Windows 2008 R2, and the second time all DNS pointed to a pfSense firewall; just this time all DNS pointed to Windows 2003 Server, and only this DNS does not support IPv6.

  6. Anton says:

    Same as Steven, deployment to be used with SRM, one site installed fine, second failed with this error. Your workaround worked, although it is already in the hosts file. I used the latest 6.5U2c image (build 9451637).

  7. OTH says:

    Been struggling with deployment of a 2-node VSAN with VCSA 6.7u3 for about a week now. I have successfully deployed the same solution about six months ago, but had the same issues then. I totally forgot this one line that would fix the issues, got hung up on troubleshooting DNS (which is the main culprit in cases like this).

    Thanks for posting this!

  8. OTH says:

    Thanks for posting this!

    Been struggling for a whole week on a 2-node VSAN deployment. Failed every single time on Stage 2, could not connect to Appliance on :5480.

    This was the only thing that would fix it!

  9. Roman says:

    Hey Christian

    I was trying to deploy the VCSA 6.7U3 several times today, having the same issue. After some searching, I ended up on your blog.

    Many thanks for your hint which solved my issue :-).

    1. Christian says:

      Hey sunil,
      sorry to hear this. Which exact version are you using? It might have been fixed in later releases of vCenter Server 6.5 or 7.0.

      Best wishes,
