Short tip: vCenter Server 6.5 UI installer: Failed to connect to SSO

UI-Installer SSO Error

When deploying vCenter Server 6.5 recently, I stumbled upon an issue that I was able to reproduce for versions 6.5c and 6.5d. When deploying the appliance using the vCSA UI installer, the second stage always crashed with an error like this:

Unable to connect to vCenter Single Sign-On: Failed to connect to SSO; uri:https://st-vcsa03.stankowic.loc/sso-adminserver/sdk/vsphere.local

When analyzing the failed appliance, I saw the following lines in the system log:

vmware-stsd[1762]: has address 127.0.0.1. Request for http://localhost:7080/afd failed after 10 seconds. Status: /usr/bin/curl status. Response: 000. Host: localhost has address 127.0.0.1. Request for http://localhost:7080/afd failed after 10 seconds. Status: /usr/bin/curl status. Response: 000. ...

It seems like the VMware Identity Management service, which is essential for SSO, could not be started - as a result, the installation crashes. I was able to reproduce this effect on multiple ESXi hosts and virtualized environments - so it was not an issue in my local environment. On the VMware board I stumbled upon an interesting post that matched this effect. It also named a workaround that fixed the problem for me.

Workaround

The vCSA installation consists of two stages. While the first stage simply deploys the OVA template, the second stage automatically configures the services. If errors occur during the second stage, the appliance is left in a broken state and needs to be re-deployed - so creating a snapshot after the first stage is a good idea.

Fill in the wizard of the second stage, but before starting the configuration process, access the appliance command line - e.g. using the VM console or SSH (which needs to be enabled first using the VM console). Enter the following commands:

> shell
# echo "::1 localhost.localdom localhost" >> /etc/hosts

This extends the local host resolution by an IPv6 entry. It seems that some SSO components communicate internally over IPv6 - even if an IPv4-only configuration was made:

# netstat -tulpen|grep idm
tcp6 0 0 :::36922 :::* LISTEN 0 17387 1603/vmware-sts-idm
tcp6 0 0 127.0.0.1:12721 :::* LISTEN 0 18267 1603/vmware-sts-idm

Without this entry, localhost cannot be resolved to an IPv6 address, which forces the installation to crash. Don't remove this entry after the installation: SSO won't start again without it and, as a result, vCenter Server will not start either.
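
The echo command above appends unconditionally, so running it again after a re-deploy or snapshot revert duplicates the line. The following is an added example, not part of the original post: it checks whether localhost already maps to ::1 and appends the entry only when it is missing. The function names and the .bak backup file are assumptions made for this example.

```sh
# Added example: idempotent variant of the /etc/hosts workaround.
# Function names are hypothetical; the hosts file path defaults to /etc/hosts.

# Return 0 if a non-comment line maps the name "localhost" to ::1.
has_ipv6_localhost() {
    hosts_file="${1:-/etc/hosts}"
    awk '
        { sub(/#.*/, "") }                  # ignore comments
        $1 == "::1" {
            for (i = 2; i <= NF; i++)
                if ($i == "localhost") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$hosts_file"
}

# Append the entry from the workaround only when it is missing.
# Prints "unchanged" or "added" so callers can log what happened.
ensure_ipv6_localhost() {
    hosts_file="${1:-/etc/hosts}"
    if has_ipv6_localhost "$hosts_file"; then
        echo "unchanged"
        return 0
    fi
    # Keep a copy of the original file before touching it.
    cp -p "$hosts_file" "$hosts_file.bak" || return 1
    # If the file does not end in a newline, add one so the new
    # entry is not glued onto the previous line.
    if [ -s "$hosts_file" ] && [ "$(tail -c 1 "$hosts_file" | wc -l)" -eq 0 ]; then
        printf '\n' >> "$hosts_file"
    fi
    printf '%s\n' "::1 localhost.localdom localhost" >> "$hosts_file"
    echo "added"
}

# Usage on the appliance (as root, before starting stage 2):
#   ensure_ipv6_localhost /etc/hosts
```
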
