If you are seeing errors during the installation of SSO and a warning about auto-discovery failing:
- Validate the configuration of the SSO server. For more information, see the Required Information for Installing or Upgrading vCenter Single Sign On, Inventory Service, and vCenter Server section of the vSphere Installation and Setup Guide.
- Check the time difference between the vCenter SSO server and the Active Directory domain controllers. If the time is off by more than 5 minutes, Kerberos authentication fails and, therefore, automatic discovery fails.
- Verify that each domain controller has properly configured PTR records in DNS and ensure that the contents of the PTR record are accurate. To check this from the Windows command line, you can run the nslookup command on both the name and IP:

  For Name:

    nslookup server.domain.com
    Server: DNS Server
    Address: Server IP address
    Name: server.domain.com
    Address: IP address

  For IP address:

    nslookup IP address
    Server: DNS Server
    Address: Server IP address
    Name: server.domain.com
    Address: IP address

- If SSL is enabled in the domain controllers, verify that the SSL certificate is still valid. By default, SSL is enabled on most Windows Server 2008 machines.

  Note: To determine if SSL is enabled on the domain controller, run ldp.exe and connect to the domain controller on port 636. The output in the right column of the ldp.exe screen indicates if SSL is enabled on the domain controller.
- Remove and rejoin the vCenter SSO host to the domain. This exposes any connectivity or trust-based errors if there are failures during the addition to the domain.
- After the installation completes, review the install.log and imsTrace.log files in SSO_Server_Directory\utils\logs\ for errors in the auto-discovery process.
Note: If there have been changes made, you can run this command to observe if there are still any error messages:
<SSO Server Directory>\utils\ssocli configure-riat -a discover-is -u admin
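
The time, PTR and certificate checks above can be run together from the vCenter SSO host before retrying the installation. The following PowerShell script is an added example, not part of the original article or of any VMware tool. It assumes a host with the Resolve-DnsName cmdlet (Windows 8 / Server 2012 or later), and `server.domain.com` is the article's placeholder name for a domain controller.

```powershell
# Added example: pre-installation checks against one domain controller.
param(
    [string]$DomainController = 'server.domain.com',  # placeholder from the article
    [int]$MaxSkewSeconds = 300                        # the 5-minute limit stated above
)
$failed = $false

# 1. Clock offset against the DC (Kerberos fails beyond the limit).
$sample = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly |
    Where-Object { $_ -match '[+-]\d+\.\d+s\s*$' } | Select-Object -Last 1
if ($sample -match '([+-]\d+\.\d+)s\s*$') {
    $skew = [math]::Abs([double]::Parse($Matches[1], [cultureinfo]::InvariantCulture))
    if ($skew -gt $MaxSkewSeconds) { $failed = $true }
    "Time offset : {0:N1}s (limit {1}s)" -f $skew, $MaxSkewSeconds
} else {
    $failed = $true
    "Time offset : could not be measured"
}

# 2. Every A record must have a PTR record that names the same host.
try {
    $aRecords = Resolve-DnsName -Name $DomainController -Type A -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }
} catch { $aRecords = @(); $failed = $true; "DNS A       : lookup failed" }
foreach ($a in $aRecords) {
    try {
        $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'PTR' } | ForEach-Object { $_.NameHost.TrimEnd('.') }
    } catch { $ptr = @() }
    $ok = @($ptr) -contains $DomainController   # -contains is case-insensitive
    if (-not $ok) { $failed = $true }
    "DNS PTR     : {0} -> {1} (match: {2})" -f $a.IPAddress, (@($ptr) -join ','), $ok
}

# 3. LDAPS certificate dates. The callback accepts any certificate so that an
#    expired one can still be read; no credentials are sent on this connection.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $failed = $true }
    "LDAPS cert  : {0}, valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}" -f $cert.Subject, $cert.NotBefore, $cert.NotAfter
    $ssl.Dispose(); $tcp.Close()
} catch {
    "LDAPS cert  : no TLS session on port 636 (LDAPS may not be enabled)"
}
if ($failed) { exit 1 }
```

Run it once per domain controller; a non-zero exit code means the clock, a PTR record or the certificate dates need attention before auto-discovery is retried.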