3 Within the log file, search for the following messages.

The log file contains output from all installation attempts. Locate the last message that shows Initializing registration provider...

Message: java.net.ConnectException: Connection timed out: connect
Cause and solution: The IP address is incorrect, a firewall is blocking access to vCenter Single Sign-On, or vCenter Single Sign-On is overloaded.
Ensure that a firewall is not blocking the vCenter Single Sign-On port (by default 7444). Ensure also that the machine on which vCenter Single Sign-On is installed has adequate free CPU, I/O, and RAM capacity.

Message: java.net.ConnectException: Connection refused: connect
Cause and solution: The IP address or FQDN is incorrect and the vCenter Single Sign-On service has not started or has started within the past minute.
Verify that vCenter Single Sign-On is working by checking the status of vCenter Single Sign-On service (Windows) and vmware-sso daemon (Linux).
Restart the service. If this does not correct the problem, see the recovery section of the vSphere troubleshooting guide.

Message: Unexpected status code: 404. SSO Server failed during initialization
Cause and solution: Restart vCenter Single Sign-On. If this does not correct the problem, see the Recovery section of the vSphere Troubleshooting Guide.

Message: The error shown in the UI begins with Could not connect to vCenter Single Sign-On
Cause and solution: You also see the return code SslHandshakeFailed. This error indicates that the provided IP address or FQDN that resolves to vCenter Single Sign-On host was not the address used when you installed vCenter Single Sign-On.
In %TEMP%\VM_ssoreg.log, find the line that contains the following message.
host name in certificate did not match: <install-configured FQDN or IP> != <A> or <B> or <C>
where A was the FQDN you entered during the vCenter Single Sign-On installation, and B and C are system-generated allowable alternatives.
Correct the configuration to use the FQDN on the right of the != sign in the log file. In most cases, use the FQDN that you specified during vCenter Single Sign-On installation.
If none of the alternatives are possible in your network configuration, recover your vCenter Single Sign-On SSL configuration.
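
The log search described in this step can be scripted. The following is an added example, not part of the VMware documentation: it keeps only the output after the last Initializing registration provider... line and matches the messages from the table above. The function names, the timestamp layout and the host names in the sample are assumptions made for illustration.

```python
import re

# Message substrings from the table above, each with its short diagnosis.
KNOWN = [
    ("Connection timed out: connect",
     "wrong IP address, firewall blocking the SSO port (default 7444), or SSO overloaded"),
    ("Connection refused: connect",
     "wrong IP/FQDN, or SSO service not started or started within the past minute"),
    ("Unexpected status code: 404",
     "SSO server failed during initialization; restart vCenter Single Sign-On"),
]
MARKER = "Initializing registration provider..."
# Angle brackets are optional: the page shows them as placeholders (assumption).
MISMATCH = re.compile(
    r"host name in certificate did not match:\s*<?([^<>\s]+)>?\s*!=\s*(.+)")

def last_attempt(lines):
    """Return only the lines of the final installation attempt."""
    start = 0
    for i, line in enumerate(lines):
        if MARKER in line:
            start = i
    return lines[start:]

def triage(log_text):
    """List (message, detail) findings for the last attempt in the log."""
    findings = []
    for line in last_attempt(log_text.splitlines()):
        for needle, diagnosis in KNOWN:
            if needle in line:
                findings.append((needle, diagnosis))
        m = MISMATCH.search(line)
        if m:
            # Names right of "!=" are the ones the certificate accepts.
            allowed = [n.strip(" <>") for n in re.split(r"\s+or\s+", m.group(2).strip())]
            findings.append(("host name in certificate did not match",
                             {"configured": m.group(1), "allowed": allowed}))
    return findings

# Constructed sample log: timestamps, addresses and host names are invented.
SAMPLE = """\
2019-01-10 09:00:01 Initializing registration provider...
2019-01-10 09:00:22 java.net.ConnectException: Connection timed out: connect
2019-01-10 09:14:40 Initializing registration provider...
2019-01-10 09:14:41 host name in certificate did not match: <10.0.0.5> != <sso01.example.test> or <sso01> or <10.0.0.5.example.test>
"""

if __name__ == "__main__":
    for name, detail in triage(SAMPLE):
        print(name, "->", detail)
```

The timeout from the earlier attempt in the sample is not reported, because only the output after the last marker is examined.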

Unable to Log In Using Active Directory Domain Authentication
You log in to a vCenter Server component from the vSphere Web Client. You use your Active Directory
user name and password. Authentication fails.
Problem
You add an Active Directory identity source to vCenter Single Sign-On, but users cannot log in to
vCenter Server.
Platform Services Controller Administration
VMware, Inc.