vCenter Single Sign-On installation displays an error referring to the vCenter Server or the vSphere Web Client.

Problem

vCenter Server and Web Client installers show the error Could not contact Lookup Service. Please check VM_ssoreg.log....

This problem has several causes, including unsynchronized clocks on the host machines, firewall blocking, and services that must be started.

Procedure

  1. Verify that the clocks on the host machines running vCenter Single Sign-On, vCenter Server, and the Web Client are synchronized.
  2. View the specific log file found in the error message.

    In the message, system temporary folder refers to %TEMP%.

  3. Within the log file, search for the following messages.

    The log file contains output from all installation attempts. Locate the last message that shows Initializing registration provider...

    Message

    Cause and solution

    java.net.ConnectException: Connection timed out: connect

    The IP address is incorrect, a firewall is blocking access to vCenter Single Sign-On, or vCenter Single Sign-On is overloaded.

    Ensure that a firewall is not blocking the vCenter Single Sign-On port (by default 7444) and that the machine on which vCenter Single Sign-On is installed has adequate free CPU, I/O. and RAM capacity.

    java.net.ConnectException: Connection refused: connect

    IThe IP address or FQDN is incorrect and the vCenter Single Sign-On service has not started or has started within the past minute.

    Verify that vCenter Single Sign-On is working by checking the status of vCenter Single Sign-On service (Windows) and vmware-sso daemon (Linux).

    Restart the service. If this does not correct the problem, see the recovery section of the vSphere troubleshooting guide.

    Unexpected status code: 404. SSO Server failed during initialization

    Restart vCenter Single Sign-On. If this does not correct the problem, see the Recovery section of the vSphere Troubleshooting Guide.

    The error shown in the UI begins with Could not connect to vCenter Single Sign-on.

    You also see the return code SslHandshakeFailed. This is an uncommon error. It indicates that the provided IP address or FQDN that resolves to vCenter Single Sign-On host was not the one used when you installed vCenter Single Sign-On.

    In %TEMP%\VM_ssoreg.log, find the line that contains the following message.

    host name in certificate did not match: <install-configured FQDN or IP> != <A> or <B> or <C> where A was the FQDN you entered during the vCenter Single Sign-On installation, and B and C are system-generated allowable alternatives.

    Correct the configuration to use the FQDN on the right of the != sign in the log file. In most cases, use the FQDN that you specified during vCenter Single Sign-On installation.

    If none of the alternatives are possible in your network configuration, recover your vCenter Single Sign-On SSL configuration.