VMware Cloud Community
pgn674
Enthusiast
Enthusiast
Jump to solution

Error When Installing SSO 5.5 On New Machine

I have been trying to install VMware vCenter Single Sign-On 5.5.0 from VMware-VIMSetup-all-5.5.0-1312299.iso, and like some others I am having trouble. I am installing on a brand new Windows Server Datacenter 2008 R2 SP1 64-bit VM.

The first time I ran the installer, I got to the vCenter Single Sign-On Prerequisites screen, and realized that my network settings on the new machine were a little off. So I canceled the installer, fixed my networking, started the installer again, and this time I got the message "DNS resolution is successful."

So, I continued on my way. I select "vCenter Single Sign-On for your first vCenter Server", it starts installing, the status gets to "Configuring SSO Components...", and then it shows "Rolling back action:", then "vCenter Single Sign-On Setup Wizard ended prematurely because of an error." All subsequent install attempts have resulted in the same thing.

I've seen some proposed solutions elsewhere, and I have tried:

  • Rename C:\ProgramData\VMware\CIS to CIS.old
  • Run (VMware-VIMSetup-all-5.5.0-1312299.iso)\Single Sign-On\prerequisites\VMware-python.msi (Tried in right click menu: Repair, and also Uninstall then Install)
  • In "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Infrastructure", there is no SSOServer

I have attached vim-sso-msi.log and vminst.log from %TEMP%. I also found a vminst.log from one directory above %TEMP%; I've attached that too as vminst-Temp.log in case it's useful.

Looking at the logs, in vim-sso-msi.log this is near the end:

MSI (c) (28:DC) [14:08:39:385]: Note: 1: 1708

MSI (c) (28:DC) [14:08:39:385]: Product: vCenter Single Sign-On -- Installation failed.

MSI (c) (28:DC) [14:08:39:385]: Windows Installer installed the product. Product Name: vCenter Single Sign-On. Product Version: 5.5.0.297. Product Language: 1033. Manufacturer: VMware, Inc.. Installation success or error status: 1603.

This is towards the middle:

MSI (s) (38:A0) [14:07:41:006]: Executing op: ActionStart(Name=BootstrapAll,,)

Action 14:07:41: BootstrapAll.

MSI (s) (38:A0) [14:07:41:022]: Executing op: CustomActionSchedule(Action=BootstrapAll,ActionType=11265,Source=BinaryData,Target=**********,CustomActionData=**********)

MSI (s) (38:88) [14:07:41:037]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI2A01.tmp, Entrypoint: VmSetupExecuteBootstrap

MSI (s) (38:5C) [14:07:41:037]: Generating random cookie.

MSI (s) (38:5C) [14:07:41:053]: Created Custom Action Server with PID 1724 (0x6BC).

MSI (s) (38:FC) [14:07:41:178]: Running as a service.

MSI (s) (38:FC) [14:07:41:193]: Hello, I'm your 64bit Elevated custom action server.

Action 14:07:41: PostInstallScripts. Configuring SSO Components...

PostInstallScripts: PostInstallScripts

PostInstallScripts: PostInstallScripts

CustomAction BootstrapAll returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

Action ended 14:08:00: InstallFinalize. Return value 3.

In vminst-Temp.log, I see this, but I'm not sure whether it's relevant:

VMware Single Sign-On-build-1302472: 09/25/13 14:08:00 LDAP Utils : VmSetupMakeLdapsConnection

VMware Single Sign-On-build-1302472: 09/25/13 14:08:00 Attempting ldap_sslinit...

VMware Single Sign-On-build-1302472: 09/25/13 14:08:00 Attempting ldap_connect...

VMware Single Sign-On-build-1302472: 09/25/13 14:08:00 Attempting ldap_bind_s...

VMware Single Sign-On-build-1302472: 09/25/13 14:08:00 Unable to make LDAPS connection. Error :1326

VMware Single Sign-On-build-1302472: 09/25/13 14:08:00 VmSetupUpdateVmdirCert error: 1603

VMware Single Sign-On-build-1302472: 09/25/13 14:08:00 VmSetupVmdirCert error: 1603

%TEMP% is C:\Users\Administrator.MCI\AppData\Local\Temp\2

I got vminst-Temp.log from C:\Users\Administrator.MCI\AppData\Local\Temp

Does anybody have any ideas on what I can try, or any more information that would help?

Tags (4)
1 Solution

Accepted Solutions
pgn674
Enthusiast
Enthusiast
Jump to solution

So I think I just discovered the true reason it was failing. In the documentation above, they say that ;"'^\ are not valid characters in a password. But, they missed a character: The space. I was using a space character in my password.

I tried out the installer a bunch of times. When one of the above invalid characters is used, the installer continues anyway. And then throws a 1326 in that other log file I mentioned. Using a space does the same thing. And it's not like they aren't checking the password at all. If you don't meet the complexity requirements that's in their documentation, then you get this notice:

SSO_Password_Complexity.png

I don't know why they accept invalid characters in the installer. And I don't know why they missed listing the space character as an invalid character in their documentation. It is an ASCII character, after all (0x20).

I did try a couple other passwords long ago, but I think it was before I found this documentation, so I may have used one of the other invalid characters. Or maybe I used another invalid character that is undocumented. If space is not documented as an invalid character, then who knows how many other invalid characters there are?

And so, I say to all who believe they are having the same problem that I did:

First, make sure it's the same problem. Verify that you are getting an error code 1326 in the other vminst.log file, located one directory above %TEMP%. If you cannot find 1326, then you probably have a different problem.

Then, try other passwords. Don't use the documented invalid characters. And keep in mind that there may be other undocumented invalid characters.

The password does not need to be identical to the local Windows Administrator account's password. It just can't contain any undocumented invalid characters.

View solution in original post

0 Kudos
35 Replies
raog
Expert
Expert
Jump to solution

Another user posted a similar rollback on a fresh install issue.. is your DC a windows 2012  (with forest functional level as 2012)?

https://communities.vmware.com/message/2291985#2291985

Regards

Girish

To Virtualization and beyond! PS::If you felt the answer as helpful, please mark it as helpful/answered so that it helps other users as well! Blog:: www.virtualtipsntricks.com
0 Kudos
resurento
Contributor
Contributor
Jump to solution

I can confirm this same behavior and agree this is a different problem than widely talked KB 2060511.

Initially we had this problem and the error message was like described in 2060511. After "fixing" this problem, we found this one described here. The error message is different, but the behavior is the same i.e. the rollback takes place.

I did what the KB-doc suggested though,

Our system is Windows 2008 R2 Enterprise, SP1, 64-bit with 6GB RAM running vCenter Server 5.1.0 Build 1123961 so we're trying for an upgrade (which is different from the above).

Comments / ideas are most welcome ;>) Thanks,

Resu

0 Kudos
raog
Expert
Expert
Jump to solution

I would advice to raise this with vmware support..

Regards

Girish

To Virtualization and beyond! PS::If you felt the answer as helpful, please mark it as helpful/answered so that it helps other users as well! Blog:: www.virtualtipsntricks.com
0 Kudos
ilmara
Contributor
Contributor
Jump to solution

Hello,

I'm the other user having this issue. I haven't been able to debug it further due to more pressing concerns today, but while trying to install vcenter 5.1 (hoping to upgrade it later on to 5.5) I noticed a warning message is absent from the 5.5 install.

Is by any chance the administrator user you're trying to install with a local user? There is a warning regarding this in 5.1 suggesting that a domain user could help.

0 Kudos
pgn674
Enthusiast
Enthusiast
Jump to solution

raog, I have four Domain Controllers, two per site, in one forest. They are all Windows Server 2003. I see that the documentation says that "vCenter Server 5.5 removes support for Windows Server 2003 as a host operating system", but it also says it supports "Active Directory versions 2003 and later."


resurento, I never got the message described in 2060511, myself.


raog, I may end up going to VMware support, or I may just remove Windows from our domain and try that. We are a smaller shop, and can work with vCenter not authenticating against our domain.


ilmara, I have tried installing as the domain Administrator account, and as my own domain account (after adding it to the local Administrators group). Both have the same behavior. I have not tried installing while logged on as the local Administrator. I may try that.


Thank you all for the questions and suggestions. Keep them coming.


Also, seeing that it appears ldap_bind_s is failing, I tried, while logged as the domain Administrator, opening ldp (Start > Run > ldp). In there, I can connect to any one of our Domain Controller servers with SSL on port 636, and then Bind as the currently logged on user.

53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3

  {NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}

Authenticated as: 'NULL'.

Message was edited by: pgn674. Added ldap_bind_s test.

0 Kudos
resurento
Contributor
Contributor
Jump to solution

Hi all,

I got mine solved ! Error Upgrading vCenter Single Sign-on to 5.5 Especially the steps at the end ...

* Delete only content of CIS -directory. Leave the dir itself in place.

* Manually install Vmware-python package (folder \\VMware-VIMSetup-all-5.5.0-1312299\Single Sign-On\prerequisites\VMware-python.msi, then re-install SSO.)

* Restart SSO install --> Pass.

Good luck,

Resu

0 Kudos
pgn674
Enthusiast
Enthusiast
Jump to solution

I tried logging in as the local Administrator and running the install. I got no message suggesting that's a bad idea, and I got the same rollback and error logs.

resurento, I'm glad you got yours working. I tried deleting the contents of both C:\Program Files\VMware\CIS and C:\ProgramData\VMware\CIS, and running the Python installer (by double clicking it; it seemed to run through a full install). But, I still got the same errors.

0 Kudos
pgn674
Enthusiast
Enthusiast
Jump to solution

I found the log file C:\ProgramData\VMware\CIS\logs\vmdird\vdcpromo.log. In there, I saw:

2013-09-26 12:04:50.654:t@8500560:INFO: Reading Reg: ConfigPath

2013-09-26 12:04:50.654:t@8500560:ERROR: Error message (VmDirPrepareOpensslClientCtx() failed), error code (9120)

2013-09-26 12:04:50.654:t@8500560:VERBOSE: ldap_initialize: ldaps://localhost:11712 (DN='')

2013-09-26 12:04:51.715:t@8500560:INFO: Vmdir instance ready for LDAP service

2013-09-26 12:04:51.715:t@8500560:VERBOSE: InstallParameterPath: C:\ProgramData\vmware\cis\cfg\install-defaults\

2013-09-26 12:04:51.715:t@8500560:VERBOSE: InstallParameterFile: C:\ProgramData\vmware\cis\cfg\install-defaults\system.urlhostname

2013-09-26 12:04:51.715:t@8500560:VERBOSE: VmDirReadInstallParameter failed. Error(32)

These happen some 5 seconds before the decisive 1603 error, but I thought it might contribute. So I tried following the steps in KB 2059131 (VMware KB: Reinstalling vCenter Single Sign-On 5.5 stops after displaying the message: C.... They did not help.

I've attached the vdcpromo.log file. I think these log files use standard Windows System error codes, so I've copied the ones we've seen so far below:

ERROR_INSTALL_FAILURE

1603 (0x643)

Fatal error during installation.

ERROR_LOGON_FAILURE

1326 (0x52E)

The user name or password is incorrect.


DNS_ERROR_ROLLOVER_ALREADY_QUEUED

9120 (0x23A0)

The specified signing key is already queued for rollover.


ERROR_SHARING_VIOLATION

32 (0x20)

The process cannot access the file because it is being used by another process.

There are a couple facts of my environment that might shed some light:

Before creating this VM, I had another one with vCenter and SSO 5.1 installed. After the SSO upgrade kept failing, I renamed that machine, and turned it off. This new one was using the name of that old one.

Our DC's are not our DNS servers. Out DNS is served up by named on Linux machines. My predecessor had copied all the _msdcs and such DNS entries over to named as SRV and NS records. The NS records point to the DC's, and the DC's are serving DNS. We have had no trouble with our domain DNS in a long time.

0 Kudos
pgn674
Enthusiast
Enthusiast
Jump to solution

So I tried removing the machine from the domain, and SSO still failed to install with all the same errors. This leads me to believe that the installer fails because the user name or password is incorrect when it tries to authenticate via LDAP over SSL against its own, just-created Active Directory server.

I saw some messages about adding Windows Firewall exceptions for port 11712. I tried turning off the Windows Firewall and installing SSO. It did not help.

0 Kudos
yupoy
Contributor
Contributor
Jump to solution

I was getting this same SSO 5.5 error because the machine hosting SSO did not have a fully qualified host name configured in Windows.  Once I configured a primary DNS suffix (system properties in Control Panel), SSO installed successfully. 

0 Kudos
tbpoisb
Contributor
Contributor
Jump to solution

changing the FQDNip from ipadres to FQDN helped for me passing the installation and not having to rollback for the 5th time.....

here is the key  change value from IP to  <servernaam.domain.loc>  HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Infrastructure\SSOServer\FqdnIp

0 Kudos
pgn674
Enthusiast
Enthusiast
Jump to solution

yupoy, my Primary DNS Suffix is already configured correctly.

tbpoisb, I do not have a SSOServer inside HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Infrastructure.

I have tried a few more things:

  • Removing all traces of VMware from the system, including VMware Tools. I:
    • Uninstalled all VMware items in Programs and Features.
    • Made sure there were no more services left.
    • Deleted all VMware files from C:\Program Files\VMware, C:\ProgramData\VMware, and the Start menu.
    • Deleted Registry entries for VMware, vCenter, Single Sign-On, and SingleSignOn.
      • I did not clear out all the Components in the registry; there are way too many of those.
  • Using a local session instead of remote desktop.
  • Clearing temporary files.
  • I checked the ISO file's MD5SUM and SHA1SUM; they both check out.
  • Following the steps in KB 1016563: VMware KB: Installing VMware Tools on a Windows guest fails with the error: The system administrator...
  • Uninstalling and then manually installing all the items in (VMware-VIMSetup-all-5.5.0-1312299.iso)\Single Sign-On\prerequisites\
0 Kudos
godbucket
Enthusiast
Enthusiast
Jump to solution

I received tons of errors when trying to upgrade SSO from 5.1 Update 1 (not fresh install or upgrading from 5.0) but it was early in the morning before my coffee and I was RDP'd into the server. Tried using direct console via viclient and it got further but still "ended prematurely because of an error". Ridiculous. I wonder if anyone has had any success with upgrading with this image/build....

0 Kudos
pgn674
Enthusiast
Enthusiast
Jump to solution

I got it. I figured it out. And it is ridiculous.

I need to run now, but I'll give you the solution. During the Single Sign-On installation, it asks you to create a password for the new administrator account in the new vcenter.local domain, in the new local Active Directory server. And this password, which it asks you to type twice like you would for any new password you create for any new account, must be the same as the preexisting local Windows Administrator account password.

Seriously. There is nothing in the installer or in the logs or in the documentation that even so much of hints at a suggestion that this might be a requirement. And the Windows Domain Administrator account's password won't work. It must be the local Windows Administrator account password. And, it must follow certain password restrictions (at least eight characters, at least one lowercase character, etc.).

When I have some time later, I'll give a better write up of just how ridiculous this is.

0 Kudos
ilmara
Contributor
Contributor
Jump to solution

Hello,

I'll try it tomorrow to see if it fixes the issue for me (given the description I really think it's the same). Meanwhile, congratulations on your perseverance and thanks a lot for the hours it must have cost you!

0 Kudos
himmie
Contributor
Contributor
Jump to solution

Just tried using the same password as local admin (which was accepted by the password requirements) and it failed again with 1603.

I have a case open with VMware at the moment, will post if I hear anything back.

Nothing but issue with SSO on the install since they introduced it as a requirement in 5.1. Really which they didn't make it mandatory.

0 Kudos
raog
Expert
Expert
Jump to solution

pgn674: I dont think there is such requirement, i have different passwords for my local Windows admin and administrator@vsphere.local and SSO 2.0 installed correctly..

Regards

Girish

To Virtualization and beyond! PS::If you felt the answer as helpful, please mark it as helpful/answered so that it helps other users as well! Blog:: www.virtualtipsntricks.com
0 Kudos
ilmara
Contributor
Contributor
Jump to solution

Same here, it didn't help, still the same issue.

0 Kudos
Terry3
Contributor
Contributor
Jump to solution

Resurento's solution worked for me. Thanks!!!

* Delete only content of CIS -directory. Leave the dir itself in place.

* Manually install Vmware-python package (folder \\VMware-VIMSetup-all-5.5.0-1312299\Single Sign-On\prerequisites\VMware-python.msi, then re-install SSO.)

* Restart SSO install --> Pass.

0 Kudos