This problem pissed me off for a while last night when I was trying to rebuild my lab after being on the road for a while.

I almost always deploy a VCSA and configure it with defaults on the wizard and then customize the IP, Hostname, Time, etc later. This finally came back to bite me and it was only with vCAC.

I know to regenerate the certificates after setting the IP and hostname, but I didn’t realize that there are entries on the VCSA that don’t update along with them.

When trying to join the SSO instance on the appliance from the vCAC appliance I was greeted with the following extremely generic message.


I have had this happen before and I almost always assume it’s time or DNS, so I checked the consoles.


Welp…. I started going through the vCAC logs, but I wasn’t able to find anything because logging wasn’t really configured yet.

With a bit of googling I found this

I decided to hit the SAML Metadata URL to see if something was broken, since I have seen it not match before.


That is not my hostname, and that is the old DHCP address.

So I started to dive into the VCSA and check out the logs

Under /var/log/vmware/sso I was going through the vmware-identity-sts.log file and found the following messages


That appears to be the original IP and not the one that I have in DNS. After verifying that the IP was correct and that forward and reverse lookups were working, I had to start looking at the VCSA itself.

Since the error was in the vmware-identity log I decided to look in /etc/, and there was a sub-directory for vmware-identity. Going through that I found these 2 files:


And when you cat out these files you find the old entries.



You need to stop vpxd and idmd first, because otherwise they will just keep re-writing this file over and over, which I didn’t notice for a good 2 minutes.



Now go ahead and edit the files. I didn’t want to go through and do it by hand, so I just used this sed one-liner (OLD_IP, NEW_IP and FILE are placeholders for your own values):

sed -i s/OLD_IP/NEW_IP/g FILE

For the hostname file you actually want your FQDN instead of the IP:

sed -i s/OLD_IP/NEW_FQDN/g hostname.txt

That will go through and replace the old value with the new one, so just change the values to your IP / hostname and you are good to go. (Keep in mind an unescaped dot in the old IP matches any character, which is fine for a one-off on a file you have already looked at.)

Go ahead and start the services again.


Let’s check the SAML metadata by heading to


Looks like the updates took place!
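The whole procedure above (stop the services, swap the stale IP or hostname in the identity config files, start the services, then confirm the SAML metadata no longer points at the old address) wrapped into a few checkable shell functions. This is an added example, not code from the original post or from VMware: the config file paths, the OLD/NEW values and the service names are supplied by the operator, SERVICES holds obvious placeholders rather than real service names, and the sample file contents in the comments are constructed. Unlike the bare sed one-liner it backs up each file, escapes the dots in the IP so they only match literally, refuses to report success while the old value is still present, and parses the metadata for any endpoint host that is not the expected FQDN.

```shell
#!/bin/sh
# Added example (not the post's own code). Wraps the post's manual steps in
# functions that can be checked: fix_file, check_metadata, dns_consistent.
# Assumptions: file paths and OLD/NEW values come from the caller; SERVICES
# contains placeholder names for the vpxd and idmd services on the appliance.

# Escape a literal string for the sed "s" command (delimiter '#'):
# esc_pat for the pattern side, esc_rep for the replacement side.
esc_pat() { printf '%s\n' "$1" | sed 's|[][\.*^$#]|\\&|g'; }
esc_rep() { printf '%s\n' "$1" | sed 's|[&#\\]|\\&|g'; }

# Number of lines in FILE that still contain VALUE. Fixed-string match, so
# "192.0.2.10" does not silently match "192x0y2z10" the way a raw sed pattern would.
count_stale() { grep -cF -- "$2" "$1" 2>/dev/null || true; }

# Back up FILE to FILE.bak, rewrite OLD -> NEW, and fail unless nothing stale remains.
fix_file() {
  f=$1; old=$2; new=$3
  [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
  cp -p "$f" "$f.bak"
  sed "s#$(esc_pat "$old")#$(esc_rep "$new")#g" "$f.bak" > "$f"
  if [ "$(count_stale "$f" "$old")" != 0 ]; then
    echo "stale value '$old' still present in $f" >&2
    return 1
  fi
}

# Forward and reverse DNS for FQDN and IP must agree (the post's DNS sanity check).
# Uses glibc's getent, which is assumed to exist on the appliance; not run offline.
dns_consistent() {
  fwd=$(getent hosts "$1" | awk '{print $1; exit}')
  rev=$(getent hosts "$2" | awk '{print $2; exit}')
  [ "$fwd" = "$2" ] && [ "$rev" = "$1" ]
}

# Hostnames (port stripped) referenced by entityID= and Location= URLs in a saved
# SAML metadata document, one per line.
metadata_hosts() {
  grep -oE '(entityID|Location)="https?://[^"]*"' "$1" \
    | sed -n 's/^[^=]*="https\{0,1\}:\/\/\([^/:"]*\).*/\1/p'
}

# Succeed only if the metadata names at least one endpoint host and every host
# equals the expected FQDN. An empty host list is treated as a failure, not as clean.
check_metadata() {
  hosts=$(metadata_hosts "$1")
  [ -n "$hosts" ] || { echo "no SAML endpoints found in $1" >&2; return 1; }
  stale=$(printf '%s\n' "$hosts" | grep -vFx -- "$2" | sort -u)
  [ -z "$stale" ] || { echo "stale hosts in metadata: $stale" >&2; return 1; }
}

# Placeholder service names: replace with the appliance's vpxd and idmd services.
SERVICES=${SERVICES:-"PLACEHOLDER_VPXD_SERVICE PLACEHOLDER_IDMD_SERVICE"}
services() { for s in $SERVICES; do service "$s" "$1"; done; }

# Full procedure in the post's order; only runs when invoked explicitly, e.g.
#   sh fix-identity.sh run OLD_IP NEW_IP vcsa.fqdn /etc/vmware-identity/IPFILE /etc/vmware-identity/hostname.txt
if [ "${1:-}" = "run" ]; then
  old=$2; ip=$3; fqdn=$4; ip_file=$5; host_file=$6
  services stop
  fix_file "$ip_file" "$old" "$ip"
  fix_file "$host_file" "$old" "$fqdn"   # the hostname file gets the FQDN, not the IP
  services start
  dns_consistent "$fqdn" "$ip" || echo "warning: forward and reverse DNS disagree" >&2
fi
```

To use it the way the post does, save the SAML metadata page to a file (for example with curl) and run check_metadata against it with your FQDN before and after the edit; a non-zero exit with the stale host printed to stderr is exactly the "old DHCP address" symptom from the screenshots.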

Try to join vCAC to SSO again.



Huzzah! I can’t wait for something else to break.