When I tried to upgrade my vCenter 5.0U1 Server to 5.1, all seemed to go well, up until the moment vCenter tried to register with SSO.
I received an error message: “Error 29107. The service or solution user is already registered. Check Vm_ssoreg.log in system temporary folder for details”.
I checked this log, but it did not really point me in the right direction.
Then I found a post in the 5.1 beta archive that said the unique identifier for a service to register with SSO is the Common Name from its certificate.
Since I installed a wildcard certificate for both the vCenter Server and the Inventory Service, I thought this could be an issue, since both services have the same Common Name in that case.
I restored a backup of my vCenter Server, and then replaced my wildcard certificate with the default VMware certificates that were installed during the installation of my original vCenter Server, and retried the upgrade. This time my upgrade finished successfully.
Since a commercial wildcard certificate always has the same Common Name, I do think that since the introduction of SSO in 5.1 and the way it uses the Common Name to distinguish between services, wildcard certificates can no longer be used for vCenter and its services unfortunately.
I hope someone can prove me wrong …
Update:
There is a KB article regarding this issue that can be found here
Actually you need to have a unique organizationUnit value. You can have the same common name (and I guess wildcard) for say Inventory, vCenter Server, Web Client and Update Manager if they were all installed on the same VM. Having a unique OU or a second OU attribute would suffice and allow SSO to differentiate between the services.
Since it's a commercial wildcard cert, I don't think you can change the OU; this has already been set upon creation, hasn't it? If that is the case, that would render commercial wildcard certs useless.
Instead you have to buy and maintain up to 6 different certs from what I can tell. I tried contacting VMware but they can't help with certs as it's a third-party piece of software, and they can't point to any consultants that have any experience with this. I'm pretty disappointed at this point.
If anyone stumbles upon a solution I hope they will share it with the world.
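
A pre-upgrade check for the condition discussed in the post and the first comment, as an added example (not from the post, the commenters, or VMware): it groups service certificates that share a Common Name, and separately those that share both the Common Name and the same set of OU values. Using CN plus OU as the comparison key is an assumption taken from the comment above; the service labels and subject lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: one subject line per service certificate, as printed by
#   openssl x509 -in <cert> -noout -subject -nameopt RFC2253
# Service labels, domain and OU values are hypothetical.
SAMPLE = {
    "vCenter Server": "subject=CN=*.example.test,OU=IT,O=Example,C=NL",
    "Inventory Service": "subject=CN=*.example.test,OU=IT,O=Example,C=NL",
    "Web Client": "subject=CN=*.example.test,OU=WebClient,O=Example,C=NL",
}

def parse_subject(line):
    """Parse an RFC 2253 subject line into {ATTRIBUTE: [values]}."""
    dn = re.sub(r"^subject\s*=\s*", "", line.strip())
    attrs = defaultdict(list)
    # Split on ',' and '+' separators that are not backslash-escaped.
    for rdn in re.split(r"(?<!\\)[,+]", dn):
        key, sep, value = rdn.partition("=")
        if sep:
            attrs[key.strip().upper()].append(value.strip().lower())
    return attrs

def group_by(subjects, key_fn):
    """Return the groups of services (two or more) that share key_fn(attrs)."""
    groups = defaultdict(list)
    for service, line in subjects.items():
        groups[key_fn(parse_subject(line))].append(service)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def shared_cn(subjects):
    """Services whose certificates carry the same Common Name."""
    return group_by(subjects, lambda a: tuple(a["CN"]))

def shared_cn_and_ou(subjects):
    """Services with the same CN and the same set of OU values (assumed key)."""
    return group_by(subjects, lambda a: (tuple(a["CN"]), tuple(sorted(a["OU"]))))

if __name__ == "__main__":
    print("same CN:", shared_cn(SAMPLE))
    print("same CN and OU:", shared_cn_and_ou(SAMPLE))
```

Any group reported by `shared_cn_and_ou` is a pair of services whose certificates would be indistinguishable by subject, which is the situation to resolve before retrying the upgrade.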