Error 81 When trying to join new SSO to existing SSO domain

By | February 8, 2016

This is a very unusual issue that I ran into.

I am prepping for my upgrade to vCenter 6. As part of this process I am moving the SSO functionality from an internal process to a process living on an external server. In my non-prod environment I have four new external SSO servers for the corresponding vCenters. I installed SSO on the first server, specifying that it was the ‘first’ in the SSO domain. The subsequent servers (two and three) were installed using the multi-site option (option three) and pointed to the first server as the partner. No problems up to this point.

When I got to the fourth server, I ran into issues once I put in the partner server and the password. I got the following error: “Hostname could not be resolved or there was a connection error. Attempting to connect returned error 81.”

I did some pings and nslookups from the fourth server back to the first and everything was fine. I tried the IP address in the install wizard with the same problem. At this point I opened up a case with VMware. After 30 minutes or so the TSE found an internal KB that references a Microsoft KB: https://support.microsoft.com/en-us/kb/245030

Basically, if you run into “Error 81” when partnering a new SSO server in multi-site mode to an existing SSO, then you may need to restrict the server to use a subset of encryption protocols. The Microsoft KB identifies the registry key for the encryption options. Compare which protocols are available on the existing SSO and match that with the new SSO server. Remove any protocols that are not needed (in my case TLS). I don’t know why the fourth server was the only one that had any problems (they were all Windows 2012) but this fixed my issue pretty quickly.
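A read-only way to do the comparison described above, as an added example that is not part of the original post: it reads the Schannel `Protocols` registry key (the key the Microsoft KB covers) on both servers and lists each protocol setting side by side. The host names are placeholders, and the script assumes PowerShell remoting is available on both servers.

```powershell
# Placeholder host names (assumptions): existing SSO server first, new SSO server second.
$servers = 'sso01.example.local', 'sso04.example.local'

# Runs on each server: enumerate SCHANNEL\Protocols\<protocol>\<Client|Server>.
$readSchannel = {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    if (-not (Test-Path $base)) { return }   # no overrides at all: OS defaults apply
    foreach ($proto in Get-ChildItem -Path $base) {
        foreach ($role in Get-ChildItem -Path $proto.PSPath) {
            $v = Get-ItemProperty -Path $role.PSPath
            [pscustomobject]@{
                Protocol          = $proto.PSChildName   # e.g. "TLS 1.0"
                Role              = $role.PSChildName    # "Client" or "Server"
                Enabled           = $v.Enabled
                DisabledByDefault = $v.DisabledByDefault
            }
        }
    }
}

# Invoke-Command tags every returned object with PSComputerName.
$rows = Invoke-Command -ComputerName $servers -ScriptBlock $readSchannel

# Describe one server's setting for a protocol/role, or note that it is unset.
function Get-Setting($group, $server) {
    $r = $group | Where-Object { $_.PSComputerName -eq $server } | Select-Object -First 1
    if ($null -eq $r) { return '(not set, OS default)' }
    "Enabled=$($r.Enabled); DisabledByDefault=$($r.DisabledByDefault)"
}

# One output row per protocol/role, with a Match column to spot differences.
$rows | Group-Object Protocol, Role | ForEach-Object {
    $existing = Get-Setting $_.Group $servers[0]
    $new      = Get-Setting $_.Group $servers[1]
    [pscustomobject]@{
        Protocol = $_.Group[0].Protocol
        Role     = $_.Group[0].Role
        Existing = $existing
        New      = $new
        Match    = ($existing -eq $new)
    }
} | Sort-Object Protocol, Role | Format-Table -AutoSize
```

Rows where `Match` is `False` are the protocol settings that differ between the two servers; a protocol with no subkey on a server uses that Windows version's default.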

 
