Remove orphaned vCenter Server from SSO domain

After my „little“ homelab outage last year and the delivery of a new SSD I found some time to redeploy the nested cluster quite some time ago. During the preparation to my VCAP-DCV Deploy exam I deployed a second VCSA (vCenter Server Appliance) on my old Intel NUC and joined them to a single SSO domain to learn and try different things in the linked mode setup. That’s the reason why I received the „Could not connect to one or more vCenter Server Systems: https://<vcsaFQDN>:443/sdk“ every time I logged in to the second VCSA. Because I planned to redeploy the nested environment using the same IPs/FQDNs I wanted to make sure the orphaned VCSA is cleanly removed from the SSO configuration. This week one of my customers asked me for help with the same problem.A quick search and I found the following VMware KB article (again): Using the cmsso command to unregister vCenter Server from Single Sign-On (2106736). This time I decided to write a short blog post on the topic.

After I briefly skimmed the KB article, I jumped directly to the section „Process to decommission a vCenter Server“ – „vCenter Server Appliance“. Because the first VCSA was already decommissioned my only option was to login to the remaining VCSA via SSH and start the Bash Shell (in case you haven’t already enabled it you need to enable it first: shell.set –enabled true).

SSH into remaining VCSA and start Bash Shell

To unregister the orphaned VCSA you need to use the cmsso-util unregister command. Find the correct syntax below:

cmsso-util unregister --node-pnid <vcsaFQDN/vcsaIP> --username administrator@<SSO-domain> --passwd <SSO-password>

Once you’ve executed the command, you must wait. Your screen will say „Done running command„.

Executing cmsso-util unregister

Please stay patient. It takes some time (for me it took about five minutes) before anything else was shown in the SSH session. You will see something like „Stopping services“. After about another five minutes, your prompt should say „Success“.

I skipped steps 4 and 5 of the KB at this point because the VCSA was already switched off and deleted before I started the procedure. So I logged in to the second VCSA for testing purposes and discovered the following: I no longer received the error message.


The process on how to remove an orphaned VCSA from the SSO domain is quite straight forward. The KB article from VMware provides all steps necessary for this task. Only the waiting time after „Done running command“ could perhaps be mentioned. For an impatient person like me, the five minutes made me quite nervous.