vCenter Server Appliance, SSO and replacing AD servers

We have started using the vCenter Virtual Appliance for vSphere 5.5, and plan to move all our clusters over here really soon now! The last week there has also been a process of replacing the old 2008 R2 Active Directory servers with new 2012 R2 ones. My experience is that SSO isn't very good at adapting to changes among the domain controllers in AD. When the primary DC used by SSO goes down, the time it takes to log in to the web client increases dramatically.

The first time we experienced this, we just rebooted the vCenter Server Appliance the Windows way, but when it happened today I took the time to find another way of fixing it. It seems like it's the SSO Identity Management Service, vmware-sts-idmd, that needs a restart:

vcsa-test:~ # service vmware-sts-idmd restart
Stopping VMware STS IDM Server ...                                   done
Starting VMware STS IDM Server ...                                   done
vcsa-test:~ #

The logfile of interest was /var/log/vmware/sso/vmware-sts-idmd.log (there might be others of interest that I didn't check).
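Rather than restarting vmware-sts-idmd as a reflex, a small pre-check can tell you whether the domain's DCs actually answer before you bounce the service. The script below is an added example, not part of the original post and not VMware's own tooling; it assumes the DC list comes from the _ldap._tcp.dc._msdcs SRV record, that dig, timeout and bash exist on the appliance, and that a TCP connect to port 389 is a fair proxy for a usable DC.

```shell
# Added example (not from the original post). Checks DC reachability
# before restarting the SSO Identity Management Service.
# Assumptions: dig, timeout and bash are installed; DCs are discovered
# via the _ldap._tcp.dc._msdcs.<domain> SRV record; TCP 389 = "alive".

IDMD_SERVICE="vmware-sts-idmd"
IDMD_LOG="/var/log/vmware/sso/vmware-sts-idmd.log"

# Turn 'dig +short SRV' output ("prio weight port target.") into
# "target port" lines, lowest priority first, trailing dot removed.
parse_srv() {
    sort -n -k1,1 | awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# TCP probe of one DC; returns 0 if the port answers within 3 seconds.
# Uses bash's /dev/tcp so no extra tools (nc, nmap) are needed.
probe_dc() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Read "host port" lines on stdin, print the unreachable ones as host:port.
# Returns 0 only if at least one DC was listed and every DC answered;
# an empty list (e.g. DNS failure) is treated as a failure, not as "all OK".
unreachable_dcs() {
    rc=0; seen=0
    while read -r host port; do
        [ -n "$host" ] || continue
        seen=1
        probe_dc "$host" "$port" || { echo "$host:$port"; rc=1; }
    done
    [ "$seen" -eq 1 ] || { echo "no DCs resolved"; rc=1; }
    return $rc
}

# Only bounce the service when a DC is unreachable, and say why, so the
# restart can be correlated with entries in the IDM log afterwards.
check_and_restart() {
    domain="$1"
    down=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | parse_srv | unreachable_dcs) && {
        echo "all DCs for $domain reachable; not restarting $IDMD_SERVICE"
        return 0
    }
    echo "unreachable: $down; restarting $IDMD_SERVICE (check $IDMD_LOG)"
    service "$IDMD_SERVICE" restart
}

if [ -n "${1:-}" ]; then check_and_restart "$1"; fi
```

Run it as `sh check-sso-dcs.sh example.local` from the appliance shell; the functions can also be sourced and used on their own.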

I also found some interesting lines where SSO complains about a domain that our primary domain has a trust relationship with, which again reminds me of a problem with SSO on 5.1 hanging because it wasn't able to talk to the DCs in such a trusted domain (due to some changes in the ACLs). This makes me wonder if we should consider LDAP as the identity provider in SSO instead of Active Directory...

Tags: vmware, vcsa, sso, ad, ldap
By Morten Werner Forsbring
Published Dec. 16, 2014 12:33 AM - Last modified Dec. 16, 2014 12:33 AM