When starting with vCenter Orchestrator (nowadays vRealize Orchestrator), you can install it on a Windows host or deploy it as a virtual appliance. Both options are pretty straightforward, but I still came across some points of interest when getting it all up and running.
As far as I know, there are no differences between the Windows install and the virtual appliance. The only thing you have to keep in mind is that the virtual appliance cannot use PowerShell natively, because PowerShell needs Windows. So if you want to use the virtual appliance and you want to use PowerShell in your workflows, you’ll also have to install a PowerShell host.
Now for the things I came across when configuring vCO:
- If you installed vCO on a Windows host and the configuration page does not show, check whether the vCO configuration service is started (by default it is not).
- Outbound firewall port 8287 must be opened on the client. Otherwise you’ll be prompted with “ERROR [VSOFactoryClient] javax.jms.JMSException: Failed to create session factory”.
- Import the certificate of vCenter into the vCO server before you add it. If you don’t, you will not be able to add vCenter to the vCO server and you’ll see an error stating: “com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified”.
To import the certificate of the vCenter server, go to the Network → SSL Trust Manager tab and select “Import from URL”.
- When using SSO with an Active Directory for authentication, make sure to check “Use Global Catalog”.
- If the vCO admin group cannot be found, try the search option. I’m sure I typed the string correctly, but vCO said it could not be found. When I used the “Search” option, it suddenly worked.
- When putting in the “User lookup base”, be aware that all users – including the vCO administrators – have to be in that OU. I had my vCO users in that OU, but my vCO admins in a different OU. This will not work! If you try to log in with such a configuration, you’ll get the following error: “ERROR [VcoFactoryFacade] Unable to login (Ex: javax.security.auth.login.LoginException: [0002]User is not authorized!)” or “Invalid Username\Password”. So get all your vCO users and admins in the same OU. The user and admin groups can be in different OUs.
- The vCO client has to be the same version as the vCO server. There is no backward compatibility, so always use the same version for the client and the server. Otherwise you’ll get the following error: “javax.jms.JMSException: Timed out waiting for responds (client-Java timeout-java.jms.JMSException)”.
- By default the vCO Web Operator is not enabled. If you try the URL, you’ll get a message like “Not published webview error The webview ‘weboperator’ is not published.” This can simply be solved by logging in to the vCO Client and choosing “administer mode”. In the webviews tab, select weboperator, right-click and publish.
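
For the certificate import step above: “Import from URL” fetches the certificate over the network, so it is worth comparing its SHA-256 fingerprint with one read on the vCenter side before accepting it. The script below is an added example, not part of the original post or of vCO; the host name `vcenter.example.local` is a placeholder and the sample bytes are constructed.

```python
import hashlib
import hmac
import socket
import ssl


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of a DER certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AA:BB...', 'aa bb...' or 'aabb...' and return bare upper-case hex."""
    cleaned = "".join(c for c in fp if c not in ": -\t").upper()
    if len(cleaned) != 64 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return cleaned


def matches(der: bytes, expected_fp: str) -> bool:
    """True only if the presented certificate hashes to the expected value."""
    presented = normalize(sha256_fingerprint(der))
    return hmac.compare_digest(presented, normalize(expected_fp))


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate unvalidated (it is not trusted yet)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed stand-in bytes so the check runs offline. For real use:
    #   der = fetch_der("vcenter.example.local")   # placeholder host name
    der = b"constructed sample, not a real certificate"
    pinned = sha256_fingerprint(der)    # in practice: read on the vCenter side
    print(pinned, matches(der, pinned.lower()))
```

Import the certificate in the SSL Trust Manager only when `matches()` returns `True` for the fingerprint obtained out of band.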