Concourse Web UI shows "Failed to Exchange Token" or "Verification Failed" after executing "fly login"


Article ID: 297244


Products

Concourse for VMware Tanzu

Issue/Introduction

This KB article is applicable to customers utilizing UAA for Concourse Authentication and Concourse for VMware Tanzu 3.13 and above.


After executing fly login and accessing the URL provided by the CLI, you are redirected to a blank page that says either "Failed to Exchange Token" or "Verification Failed".

You will see messages similar to the one below in atc.stdout.log, located on the web VM:

{"timestamp":"1564673871.806711912","source":"atc","message":"###.#####.user.not-authorized","log_level":0,"data":{"session":"5.9590"}}

This error can be caused by the UAAC user not having the correct credentials. 
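To confirm that a failed login matches this symptom, the log can be filtered for the not-authorized entries. The script below is an added example, not part of the original KB article or of Concourse itself; it relies only on the JSON fields visible in the log line above, matches the message by its "user.not-authorized" suffix because the prefix is masked on this page, and runs on constructed sample lines unless a log file path is passed as its argument.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample lines in the atc.stdout.log format shown above (not real log data).
SAMPLE_LOG = """\
{"timestamp":"1564673871.806711912","source":"atc","message":"###.#####.user.not-authorized","log_level":0,"data":{"session":"5.9590"}}
{"timestamp":"1564673880.120000000","source":"atc","message":"###.#####.some-other-event","log_level":1,"data":{"session":"5.9591"}}
this line is not JSON and must be skipped
{"timestamp":"1564673902.500000000","source":"atc","message":"###.#####.user.not-authorized","log_level":0,"data":{"session":"5.9602"}}
"""

SUFFIX = "user.not-authorized"  # the message prefix is masked on the page, so match the suffix


def find_not_authorized(lines):
    """Return (utc_time, session, message) for every not-authorized atc entry."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw.startswith("{"):
            continue  # blank or non-JSON output mixed into the log
        try:
            entry = json.loads(raw)
            # Timestamps are epoch seconds stored as a string with nanoseconds.
            when = datetime.fromtimestamp(float(entry["timestamp"]), tz=timezone.utc)
        except (ValueError, KeyError, TypeError):
            continue  # truncated or malformed entry
        message = str(entry.get("message", ""))
        if entry.get("source") != "atc" or not message.endswith(SUFFIX):
            continue
        data = entry.get("data")
        session = data.get("session", "unknown") if isinstance(data, dict) else "unknown"
        hits.append((when.strftime("%Y-%m-%dT%H:%M:%SZ"), session, message))
    return hits


if __name__ == "__main__":
    # With an argument, read that log file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            results = find_not_authorized(fh)
    else:
        results = find_not_authorized(SAMPLE_LOG.splitlines())
    for when, session, message in results:
        print(f"{when}  session={session}  {message}")
```

Comparing the reported UTC times with the moment of the failed fly login shows whether the blank page and the log entry belong to the same attempt.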



Environment

Product Version: 3.13

Resolution

You can determine if your UAAC user's credentials are correct by following this procedure:

1. Retrieve your client-id and secret used in your "fly set-team" command:

$ fly -t concourse set-team -n <Team name> --uaa-auth-client-id <UAAC USER> --uaa-auth-client-secret <SECRET> --uaa-auth-auth-url <URL> --uaa-auth-token-url <URL> --uaa-auth-cf-url <URL> --uaa-auth-cf-space <Space-guid> --uaa-auth-cf-ca-cert certfile


2. Use the uaac target uaa.YOUR-DOMAIN command to target your UAA server.

$ uaac target uaa.example.com


3. Attempt to log in to UAA with the <UAAC USER> retrieved in step 1:

$ uaac token client get <UAAC USER> -s <SECRET>


4. If the previous command fails, your username or password credentials are wrong. To resolve this, log in as an admin user:

$ uaac token client get admin -s MyAdminSecret


Note: You can retrieve the admin secret by navigating to your Ops Manager FQDN > TAS Tile > Credentials tab > UAA > "Admin Client Credentials".

5. Change the user's password:

$ uaac password set <USER-NAME> -p <NEW-PASSWORD>


6. Update your set-team command from step 1 to include the new password from step 5, and run the command.

7. Execute fly login once more and open the URL it provides in your browser. You should now be authenticated as your UAA user and be able to execute further fly commands.