OVF deployment fails in vSphere Web Client with "Unable to authenticate user 'vapi.security.authentication.invalid'"

Article ID: 305768

Updated On: 04-14-2025

Products

VMware vCenter Server

Issue/Introduction

  • OVF deployment using vSphere Web Client fails
  • The error message is:

Unable to authenticate user 'vapi.security.authentication.invalid'

  • /var/log/vmware/vpxd/vpxd.log contains the following entries:
    ####-##-##T##:##:##:##Z info vpxd[10578] [Originator@6876 sub=vpxLro opID=25c4c0e0-01-01-01] [VpxLRO] -- BEGIN lro-5545 -- -- VmprovWorkflow --
    ####-##-##T##:##:##:##Z info vpxd[10578] [Originator@6876 sub=vpxLro opID=25c4c0e0-01-01] [VpxLRO] -- BEGIN lro-5544 -- -- ResourcePool.ImportVAppLRO --
    ####-##-##T##:##:##:##Z info vpxd[10578] [Originator@6876 sub=vpxLro opID=25c4c0e0-01] [VpxLRO] -- BEGIN task-238296 -- Resources -- ResourcePool.ImportVAppLRO --
    ####-##-##T##:##:##:##Z info vpxd[10578] [Originator@6876 sub=vpxLro opID=25c4c0e0-01-01-01] [VpxLRO] -- FINISH lro-5545
    ####-##-##T##:##:##:##Z info vpxd[10578] [Originator@6876 sub=vpxLro opID=25c4c0e0-01-01] [VpxLRO] -- FINISH lro-5544
    ####-##-##T##:##:##:##Z warning vpxd[10578] [Originator@6876 sub=vpxUtil opID=25c4c0e0-01] getaddrinfo failed; host: host.domain.tld, e: N7Vmacore15SystemExceptionE(Name or service not known)
    ####-##-##T##:##:##:##Z info vpxd[10578] [Originator@6876 sub=MoHttpNfcLease opID=25c4c0e0-01] Host URL: https://host.domain.tld/nfc/52d6fa06-186a-096c-6f4f-1c252d37b626/, target ID: disk-0.vmdk
    ####-##-##T##:##:##:##Z info vpxd[10578] [Originator@6876 sub=MoHttpNfcLease opID=25c4c0e0-01] Host URL: https://host.domain.tld/nfc/52d6fa06-186a-096c-6f4f-1c252d37b626/, target ID: disk-1.vmdk
    ####-##-##T##:##:##:##Z info vpxd[10438] [Originator@6876 sub=vpxLro opID=l45cyhm9-117-h5:70000435-b2] [VpxLRO] -- BEGIN lro-5560 -- ChangeLogCollector -- vim.cdc.ChangeLogCollector.waitForChanges -- 520f17e8-99e1-812e-5c9f-83b98d3n9bfbf(523333db-a732-f1a5-b192-14496f9d7733)
    ####-##-##T##:##:##:##Z warning vpxd[10519] [Originator@6876 sub=AuthorizeManager opID=2ffb9116] Refresh function is not configured.User data can't be added to scheduler.User name: VSPHERE.LOCAL\machine-4e5a3746-6e1f-499f-8c84-126e15866b9c
    ####-##-##T##:##:##:##Z info vpxd[10578] [Originator@6876 sub=VAppImport opID=25c4c0e0-01] Removing VM [vim.VirtualMachine:vm-70302,TOPdesk] due to failed import
    ####-##-##T##:##:##:##Z info vpxd[10872] [Originator@6876 sub=MoHttpNfcLease opID=2853f0db] Task aborted
    ####-##-##T##:##:##:##Z info vpxd[10872] [Originator@6876 sub=vpxLro opID=2853f0db] [VpxLRO] -- FINISH lro-5607
    ####-##-##T##:##:##:##Z info vpxd[10497] [Originator@6876 sub=vpxLro opID=1ee9ce8c] [VpxLRO] -- BEGIN lro-5608 -- task-238295 -- vim.Task.setState -- 521e349d-dc35-d657-31a8-300beec6e7b5(52729413-3d60-a09c-e9b8-76d719580967)
    ####-##-##T##:##:##:##Z info vpxd[10497] [Originator@6876 sub=vpxLro opID=1ee9ce8c] [VpxLRO] -- FINISH lro-5608
    ####-##-##T##:##:##:##Z warning vpxd[10590] [Originator@6876 sub=vmomi.soapStub[23] opID=TaskLoop-host-58319] SOAP request returned HTTP failure; <SSL(<io_obj p:0x00007f1d20616b38, h:60, <TCP '###.###.###.###: 43434'>, <TCP '###.###.###.### : 443'>>), /vpxa>, method: waitForUpdates; code: 500(Internal Server Error)
    ####-##-##T##:##:##:##Z info vpxd[10578] [Originator@6876 sub=VAppImport opID=25c4c0e0-01] Done cleaning up after failed import
    ####-##-##T##:##:##:##Z info vpxd[10578] [Originator@6876 sub=vpxLro opID=25c4c0e0-01] [VpxLRO] -- FINISH task-238296
    ####-##-##T##:##:##:##Z info vpxd[10578] [Originator@6876 sub=Default opID=25c4c0e0-01] [VpxLRO] -- ERROR task-238296 -- TOPdesk -- ResourcePool.ImportVAppLRO: vim.fault.OvfImportFailed:
    --> Result:
    --> (vim.fault.OvfImportFailed) {
    -->   faultCause = (vmodl.fault.SystemError) {
    -->      faultCause = (vmodl.MethodFault) null,
    -->      faultMessage = (vmodl.LocalizableMessage) [
    -->         (vmodl.LocalizableMessage) {
    -->            key = "vapi.bindings.method.impl.unexpected",
    -->            arg = (vmodl.KeyAnyValue) [
    -->               (vmodl.KeyAnyValue) {
    -->                  key = "0",
    -->                  value = "com.vmware.vapi.std.errors.Unauthenticated: Unauthenticated (com.vmware.vapi.std.errors.unauthenticated) => {
    -->    messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
    -->    id = vapi.security.authentication.invalid,
    -->    defaultMessage = Unable to authenticate user,
    -->    args = [],
    -->    params = <null>,
    -->    localized = <null>
    --> }],
    -->    data = <null>,
    -->    errorType = UNAUTHENTICATED,
    -->    challenge = <null>


  • /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log contains the following entries:
    ####-##-##T##:##:##:##Z  [ERROR] http-nio-5090-exec-13       70000539 100036 200007 c.v.v.c.p.impl.ProvisioningResourcePoolMutationProvider Error when deploying a template with spec: com.vmware.vsphere.client.provisioning.spec.DeployOnResourcePoolSpec {
     name = TOPdesk
     inOvfMode = true
     inVmMode = true
     parameters = java.lang.Object[]:[]
       com.vmware.vsphere.client.provisioning.workflow.Workflow {
    } com.vmware.vsphere.client.provisioning.ovf.OvfSessionError: Die Methodenimplementierung des Anbieters hat eine unerwartete Ausnahme erzeugt: com.vmware.vapi.std.errors.Unauthenticated: Unauthenticated (com.vmware.vapi.std.errors.unauthenticated) => {
       messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
       id = vapi.security.authentication.invalid,
       defaultMessage = Unable to authenticate user,
       args = [],
       params = <null>,
       localized = <null>
    }],
       data = <null>,
       errorType = UNAUTHENTICATED,
       challenge = <null>
    }
           at com.vmware.vsphere.client.provisioning.ovf.impl.OvfDeployServiceImpl.deployOvf(OvfDeployServiceImpl.java:257)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
           at java.lang.reflect.Method.invoke(Method.java:498)
           at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
           at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:205)
           at com.sun.proxy.$Proxy441.deployOvf(Unknown Source)
           at com.vmware.vsphere.client.provisioning.impl.ProvisioningResourcePoolMutationProvider.add(ProvisioningResourcePoolMutationProvider.java:104)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
           at java.lang.reflect.Method.invoke(Method.java:498)
           at com.vmware.vise.data.provider.DelegatingServiceBase.invokeProviderInternal(DelegatingServiceBase.java:401)
           at com.vmware.vise.data.provider.DelegatingServiceBase.delegate(DelegatingServiceBase.java:116)
           at com.vmware.vise.data.mutation.impl.MutationServiceImpl.add(MutationServiceImpl.java:94)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
           at java.lang.reflect.Method.invoke(Method.java:498)
           at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
           at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:205)
           at com.sun.proxy.$Proxy381.add(Unknown Source)
  • /var/log/vmware/vapi/endpoint/endpoint.log contains the following entries:
    ####-##-##T##:##:##:##Z  | WARN | vAPI-I/O dispatcher-0    | SessionApiSecurityUtil        | Failed to create child session with session manager com.vmware.cis.session for session vpxd-extension-4e5a3746-6e1f-499f-8c84-126e15866b9c@vsphere.local (internal id d7ba7638-af34-4936-b6be-7ae29f83e629, token 71a34...).
    com.vmware.vapi.std.errors.unauthenticated => {data=<unset>, error_type=UNAUTHENTICATED, messages=[com.vmware.vapi.std.localizable_message => {args=[], default_message=Unable to authenticate user, localized=<unset>, id=vapi.security.authentication.invalid, params=<unset>}]}
           at com.vmware.vapi.endpoint.auth.impl.SessionApiSecurityUtil.onLoginResult(SessionApiSecurityUtil.java:248)
           at com.vmware.vapi.endpoint.auth.impl.SessionApiSecurityUtil.access$500(SessionApiSecurityUtil.java:43)
           at com.vmware.vapi.endpoint.auth.impl.SessionApiSecurityUtil$2.setResult(SessionApiSecurityUtil.java:230)
           at com.vmware.vapi.endpoint.auth.impl.SessionApiSecurityUtil$2.setResult(SessionApiSecurityUtil.java:220)
           at com.vmware.vapi.endpoint.session.SessionFacade$1.setResult(SessionFacade.java:110)
           at com.vmware.vapi.endpoint.session.SessionFacade$1.setResult(SessionFacade.java:92)
           at com.vmware.vapi.internal.protocol.client.msg.json.JsonApiProvider$ResponseCallbackImpl.setResult(JsonApiProvider.java:438)
           at com.vmware.vapi.internal.protocol.client.msg.json.JsonApiProvider$ResponseCallbackImpl.received(JsonApiProvider.java:395)
           at com.vmware.vapi.internal.protocol.client.msg.json.JsonApiProvider$1.received(JsonApiProvider.java:482)
           at com.vmware.vapi.endpoint.api.ResponseSizeLimitingClient$ResponseSizeLimitingCallback.received(ResponseSizeLimitingClient.java:93)
           at com.vmware.vapi.internal.protocol.client.rpc.http.handle.NioSingleResponseConsumer.responseCompleted(NioSingleResponseConsumer.java:56)
           at com.vmware.vapi.internal.protocol.client.rpc.http.handle.NioDecoratorConsumer.responseCompleted(NioDecoratorConsumer.java:45)
           at org.apache.http.impl.nio.client.MainClientExec.responseCompleted(MainClientExec.java:383)
           at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.responseCompleted(DefaultClientExchangeHandlerImpl.java:172)
           at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.processResponse(HttpAsyncRequestExecutor.java:448)
           at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.inputReady(HttpAsyncRequestExecutor.java:338)
           at org.apache.http.impl.nio.DefaultNHttpClientConnection.consumeInput(DefaultNHttpClientConnection.java:265)
           at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:81)
           at org.apache.http.impl.nio.client.InternalIODispatch.onInputReady(InternalIODispatch.java:39)
           at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:114)
           at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
           at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
           at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
           at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
           at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
           at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
           at java.lang.Thread.run(Thread.java:748)
    ####-##-##T##:##:##:##Z  | WARN | jetty-default-34         | RequestRateLimitedProvider    | User name cannot be obtained.

 

 



Environment

VMware vCenter Server 7.0.x

Cause

This issue occurs when the STS signing certificate chain contains only the leaf and the intermediate (VMCA) certificates, while the VMCA root certificate has been replaced with a CA-signed certificate.

It can also occur when the vCenter Server is undersized for the inventory it manages.

Resolution

Note: Please make sure that a fresh backup or offline snapshot of the vCenter Server has been created. If the vCenter Server is part of a Linked Mode setup, please ensure that all members of the Linked Mode have been backed up.

To fix this, generate a new STS signing certificate chain using this procedure:

  1. Connect to the vCenter Server Appliance via SSH and log in as root
  2. Change into the BASH shell by running:
    # shell
  3. Create a new certificate
    1. Create a folder in / to hold the new certificate and verify the location of the folder:
      # mkdir /newsts
      # cd /newsts
      # pwd
    2. Copy certool.cfg into the new folder:
      # cp /usr/lib/vmware-vmca/share/config/certool.cfg /newsts
    3. Using a command-line editor such as Vim, open your copy of the certool.cfg file and edit it to use the local vCenter Server IP address and hostname. The country is required and has to be two characters, as shown in the following example:
      #
      # Template file for a CSR request
      #
      
      # Country is needed and has to be 2 characters
      Country = US
      Name = STS
      Organization = ExampleInc
      OrgUnit = <OrgUnit>
      State = <State>
      Locality = <Locality>
      IPAddress = <vCenter_IP_Address>
      Email = <email>
      Hostname = <vCenter_FQDN>
    4. Generate the key:
      # /usr/lib/vmware-vmca/bin/certool --server localhost --genkey --privkey=/newsts/sts.key --pubkey=/newsts/sts.pub
    5. Generate the certificate:
      # /usr/lib/vmware-vmca/bin/certool --gencert --cert=/newsts/newsts.cer --privkey=/newsts/sts.key --config=/newsts/certool.cfg
    6. Add the file with the CA root to the chain so that the resulting PEM file consists of leaf certificate, intermediate certificate, root certificate, and key (from top to bottom):
      # cat /newsts/newsts.cer /var/lib/vmware/vmca/root.cer <CA-ROOT-FILE> /newsts/sts.key > /newsts/newsts.pem
      Note: If the VMCA root certificate was replaced with a custom CA certificate in the past, <CA-ROOT-FILE> must be provided as the chain of certificates from the external CA that signed the current VMCA root certificate down to the root CA. If the VMCA root certificate is a self-signed certificate, <CA-ROOT-FILE> is not needed.
  4. Update the STS signing certificate:
    # /opt/vmware/bin/sso-config.sh -set_signing_cert -t vsphere.local /newsts/newsts.pem
  5. Once the new STS certificate chain has been updated, remove any old trusted certificate chains from VMDir using JXplorer.
    1. Verify that there is a new TrustedCertChain-3:
      cn=TrustedCertChain-3,cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
    2. Delete these two entries:
      cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local

      cn=TrustedCertChain-2,cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
  6. Restart the vCenter Server system, and any other vCenter Server system that is part of an Enhanced Linked Mode configuration.
  7. Retry the OVF deployment
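
The newsts.pem bundle assembled in the procedure above must be ordered leaf, intermediate, root, key, and a bundle that stops at the VMCA certificate reproduces the cause described in this article. The following shell function is an added example, not part of the original article: it checks that ordering before the bundle is passed to sso-config.sh. The function name check_sts_chain and its exit codes are assumptions of this example; it uses only openssl, awk and standard shell utilities.

```shell
# Added example, not part of the KB article. Exit codes are this example's own
# convention: 0 ok, 2 unreadable or too few blocks, 3 key not last,
# 4 certificates out of order, 5 no self-signed root, 6 key/leaf mismatch.
check_sts_chain() (
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    # Split the bundle into one numbered file per PEM block, keeping order.
    awk -v d="$tmp" '/^-----BEGIN /{n++}
        n{print > (sprintf("%s/%03d.pem", d, n))}' "$1" || exit 2
    n=$(($(ls "$tmp" | wc -l)))
    [ "$n" -ge 3 ] || exit 2            # at least leaf, root and key
    blk() { printf '%s/%03d.pem' "$tmp" "$1"; }
    nhash() { openssl x509 -in "$1" -noout "-${2}_hash" 2>/dev/null; }
    # Every block but the last must be a certificate; the last must be a key.
    i=1
    while [ "$i" -le "$n" ]; do
        case "$(head -n 1 "$(blk "$i")")" in
            *"PRIVATE KEY-----")       [ "$i" -eq "$n" ] || exit 3 ;;
            *"BEGIN CERTIFICATE-----") [ "$i" -lt "$n" ] || exit 3 ;;
            *) exit 2 ;;
        esac
        i=$((i + 1))
    done
    # Each certificate must be issued by the certificate directly below it.
    i=1
    while [ "$i" -lt $((n - 1)) ]; do
        iss=$(nhash "$(blk "$i")" issuer)
        [ -n "$iss" ] && [ "$iss" = "$(nhash "$(blk $((i + 1)))" subject)" ] || exit 4
        i=$((i + 1))
    done
    # The last certificate must be self-signed (issuer == subject). A chain
    # that stops at the VMCA intermediate, the cause named above, fails here.
    root=$(blk $((n - 1)))
    iss=$(nhash "$root" issuer)
    [ -n "$iss" ] && [ "$iss" = "$(nhash "$root" subject)" ] || exit 5
    # The private key must belong to the leaf (first) certificate.
    pub=$(openssl x509 -in "$(blk 1)" -noout -pubkey 2>/dev/null)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$(blk "$n")" -pubout 2>/dev/null)" ] || exit 6
    exit 0
)
# Usage on the appliance: check_sts_chain /newsts/newsts.pem && echo "chain order OK"
```

The comparison is by issuer and subject name, so it confirms ordering and completeness of the bundle, not signature validity.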