kubectl vsphere login fails with "Failed to get available workloads: bad gateway"


Article ID: 313102


Updated On:


VMware vSphere ESXi, VMware vSphere with Tanzu



When connecting to a Supervisor cluster as an Active Directory user, kubectl vsphere login fails with the following error:

kubectl vsphere login --server <KUBERNETES-CONTROL-PLANE-IP-ADDRESS> -u <AD USER>
level=fatal msg="Failed to get available workloads: bad gateway\nPlease contact your vSphere server administrator for assistance." Error: exit status 1



VMware vSphere 7.0 with Tanzu


The auth proxy logs on the Supervisor VM show the login failing with a 502 error for the AD user:

2022-08-09T12:55:41.893672642Z stderr F ERROR:vclib.wcp:[140194735557136] WCP request failed.
2022-08-09T12:55:41.894080177Z stderr F INFO:server:[140194735557136] "" - - [09/Aug/2022:12:55:41 +0000] "GET /wcp/workloads HTTP/1.0" 502 46 "-" "kube-plugin-vsphere bld 18647806 - cln 9232193" "<AD USER>"


The vpxd-svcs.log file shows that a principal name configured on the AD server is rejected as invalid. The user is a member of an Active Directory group whose name contains a special character, in this case "@".

2022-08-09T12:55:41.889Z [tomcat-exec-106 ERROR com.vmware.cis.core.authz.accesscontrol.impl.AuthzServiceBaseImpl opId=ca4aaf01-8bb7-4f9e-b4b8-0e3679659899] Store Exception
java.lang.IllegalArgumentException: Invalid principal name <USER GROUP>@NAME@DOMAIN>
  at com.google.common.base.Preconditions.checkArgument(Preconditions.java:217)
  at com.vmware.cis.core.util.NormalizedPrincipalHelper.getNormalizedPrincipal(NormalizedPrincipalHelper.java:30)
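
To confirm that a failed login matches this cause, the two log excerpts above can be correlated by timestamp. The following Python script is an added example, not VMware tooling; the sample log lines, user name, group name and opId are constructed, and it assumes both logs carry UTC timestamps and that a principal with more than one "@" is the affected group.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines in the format of the two excerpts in this article.
AUTH_PROXY_LOG = '''
2022-08-09T12:55:41.894080177Z stderr F INFO:server:[1] "" - - [09/Aug/2022:12:55:41 +0000] "GET /wcp/workloads HTTP/1.0" 502 46 "-" "kube-plugin-vsphere" "alice@example.test"
2022-08-09T13:10:02.100000000Z stderr F INFO:server:[2] "" - - [09/Aug/2022:13:10:02 +0000] "GET /wcp/workloads HTTP/1.0" 200 512 "-" "kube-plugin-vsphere" "bob@example.test"
'''
VPXD_SVCS_LOG = '''
2022-08-09T12:55:41.889Z [tomcat-exec-106 ERROR com.vmware.cis.core.authz.accesscontrol.impl.AuthzServiceBaseImpl opId=aaaa-1111] Store Exception
java.lang.IllegalArgumentException: Invalid principal name ops@team@example.test
  at com.google.common.base.Preconditions.checkArgument(Preconditions.java:217)
'''

PROXY_502 = re.compile(r'^(?P<ts>\S+Z) .*"GET /wcp/workloads HTTP/[\d.]+" 502 \d+ .*"(?P<user>[^"]*)"\s*$')
STORE_EXC = re.compile(r'^(?P<ts>\S+Z) \[.*opId=(?P<opid>[\w-]+)\] Store Exception')
BAD_PRINCIPAL = re.compile(r'IllegalArgumentException: Invalid principal name (?P<name>.+)$')

def parse_ts(ts):
    """Parse an ISO timestamp with a 'Z' suffix and any number of fraction digits."""
    base, _, frac = ts.rstrip("Z").partition(".")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S") + timedelta(seconds=float("0." + (frac or "0")))

def failed_logins(proxy_text):
    """Yield (time, user) for every 502 answer to GET /wcp/workloads."""
    for line in proxy_text.splitlines():
        m = PROXY_502.match(line)
        if m:
            yield parse_ts(m["ts"]), m["user"]

def invalid_principals(vpxd_text):
    """Yield (time, opId, principal) for each 'Invalid principal name' store exception."""
    pending = None
    for line in vpxd_text.splitlines():
        m = STORE_EXC.match(line)
        if m:
            pending = (parse_ts(m["ts"]), m["opid"])
        elif pending and (m := BAD_PRINCIPAL.search(line)):
            yield (*pending, m["name"].strip())
            pending = None

def correlate(proxy_text, vpxd_text, window=timedelta(seconds=2)):
    """Pair each failed login with a nearby exception whose principal has more than one '@'."""
    bad = [b for b in invalid_principals(vpxd_text) if b[2].count("@") > 1]
    return [{"user": user, "opId": opid, "principal": name}
            for ts, user in failed_logins(proxy_text)
            for bts, opid, name in bad if abs(ts - bts) <= window]

if __name__ == "__main__":
    print(correlate(AUTH_PROXY_LOG, VPXD_SVCS_LOG))
```

On a real system, pass the contents of the auth proxy log and vpxd-svcs.log in place of the constructed strings.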



This issue has been resolved in vCenter Server 7.0 Update 3f.


As a workaround, please do not use Active Directory groups with a "@" character in the name. If this is not an option, remove affected users from such groups.