Logging in to vSphere web client fails with error: The login request has expired due to a clock synchronization issue between vSphere Web Client and vCenter Single Sign-On server
Article ID: 322236
Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Attempting to log in to the VMware vSphere Web Client fails with the error:

    The login request has expired due to a clock synchronization issue between vSphere Web Client and vCenter Single Sign-On server https://sso_fqdn:7444/sts/STSService/vsphere.local

  • Logging in to the vSphere Client fails with the error message:

    Vpx::Common::Sso::DomainUnresolvedExceptions(RemoteGetDomainNames RuntimeServiceFault expression: sso.fault.RuntimeServerFault

  • In the vmware-identity-sts.log file under C:\ProgramData\VMware\CIS\runtime\VMwareSTS\logs\, you see a message similar to:

    Signing certificate is not valid at <YYYY-MM-DD>, cert validity: TimePeriod [startTime=<YYYY-MM-DD>,endTime<YYYY-MM-DD>

Note: This article applies to vCenter Server 5.x only. For 6.x and 7.x environments, follow the KB article Checking Expiration of STS Certificate on vCenter Server.

Environment

VMware vCenter Server 5.5.x
VMware vCenter Server Appliance 5.5.x

Cause

This issue is due to expiration of a previously replaced Secure Token Service (STS) certificate.

Resolution

To resolve this issue, reset the STS certificate to the default certificate.

Note: Check ssoserverSign.crt and ssoserverRoot.crt in c:\ProgramData\VMware\CIS\cfg\vmware-sso to confirm whether the certificates have expired or are still valid.
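The note above and the vmware-identity-sts.log message in the Symptoms section are the same check from two directions: is the STS signing certificate's validity window still open at the time the login is attempted? The script below is an added example, not part of the KB and not VMware's code. It parses log lines in the shape the KB quotes and classifies each as expired, not yet valid, or valid, and it reads the notBefore/notAfter dates of a PEM certificate file through the openssl CLI. The ISO timestamp format in the log lines is an assumption (the KB shows only <YYYY-MM-DD> placeholders); openssl on PATH and the sample log lines are likewise assumed and constructed here.

```python
import re
import subprocess
from datetime import datetime, timezone

# Pattern for the vmware-identity-sts.log message quoted in the Symptoms section.
# Date format is an assumption: the KB shows only <YYYY-MM-DD> placeholders, so
# ISO dates with or without a time and zone suffix are accepted.
STS_LINE = re.compile(
    r"Signing certificate is not valid at (?P<at>[^,]+), cert validity: "
    r"TimePeriod \[startTime=(?P<start>[^,\]]+),\s*endTime=?(?P<end>[^\]\s]+)"
)


def parse_ts(text):
    """Parse an ISO-style timestamp; naive values are treated as UTC."""
    text = text.strip()
    for fmt in ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            dt = datetime.strptime(text, fmt)
        except ValueError:
            continue
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised timestamp: {text!r}")


def classify_window(at, start, end):
    """Where the instant 'at' sits relative to the certificate's validity period."""
    if at < start:
        return "not-yet-valid"  # clock is behind the cert's startTime: check time sync first
    if at > end:
        return "expired"        # the condition this KB describes: reset the STS certificate
    return "valid"              # STS cert is fine; the login failure has another cause


def diagnose_sts_log(lines):
    """Return one (verdict, at, start, end) tuple per matching log line."""
    findings = []
    for line in lines:
        m = STS_LINE.search(line)
        if not m:
            continue
        at, start, end = (parse_ts(m.group(k)) for k in ("at", "start", "end"))
        findings.append((classify_window(at, start, end), at, start, end))
    return findings


def cert_window(path):
    """Read notBefore/notAfter from a PEM certificate via the openssl CLI (assumed on PATH)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-dates"],
        capture_output=True, text=True, check=True,
    ).stdout
    dates = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    fmt = "%b %d %H:%M:%S %Y %Z"  # openssl prints e.g. "Mar  1 00:00:00 2013 GMT"
    start = datetime.strptime(dates["notBefore"], fmt).replace(tzinfo=timezone.utc)
    end = datetime.strptime(dates["notAfter"], fmt).replace(tzinfo=timezone.utc)
    return start, end


def check_cert_files(paths, now=None):
    """Verdict per certificate file, e.g. ssoserverRoot.crt and ssoserverSign.crt."""
    now = now or datetime.now(timezone.utc)
    return {p: classify_window(now, *cert_window(p)) for p in paths}


# Constructed sample lines in the shape of the KB's quoted message (not real log output).
SAMPLE_LOG = [
    "2015-04-02T09:15:22Z ERROR Signing certificate is not valid at 2015-04-02T09:15:22Z, "
    "cert validity: TimePeriod [startTime=2013-03-01,endTime=2015-03-01]",
    "2014-01-10T08:00:00Z ERROR Signing certificate is not valid at 2014-01-10, "
    "cert validity: TimePeriod [startTime=2014-06-01,endTime=2016-06-01]",
    "2015-04-02T09:20:00Z INFO Successfully installed VMware STS",
]

if __name__ == "__main__":
    for verdict, at, start, end in diagnose_sts_log(SAMPLE_LOG):
        print(f"{verdict:14} at={at:%Y-%m-%d} window={start:%Y-%m-%d}..{end:%Y-%m-%d}")
```

On a VCSA, `check_cert_files` can be pointed at the /etc/vmware-sso/keys/ paths used in the resolution below; on Windows, at the cfg\vmware-sso directory named in the note. A verdict of "expired" matches the cause this KB describes, while "not-yet-valid" means the host clock is behind the certificate's start time and time synchronization should be checked before the certificate is touched.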

To reset the STS certificate:

For vCenter server:
  1. Open an elevated command prompt.
  2. Stop the STS service by running the command:

    net stop VMwareSTS

  3. Navigate to the default vmware-sso directory:

    cd c:\ProgramData\VMware\CIS\cfg\vmware-sso

  4. Run this command to re-install the STS with the default STS certificate:

    "c:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\bin\java.exe" -cp "c:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\*;c:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\lib\*;.;*" com.vmware.identity.installer.STSInstaller --install --root-cert-path ssoserverRoot.crt --cert-path ssoserverSign.crt --private-key-path ssoserverSign.key --retry-count 2 --retry-interval 30

  5. Start the STS service by running this command:

    net start VMwareSTS

For vCenter Server Appliance (VCSA):
  1. Open an SSH connection to the affected VCSA machine(s) and execute these commands line by line:

    export JAVA_BIN=/usr/java/jre-vmware/bin/java
    export CLASSPATH=/opt/vmware/lib64/*:/usr/lib/vmware-sso/commonlib/*
    export _SSO_ROOT_CERT_X509=/etc/vmware-sso/keys/ssoserverRoot.crt
    export _SSO_SIGNING_LEAF_CERT_X509=/etc/vmware-sso/keys/ssoserverSign.crt
    export _SSO_SIGNING_LEAF_CERT_KEY=/etc/vmware-sso/keys/ssoserverSign.key

    $JAVA_BIN -cp $CLASSPATH com.vmware.identity.installer.STSInstaller --install --root-cert-path "$_SSO_ROOT_CERT_X509" --cert-path "$_SSO_SIGNING_LEAF_CERT_X509" --private-key-path "$_SSO_SIGNING_LEAF_CERT_KEY"

  2. After you see the message Successfully installed VMware STS, reboot the VCSA so that IDM/STS references the changed certificate and the other services (VC, IS, NGC) pick up the change.


Additional Information

In vSphere 5.1, the Secure Token Service (STS) certificate was replaceable with a custom certificate.
In vSphere 5.5, the default STS certificate can no longer be replaced.
Recovering from expired SSL Certificates in VMware vCenter Server 5.5