vSphere Client reports "HTTP Error Code: 403, Status BadResponse, sub status: Issuer not trusted" during login or logout

Article ID: 322363

Updated On: 05-28-2025

Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

  • A 6.5 or 6.7 PSC HA setup behind a Load Balancer in SSL Passthrough mode was recently installed or upgraded.
  • Intermittently during login or logout, the vSphere Client displays the following message:
"[400] An error occurred while processing the authentication response vCenter Single Sign-on server. Details: HTTP Error Code: 403, Status: BadResponse, sub status: Issuer not trusted"
  • If either one of the PSCs in the Load Balancer pool is disabled, the error no longer appears.
  • The vsphere_client_virgo.log on the vCenter shows the following error when the issue occurs:
[YYYY-MM-DDTHH:MM:SSZ] [ERROR] http-nio-5090-exec-3         70010948 104297 ###### com.vmware.identity.websso.client.endpoint.SloListener            Logout Response validation failed. Exception: com.vmware.identity.websso.client.WebssoClientException: Uknown IDP configuration. IDP entity ID = : https://<psc_fqdn>/websso/SAML2/Metadata/vsphere.local
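
To see which issuer the vSphere Client is rejecting and how often, the following added example (not part of the original article and not VMware tooling) tallies the failure line above by the hostname in its IDP entity ID. The hostnames, timestamps and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Failure line quoted in the article. "Uknown" is how the product spells it,
# so the pattern keys on the stable "IDP entity ID" field instead.
FAILURE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[ERROR\].*IDP entity ID\s*=\s*:?\s*(?P<issuer>https?://\S+)"
)

def rejected_issuers(lines):
    """Map issuer hostname -> count and first/last timestamp of rejections."""
    summary = {}
    for line in lines:
        m = FAILURE_RE.match(line)
        if not m:
            continue  # unrelated log line
        host = urlsplit(m["issuer"]).hostname
        if not host:
            continue  # entity ID without a usable hostname
        ts = m["ts"]
        entry = summary.setdefault(host, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        # ISO-8601 UTC timestamps of one format sort correctly as strings.
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary

# Constructed sample lines in the article's format (hostnames are placeholders).
LINE = ("[{ts}] [ERROR] http-nio-5090-exec-3         70010948 104297 ###### "
        "com.vmware.identity.websso.client.endpoint.SloListener            "
        "Logout Response validation failed. Exception: "
        "com.vmware.identity.websso.client.WebssoClientException: Uknown IDP "
        "configuration. IDP entity ID = : https://{host}/websso/SAML2/Metadata/vsphere.local")
SAMPLE_LINES = [
    LINE.format(ts="2025-01-10T08:00:01.120Z", host="psc02.example.test"),
    "[2025-01-10T08:04:37.902Z] [INFO ] constructed unrelated line",
    LINE.format(ts="2025-01-10T08:11:45.003Z", host="psc02.example.test"),
    LINE.format(ts="2025-01-10T08:20:10.500Z", host="psc01.example.test"),
]

if __name__ == "__main__":
    for host, e in sorted(rejected_issuers(SAMPLE_LINES).items()):
        print(f"{host}: {e['count']} rejection(s), {e['first']} .. {e['last']}")
```

Pass the lines of your own vsphere_client_virgo.log to `rejected_issuers`; the time window per issuer can then be compared with which PSC in the Load Balancer pool was serving requests.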



Environment

VMware vCenter Server 6.7.x
VMware vSphere 6.7.x

Cause

When PSCs are in an HA configuration, the Service Registration Endpoints for the Load Balancer have to be updated in the VMDir of both PSCs. This is documented in the article Configuring PSC Appliance for High Availability in vSphere 6.5/6.7 and must be performed after an upgrade of the PSCs, for example from 6.5 to 6.7.

If these steps are not performed, vCenter login or logout reports the "Issuer not trusted" error.

Resolution

Follow the article Configuring PSC Appliance for High Availability in vSphere 6.5/6.7 and complete the "Configuring Platform Service Controller HA in vSphere 6.7" steps.