vSphere Client reports "HTTP Error Code: 403, Status BadResponse, sub status: Issuer not trusted" during login or logout
Article ID: 322363
Updated On:
Products
VMware vCenter Server
VMware vSphere ESXi
Issue/Introduction
- Recently installed or upgraded a 6.5 or 6.7 PSC HA setup behind a Load Balancer in SSL Passthrough mode
- Intermittently during login or logout, the below message is thrown in the vsphere client screen
"[400] An error occurred while processing the authentication response vCenter Single Sign-on server. Details: HTTP Error Code: 403, Status: BadResponse, sub status: Issuer not trusted"
- If either one of the PSCs in the Load Balancer pool are disabled, the error is no more seen
- The vsphere_client_virgo.log log on the vCenter shows the below error during the issue:
[YYYY-MM-DDTHH:MM:SSZ] [ERROR] http-nio-5090-exec-3 70010948 104297 ###### com.vmware.identity.websso.client.endpoint.SloListener Logout Response validation failed. Exception: com.vmware.identity.websso.client.WebssoClientException: Uknown IDP configuration. IDP entity ID = : https://<psc_fqdn>/websso/SAML2/Metadata/vsphere.local
Environment
VMware vCenter Server 6.7.x
VMware vSphere 6.7.x
VMware vSphere 6.7.x
Cause
When PSCs are in HA configuration, the Service Registration Endpoints for the Load Balancer has to be updated in the VMDir of both PSCs. This is documented in article Configuring PSC Appliance for High Availability in vSphere 6.5/6.7 and is mandatory to perform post an upgrade of the PSCs, for e.g. from 6.5 to 6.7.
If the above steps are not performed, the vCenter login or logout would report the "issuer error.not trusted"
Resolution
Follow the article Configuring PSC Appliance for High Availability in vSphere 6.5/6.7 and complete the "Configuring Platform Service Controller HA in vSphere 6.7" steps.
Feedback
Yes
No
Powered by
