NSX-T login with vIDM fails with: "Unauthorized","error_code":98"
search cancel

NSX-T login with vIDM fails with: "Unauthorized","error_code":98"

book

Article ID: 322543

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:

  • vIDM is used to login to the NSX-T managers.
  • You have recently upgraded to 3.2.2.
  • After the upgrade, you are unable to login using a vIDM account and are presented with the following error:
"Unauthorized","error_code":98"
  • If you then open a new tab, it may allow you to login.
  • The following error may be seen in log: /var/log/proxy/reverse-proxy.log
2023-01-06T06:02:38.247Z  INFO grpc-default-executor-124 HttpClientUtil 77154 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Making request to http://127.0.0.1:6565/vidm-oauth2-login?error=access_denied&state=0VPoLq
2023-01-06T06:02:38.250Z  INFO Processing request 76b27b59-8d98-####-####-########7a8 CustomOAuth2AuthorizationRequestRedirectFilter 77154 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] OAuth2AuthorizationRequestRedirectFilter will be bypassed
2023-01-06T06:02:38.502Z  INFO grpc-default-executor-124 HttpClientUtil 77154 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Request executed, response = HttpResponseProxy{HTTP/1.1 401  [Set-Cookie: JSESSIONID=FF10xxxxxxxx1238; Path=/; Secure; HttpOnly; SameSite=Strict, Cache-Control: no-cache, no-store, max-age=0, must-revalidate, Pragma: no-cache, Expires: 0, X-XSS-Protection: 1; mode=block, X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Content-Type: application/json;charset=UTF-8, Content-Length: 79, Date: Fri, 06 Jan 2023 06:02:38 GMT, Keep-Alive: timeout=60, Connection: keep-alive] ResponseEntityProxy{[Content-Type: application/json;charset=UTF-8,Content-Length: 79,Chunked: false]}}

Note: The above line is not always an indication you are encountering this issue, it may be due to other reasons.

  • As root user on the NSX-T managers, checking the file '/opt/vmware/proxy-tomcat/conf/context.xml' you will see the following entry:

<CookieProcessor sameSiteCookies="strict" />



Environment

VMware NSX-T Data Center

Cause

A issue occurred due to some changes made on these versions which prevents vIDM redirect from occurring correctly.

Resolution

This is a known issue impacting NSX and NSX-T data center.

Workaround:
On each NSX-T manager do the following:
Login as root
cp /opt/vmware/proxy-tomcat/conf/context.xml /root/context.xml.bak
vi /opt/vmware/proxy-tomcat/conf/context.xml
Remove line 14: <CookieProcessor sameSiteCookies="strict" />
systemctl restart proxy
Note: Restarting the service proxy, will impact your ability to connect to the manager until the service completes the restart.
Repeat the steps on all three managers, one by one.
These changes are localized to the NSX-T manager, if a manager is replaced, you will need to apply the changes again.