NSX-T login with vIDM fails with: "Unauthorized","error_code":98"


Article ID: 322543


Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • vIDM is used to log in to the NSX-T managers.
  • You have recently upgraded to 3.2.2.
  • After the upgrade, you are unable to log in with a vIDM account and are presented with the following error:
"Unauthorized","error_code":98"
  • If you then open a new tab, the login may succeed.
  • Entries like the following may be seen in the log /var/log/proxy/reverse-proxy.log:
2023-01-06T06:02:38.247Z  INFO grpc-default-executor-124 HttpClientUtil 77154 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Making request to http://127.0.0.1:6565/vidm-oauth2-login?error=access_denied&state=0VPoLq
2023-01-06T06:02:38.250Z  INFO Processing request 76b27b59-8d98-41db-b972-0fb255bec7a8 CustomOAuth2AuthorizationRequestRedirectFilter 77154 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] OAuth2AuthorizationRequestRedirectFilter will be bypassed
2023-01-06T06:02:38.502Z  INFO grpc-default-executor-124 HttpClientUtil 77154 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Request executed, response = HttpResponseProxy{HTTP/1.1 401  [Set-Cookie: JSESSIONID=FF10xxxxxxxx1238; Path=/; Secure; HttpOnly; SameSite=Strict, Cache-Control: no-cache, no-store, max-age=0, must-revalidate, Pragma: no-cache, Expires: 0, X-XSS-Protection: 1; mode=block, X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Content-Type: application/json;charset=UTF-8, Content-Length: 79, Date: Fri, 06 Jan 2023 06:02:38 GMT, Keep-Alive: timeout=60, Connection: keep-alive] ResponseEntityProxy{[Content-Type: application/json;charset=UTF-8,Content-Length: 79,Chunked: false]}}

Note: The above lines are not on their own proof that you are hitting this issue; the same messages can be logged for other reasons.

  • As the root user on the NSX-T managers, checking the file '/opt/vmware/proxy-tomcat/conf/context.xml' you will see the following entry:

<CookieProcessor sameSiteCookies="strict" />


Environment

VMware NSX-T Data Center

Cause

An issue was introduced by changes made in these versions that prevents the vIDM redirect from completing correctly. The proxy Tomcat now marks its session cookie SameSite=Strict (the CookieProcessor entry above; the attribute is also visible on the JSESSIONID Set-Cookie header in the log). A browser does not attach a SameSite=Strict cookie to a request that arrives from another site, so the cookie is missing when vIDM redirects the browser back to the NSX-T manager and the login callback is rejected with the 401 shown above. Opening a new tab is a same-site navigation, which is why retrying there can succeed.

Resolution

This is a known issue impacting NSX and NSX-T Data Center.

Workaround:
On each NSX-T manager, do the following:
Log in as root.
cp /opt/vmware/proxy-tomcat/conf/context.xml /root/context.xml.bak
vi /opt/vmware/proxy-tomcat/conf/context.xml
Remove line 14: <CookieProcessor sameSiteCookies="strict" />
Check that line 14 really is this entry before deleting it; the file may not match line for line on every manager.
systemctl restart proxy
Note: Restarting the proxy service makes the manager unreachable until the restart completes, so do not restart all managers at the same time.
Repeat the steps on all three managers, one by one.
These changes are local to each NSX-T manager; if a manager is replaced, you will need to apply them again on the new node.
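The following script is an added example, not part of this article and not VMware's own tooling. It carries out the workaround above in a checked and reversible way: it counts the access_denied vIDM callbacks in the reverse-proxy log as a quick symptom check, backs up context.xml to the same path the article uses, removes the CookieProcessor entry by matching its text rather than by line number, writes the result back through the existing file so owner and mode are preserved, and verifies the edit before the proxy is restarted. It assumes the file and log paths given in the article, a POSIX sh with grep and sed, and that it is run as root; the function and variable names are the example's own. Run it with --apply on one manager at a time; without --apply it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the VMware KB): remove the SameSite=Strict cookie
# setting from the NSX-T proxy Tomcat context.xml in a checked, reversible way.
# Assumptions: the paths below are the ones named in the article, the manager
# has a POSIX sh with grep and sed, and this runs as root.
set -eu

CONTEXT_XML=/opt/vmware/proxy-tomcat/conf/context.xml   # path from the article
BACKUP=/root/context.xml.bak                             # backup path from the article
PROXY_LOG=/var/log/proxy/reverse-proxy.log               # log path from the article
STRICT_RE='<CookieProcessor.*sameSiteCookies="strict"'   # the line the workaround removes

# Count vIDM callbacks that came back with error=access_denied (the symptom in
# the article). A non-zero count is a hint, not proof: other failures log the
# same URL.
vidm_denied_count() {
    grep -c 'vidm-oauth2-login?error=access_denied' "$1" || true
}

# Count lines in a context.xml that set sameSiteCookies="strict".
strict_line_count() {
    grep -c "$STRICT_RE" "$1" || true
}

# Back up FILE to BAK, then delete the <CookieProcessor sameSiteCookies="strict" />
# line by pattern rather than by line number, so a file that differs from the
# article's layout does not lose the wrong line. Writes through the existing
# inode (cat >) so the file keeps the owner and mode the proxy service expects.
# Refuses (return 1, file untouched) unless exactly one matching line exists.
remove_samesite_strict() {
    file=$1; bak=$2
    n=$(strict_line_count "$file")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one sameSiteCookies=\"strict\" line in $file, found $n" >&2
        return 1
    fi
    cp -p "$file" "$bak"
    tmp=$(mktemp)
    sed "/$STRICT_RE/d" "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
    # Verify: the attribute must be gone and exactly one line must have been removed.
    if grep -q "$STRICT_RE" "$file"; then
        echo "removal failed, restoring $file from $bak" >&2
        cat "$bak" > "$file"
        return 1
    fi
    [ $(wc -l < "$file") -eq $(( $(wc -l < "$bak") - 1 )) ]
}

# Apply on this manager: report the symptom count, edit the real file and
# restart the proxy as the article instructs. The UI is unreachable during the
# restart, so run this on one manager at a time.
apply_workaround() {
    echo "vIDM access_denied callbacks in $PROXY_LOG: $(vidm_denied_count "$PROXY_LOG")"
    remove_samesite_strict "$CONTEXT_XML" "$BACKUP"
    systemctl restart proxy
}

if [ "${1-}" = "--apply" ]; then
    apply_workaround
fi
```

Keep the backup until the issue is fixed in a release you have upgraded to: once the CookieProcessor entry is gone, the proxy no longer sets SameSite on the JSESSIONID cookie, so the cross-site request protection that attribute provided is relaxed for as long as the workaround is in place.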