NSX-T login with vIDM fails with: "Unauthorized","error_code":98"


Article ID: 322543


Updated On:

Products

VMware NSX

Issue/Introduction

  • vIDM is used to log in to the NSX-T managers.
  • You have recently upgraded to 3.2.2.
  • After the upgrade, you are unable to log in using a vIDM account and are presented with the following error:
"Unauthorized","error_code":98"
  • If you then open a new tab, it may allow you to log in.
  • The following error may be seen in the log /var/log/proxy/reverse-proxy.log:
2023-01-06T06:02:38.247Z  INFO grpc-default-executor-124 HttpClientUtil 77154 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Making request to http://127.0.0.1:6565/vidm-oauth2-login?error=access_denied&state=0VPoLq
2023-01-06T06:02:38.250Z  INFO Processing request 76b27b59-8d98-####-####-########7a8 CustomOAuth2AuthorizationRequestRedirectFilter 77154 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] OAuth2AuthorizationRequestRedirectFilter will be bypassed
2023-01-06T06:02:38.502Z  INFO grpc-default-executor-124 HttpClientUtil 77154 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Request executed, response = HttpResponseProxy{HTTP/1.1 401  [Set-Cookie: JSESSIONID=FF10xxxxxxxx1238; Path=/; Secure; HttpOnly; SameSite=Strict, Cache-Control: no-cache, no-store, max-age=0, must-revalidate, Pragma: no-cache, Expires: 0, X-XSS-Protection: 1; mode=block, X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Content-Type: application/json;charset=UTF-8, Content-Length: 79, Date: Fri, 06 Jan 2023 06:02:38 GMT, Keep-Alive: timeout=60, Connection: keep-alive] ResponseEntityProxy{[Content-Type: application/json;charset=UTF-8,Content-Length: 79,Chunked: false]}}

 

Note: The above line is not always an indication that you are encountering this issue; it may be due to other reasons.

  • As the root user on the NSX-T managers, check the file '/opt/vmware/proxy-tomcat/conf/context.xml'; you will see the following entry:

<CookieProcessor sameSiteCookies="strict" />



Environment

VMware NSX-T Data Center

Cause

An issue occurred due to some changes made in these versions, which prevent the vIDM redirect from occurring correctly.

Resolution

This is a known issue impacting NSX and NSX-T Data Center.

Workaround:
 
On each NSX-T manager do the following:
 
Log in as root
cp /opt/vmware/proxy-tomcat/conf/context.xml /root/context.xml.bak
vi /opt/vmware/proxy-tomcat/conf/context.xml
Remove line 14: <CookieProcessor sameSiteCookies="strict" />
systemctl restart proxy
 
Note:
 
  • Restarting the proxy service will impact your ability to connect to the manager until the service completes the restart.
  • Repeat the steps on all three managers, one by one.
  • These changes are localized to the NSX-T manager; if a manager is replaced, you will need to apply the changes again.
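
The workaround above removes the entry by line number. As an added example (not part of the KB article or any VMware tooling), the script below matches the entry by pattern instead, writes the backup first, and is safe to re-run on a manager where the change is already applied. The function names, the ENTRY variable and the sample file are constructed for this example; on a manager the paths from the article would be used, followed by systemctl restart proxy.

```shell
#!/bin/sh
# Added example, not from the KB article: match the entry by pattern rather
# than by line number. ENTRY and the function names are this example's own.
ENTRY='<CookieProcessor[[:space:]]+sameSiteCookies="strict"[[:space:]]*/>'

# has_strict_samesite FILE: exit 0 if the entry shown in the article is present.
has_strict_samesite() { grep -Eq "$ENTRY" "$1"; }

# remove_strict_samesite FILE BACKUP
#   0 = entry removed and backup written
#   1 = entry not present, nothing changed (safe to re-run)
#   2 = error, or the entry shares a line with other markup (edit by hand)
remove_strict_samesite() {
    file=$1 backup=$2
    [ -f "$file" ] || return 2
    has_strict_samesite "$file" || return 1
    cp -p "$file" "$backup" || return 2
    tmp=$(mktemp) || return 2
    # Delete only lines that contain nothing but the entry.
    sed -E "\\#^[[:space:]]*${ENTRY}[[:space:]]*\$#d" "$backup" > "$tmp" \
        || { rm -f "$tmp"; return 2; }
    if grep -Eq "$ENTRY" "$tmp"; then rm -f "$tmp"; return 2; fi
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
}

# Constructed sample resembling a Tomcat context.xml (not the real NSX file).
make_sample() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <CookieProcessor sameSiteCookies="strict" />
</Context>
EOF
}

# Demo on the constructed sample: the first run edits, the second is a no-op.
demo=$(mktemp -d)
make_sample "$demo/context.xml"
rc=0; remove_strict_samesite "$demo/context.xml" "$demo/context.xml.bak" || rc=$?
echo "first run:  $rc"
rc=0; remove_strict_samesite "$demo/context.xml" "$demo/context.xml.bak" || rc=$?
echo "second run: $rc"
rm -rf "$demo"
```

A return value of 2 with the file present means the entry was found but not on a line of its own; the file is left unchanged for manual editing.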