Symptoms:

When using embedded vRealize Orchestrator (vRO), logging in directly to vRO the following issues occur

• User logs into Service Broker then attempts to view catalog items and sees an error similar to

  Internal Server Error [Error Reference ID: GUID] error

• IPAM allocation fails with

  Error: IP ALLOCATE failed: Failed to obtain auth credentials from /core/auth/credentials/0961b0e9-5d57-8c8c-9fbb33c4f7dc: {'content': b'ClientResponse has erroneous status code: 404 Not Found. WebClientServiceResponseException.ErrorDetails

VMware vRealize Automation 8.7.x
VMware vRealize Automation 8.8.x
VMware vRealize Automation 8.9.x

vRO logins does not store the accessToken within the sessionService. vRO and vRA both store access tokens in the browser cookies with one and the same key: csp-auth-token. As a result, once a user logs in through vRO and switches to vRA or have vRA opened in a new tab, then vRA uses the accessToken which was generated by vRO login flow (taken from the cookies). That token is not stored within the session-service at all because vRO login flow does not call session-service.

The issue is most commonly found in the IPAM IP allocation logic when IPAM tries to access the token from the session-service. This also causes visibility problems in the case where the user is not a Cloud Admin when the user token is not stored in session-service DB and user groups cannot be retrieved.

Note: This issue can appear in other situations unrelated to IPAM integrations.

This issue is resolved in VMware vRealize Automation 8.10.0 and above.

Workaround:
The user should logout and close all open browser tabs then login directly to vRA using the following URL: https://vraFQDN

Impact/Risks:
No changes are required after upgrading to vRA 8.10.0 and above.