Article ID: 336070
Issue/Introduction
Symptoms:
- In HTML 5 UI, you will see "Failed to process WebSSO metadata: Invalid SP alias".
- In /var/log/vmware/vsphere-ui/vsphere_client_virgo.log, you will see the following error message:
[2018-10-10T12:34:01.889Z] [ERROR] http-nio-5090-exec-8 70002071 100093 ###### com.vmware.vsphere.client.security.websso.MetadataGeneratorImpl Failed to process WebSSO metadata java.lang.IllegalArgumentException: Invalid SP alias.
at com.vmware.vsphere.client.security.websso.MetadataGeneratorImpl.getSPConfiguration(MetadataGeneratorImpl.java:372)
at com.vmware.vsphere.client.security.websso.MetadataGeneratorImpl.processMetadata(MetadataGeneratorImpl.java:304)
at sun.reflect.GeneratedMethodAccessor1127.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
at com.sun.proxy.$Proxy279.processMetadata(Unknown Source)
at com.vmware.vsphere.client.security.websso.WebssoLoginRequestHandler.handleRequest(WebssoLoginRequestHandler.java:58)
Environment
VMware vCenter Server 6.7.x
Cause
The HTML5 Client (H5C) registers itself with vCenter Single Sign-On as a SAML service provider, using the server name from the incoming request as the service-provider alias. When the H5C is accessed through a non-transparent network intermediary such as a NAT router, the server name in the request is the intermediary's address, which SSO does not accept as a service-provider alias. Because the registration is rejected, every login attempt fails except those made by accessing the H5C directly by its FQDN. Rejecting unknown aliases is deliberate and was done for security reasons, so that a server name supplied in an arbitrary request is not registered as a service provider. However, there are legitimate deployments in which the vCenter Server and its H5C are part of a private network and their IP address is not visible from outside, and the intermediary's address must then be allowed explicitly.
Resolution
To resolve the issue, explicitly allow the intermediary's address as a service-provider alias:
- SSH to the vCenter Server Appliance and edit /etc/vmware/vsphere-ui/webclient.properties.
- Locate the property named sso.serviceprovider.alias.whitelist.
- Uncomment the property and set it to the IP address of the NAT router, for example:
sso.serviceprovider.alias.whitelist=<NAT-router-IP>
- Restart the H5 client service (vsphere-ui).
Add only the address that clients actually use to reach the H5C through the intermediary. Every entry in this property is accepted as a service-provider alias, so keep the list as short as possible.
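The following shell script is an added example of the edit described above, not part of this article and not VMware's own tooling. It idempotently replaces a commented or already-set sso.serviceprovider.alias.whitelist line (or appends one if absent), refuses values that are not a plausible IPv4 address so a typo does not allow-list garbage, and runs against a constructed copy of the properties file so it can be exercised safely before touching the real one. The file path, the single-address value format and the vsphere-ui service-control commands in the trailing comment are assumptions beyond what the article states.

```shell
#!/bin/sh
# Added example: set sso.serviceprovider.alias.whitelist in a webclient.properties
# file without hand-editing. Not from the KB article; paths and service commands
# are assumptions.

PROP="sso.serviceprovider.alias.whitelist"
# Real file on a vCenter Server Appliance 6.7 (assumed from the article's path):
WEBCLIENT_PROPERTIES="/etc/vmware/vsphere-ui/webclient.properties"

# valid_ipv4 ADDR: accept only a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# set_whitelist FILE ADDR: rewrite a commented (#prop=) or active (prop=) line
# to prop=ADDR; append the line if the property is not present at all.
set_whitelist() {
    file=$1
    addr=$2
    valid_ipv4 "$addr" || { echo "refusing to whitelist non-IPv4 value: $addr" >&2; return 1; }
    if grep -Eq "^[#[:space:]]*${PROP}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[#[:space:]]*${PROP}[[:space:]]*=.*|${PROP}=${addr}|" "$file"
    else
        printf '%s=%s\n' "$PROP" "$addr" >> "$file"
    fi
}

# get_whitelist FILE: print the active (uncommented) value, empty if none.
get_whitelist() {
    grep -E "^${PROP}[[:space:]]*=" "$1" | head -n 1 | cut -d= -f2-
}

# Demonstration on a constructed sample, so the script runs anywhere.
# 203.0.113.10 is a documentation address standing in for the NAT router.
sample=$(mktemp)
printf '# constructed sample of webclient.properties\n#%s=\n' "$PROP" > "$sample"
set_whitelist "$sample" 203.0.113.10
echo "whitelist now: $(get_whitelist "$sample")"
rm -f "$sample"

# On the appliance itself you would run (assumed commands, not from the article):
#   set_whitelist "$WEBCLIENT_PROPERTIES" <NAT-router-IP>
#   service-control --stop vsphere-ui && service-control --start vsphere-ui
```

The sed pattern tolerates leading whitespace and a leading # so the same call works whether the property is still commented out or was set earlier, and only one line is ever written, which keeps the allow list to the single address the deployment needs.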