Couldn't establish a connection to the VM web console from vSphere Client
search cancel

Couldn't establish a connection to the VM web console from vSphere Client

book

Article ID: 374599

calendar_today

Updated On:

Products

VMware vCenter Server 7.0 VMware vCenter Server 8.0

Issue/Introduction

  • Unable to launch the console for VMs from the vCenter server it gives a blank page with error: Couldn't establish a connection to the VM web console

  • Able to open RDP sessions to VMs and also can launch the VM console from the ESXi host UI login

There are 2 possible scenarios to encountering this issue.

Scenario A:

Observe Global.Proxy privilege missing error within log:

/var/log/vmware/rhttpproxy/rhttpproxy-xx.log 

2024-07-28T15:00:38.169Z error rhttpproxy[03983] [Originator@6876 sub=RhttpProxy] [Rhttpproxy JWT] Missing privilege! Global.Proxy is required.
2024-07-28T15:00:38.169Z error rhttpproxy[03983] [Originator@6876 sub=RhttpProxy] [Rhttpproxy REST PUT Handler] JWT verification failed
2024-07-28T15:00:38.178Z error rhttpproxy[03947] [Originator@6876 sub=RhttpProxy] [Rhttpproxy JWT] Missing privilege! Global.Proxy is required.
2024-07-28T15:00:38.178Z error rhttpproxy[03947] [Originator@6876 sub=RhttpProxy] [Rhttpproxy REST PUT Handler] JWT verification failed

/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log

[2024-07-28T15:00:39.666Z] [ERROR] -nio-127.0.0.1-5090-exec-997 70148618 103212 200173 c.v.v.r.restclient.impl.EnvoyVapiRequestExecutorServiceImpl Couldn't execute request to reverse proxy REST API. Known eTag = 0 java.lang.RuntimeException: Route wasn't added to any listeners.
        at com.vmware.vise.vim.messaging.webconsole.WebconsoleRequestHandler.lambda$handleRequest$0(WebconsoleRequestHandler.java:246)

 

Scenario B:

/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log shows error related to Token is in the past:

[2024-11-07T14:28:28.045Z] [ERROR] nio-127.0.0.1-5090-exec-3672 70124732 109469 200245 c.v.v.r.restclient.impl.EnvoyVapiRequestExecutorServiceImpl       Error obtaining JWT for the vsphere-ui service principal. com.vmware.vcenter.tokenservice.InvalidGrant: InvalidGrant (com.vmware.vcenter.tokenservice.invalid_grant) => {
    messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
    id = com.vmware.vcenter.tokenservice.exceptions.InvalidGrant,
    defaultMessage = Invalid SUBJECT token: tokenType=SAML2,
    args = [],
    params = <null>,
    localized = <null>
}, LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
    id = com.vmware.identity.saml.InvalidTokenException,
    defaultMessage = Token expiration date: Fri Nov 01 15:19:08 GMT 2024 is in the past.,

/var/log/vmware/sso/tokenservice.log shows similar error that the token is in the past:

2024-11-07T14:28:28.007Z INFO tokenservice[61:tomcat-http--23] [CorId=c609d949-840f-4460-b795-e62578d89408 OpId=##] [com.vmware.identity.token.impl.SamlTokenImpl] Token expiration date: Fri Nov 08 03:36:46 GMT 2024 is in the past.
2024-11-07T14:28:28.009Z ERROR tokenservice[61:tomcat-http--23] [CorId=c609d949-840f-4460-b795-e62578d89408 OpId=] [com.vmware.vcenter.tokenservice.vapi.TokenExchangeProviderImpl] Exchange failed due to invalid grant:
com.vmware.vcenter.tokenservice.exceptions.InvalidGrant: Invalid SUBJECT token: tokenType=SAML2

Environment

vCenter Server 7.x

vCenter Server 8.x 

Cause

Scenario A: 

Global.Proxy privilege is not enabled for the role named "vSphere Client Service Account".

Scenario B:

Token trustworthiness clock tolerance is set to a larger value from default.  The default value is  600000 milliseconds

The vsphere client gets a solution user token from the SSO service when the vsphere-ui service starts.  If this value is set to, as an example 600,000 seconds instead of milliseconds, the service does not take this value into account and thus the token can expire.

Resolution

Scenario A:

Enable the missing Global.Proxy privilege for the "vSphere Client Service Account" role by following the steps below to resolve the VM console issue.

  • Open the browser and login to the vCenter Server webclient using SSO Administrator eg: [email protected]
  • Navigate to Administration >Access Control > Roles
  • Select vSphere Client Service Account and click on edit.
  • Navigate to the Global section and select the Proxy option as mentioned below:

  • After enabling the privilege, we will be able to launch the VM console from the vCenter Server UI.

Scenario B:

Within vsphere client, modify the Token Trustworthiness Clock Tolerance value to default setting of 600000 milliseconds.

  1. Launch vSphere Client
  2. Menu > Administration
  3. Under Single Sign On > Configuration
  4. Choose Local accounts tab.
  5. Under Token Trustworthiness, Click Edit
  6. Change Clock Tolerance to default value of 600000 milliseconds.
  7. Restart vsphere-ui service
    • Open an SSH session to the vCenter appliance
    • Once logged in run the command service-control --restart vsphere-ui

Powered by Wolken Software