Http failure response for https://<vc-ip/fqdn>/plugins/com.vmware.hcx.plugin~4.10.0.24144741~-374630034/<hcx-ip/fqdn>-443/vsphere-client/ui/hcx/hcx-ui/rest/hybridity/api/sessions: 401 OK
The following errors may be observed:
/common/logs/httpd/access.log
<VC-IP> - - [27/Aug/2024:02:15:45 +0000] "POST /vsphere-client/ui/hcx/hcx-ui/rest/hybridity/api/sessions HTTP/1.1" 401 121 6868
/common/logs/admin/web.log
####-##-## ##:##:##.### UTC [https-jsse-nio-127.0.0.1-8443-exec-6, , , TxId: ] INFO c.v.vchs.hybridity.api.LoginUtil- SSO Admin URL : https://<vc-ip/fqdn>/sso-adminserver/sdk/vsphere.local, username : VSPHERE.LOCAL\Administrator
####-##-## ##:##:##.### UTC [https-jsse-nio-127.0.0.1-8443-exec-6, , , TxId: ] INFO c.v.i.token.impl.SamlTokenImpl- SAML token for SubjectNameId [value=<account-used-to-register-VC-with-HCX>, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from XML
####-##-## ##:##:##.### UTC [https-jsse-nio-127.0.0.1-8443-exec-6, , , TxId: ] ERROR c.v.v.h.a.AccessTokenRestController- Failed to fetch NSP roles
com.vmware.vim.sso.admin.exception.NoPermissionException: null
/common/logs/admin/web.log
####-##-## ##:##:##.### UTC [https-jsse-nio-8443-exec-10, , , TxId: ] ERROR c.v.v.h.a.HybridityAuthenticationEntryPoint- Sending Response Error 401 for /hybridity/api/sessions
####-##-## ##:##:##.### UTC [https-jsse-nio-8443-exec-8, , , TxId: ] INFO c.v.vchs.hybridity.api.LoginUtil- SSO Admin URL : https://<vcenter fqdn>/sso-adminserver/sdk/vsphere.local, username : VSPHERE.LOCAL\Administrator
####-##-## ##:##:##.### UTC [Timer-0, , , TxId: ] INFO c.v.v.h.a.SessionPurgingMapSessionRepository- Started Purging session. Current Map count 0
####-##-## ##:##:##.### UTC [https-jsse-nio-8443-exec-9, , , TxId: ] INFO c.v.vchs.hybridity.api.LoginUtil- SSO Admin URL : https://<stale PSC FQDN>/sso-adminserver/sdk/vsphere.local, username : VSPHERE.LOCAL\Administrator
####-##-## ##:##:##.### UTC [https-jsse-nio-8443-exec-8, , , TxId: ] ERROR c.v.v.h.adapters.sts.StsAdapter- STS login error: { "status": "FAILURE", "failure": "ConnectTimeoutException", "details": "org.apache.http.conn.ConnectTimeoutException: Connect to <stale PSC FQDN>:443 [<stale PSC FQDN>\/#.#.#.#] failed: connect timed out
####-##-## ##:##:##.### UTC [https-jsse-nio-8443-exec-2, , , TxId: ] ERROR c.v.v.h.adapters.sts.StsAdapter- STS login error: {
"status": "FAILURE",
"failure": "NoRouteToHostException",
/common/logs/admin/web.log
####-##-## ##:##:##.### UTC [https-jsse-nio-8443-exec-2, , , TxId: ] ERROR c.v.v.h.adapters.sts.StsAdapter- STS login error: { "status": "SUCCESS", "statusCode": 500, "reason": "Internal Server Error", "headers": [ { "content-type": "text\/xml;charset=utf-8" }, { "date": "Fri, 07 Feb 2025 12:24:38 GMT" }, { "x-envoy-upstream-service-time": "3" }, { "vary": "Accept-Encoding" }, { "transfer-encoding": "chunked" } ], "cookies": [], "result": "<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S=\"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\"><S:Body><S:Fault xmlns:ns4=\"http:\/\/www.w3.org\/2003\/05\/soap-envelope\"><faultcode xmlns:ns0=\"http:\/\/docs.oasis-open.org\/wss\/2004\/01\/oasis-200401-wss-wssecurity-secext-1.0.xsd\">ns0:MessageExpired<\/faultcode><faultstring>The time now Fri Feb 07 12:24:38 GMT 2025 does not fall in the request lifetime interval extended with clock tolerance of 600000 ms: [ Fri Feb 07 12:33:33 GMT 2025; Fri Feb 07 13:03:33 GMT 2025). This might be due to a clock skew problem.<\/faultstring><\/S:Fault><\/S:Body><\/S:Envelope>"}
2025-02-07 12:43:33.389 UTC [https-jsse-nio-8443-exec-2, , , TxId: ] ERROR c.v.v.h.a.AccessTokenRestController- Auth Failure: Time desync. Check NTP health. HCX time: 2025-02-07T12:43:33.388Z
HCX
vCenter Server
The account used to register vCenter via the HCX Admin UI was not part of the vSphere Administrators group, resulting in a 401 error being displayed on the UI.
This issue can also be encountered if vCenter is in linked-mode. The HCX Connector appliance is only registered to a single vCenter and is not automatically usable from any linked vCenter.
It may also be encountered if a PSC or vCenter has been decommissioned incorrectly. This can be confirmed by running the lsdoctor tool with the -l flag; see Using the 'lsdoctor' Tool.
The time sync message will be displayed in app.log when the vCenter time does not fall within 60 seconds (60000 ms).
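The log signatures and causes above can be matched mechanically. The following is an added example, not VMware's or the KB author's code: it scans web.log text for the error strings quoted on this page, and for the time-desync case it reads the vCenter time, the HCX time and the clock tolerance out of the two log lines. The names `classify`, `clock_skew` and `SAMPLE` are introduced here, and the sample log is constructed from the excerpts above. The linked-mode cause has no log signature on this page and is not covered.

```python
import re
from datetime import datetime

# Signatures from the web.log excerpts on this page -> the cause the page gives.
CAUSES = {
    "NoPermissionException": "registration account not in vSphere Administrators group",
    "ConnectTimeoutException": "SSO endpoint unreachable (stale PSC or vCenter entry)",
    "NoRouteToHostException": "SSO endpoint unreachable (stale PSC or vCenter entry)",
    "ns0:MessageExpired": "clock skew between HCX and vCenter",
    "Auth Failure: Time desync": "clock skew between HCX and vCenter",
}
VC_NOW = re.compile(r"The time now (\w{3} \w{3} \d{2} [\d:]{8}) GMT (\d{4})")
TOLERANCE = re.compile(r"clock tolerance of (\d+) ms")
HCX_NOW = re.compile(r"HCX time: (\S+)Z")

# Constructed sample modelled on the excerpts above (thread names shortened).
SAMPLE = """\
2025-02-07 12:43:30.101 UTC [exec-6, , , TxId: ] ERROR c.v.v.h.a.AccessTokenRestController- Failed to fetch NSP roles
com.vmware.vim.sso.admin.exception.NoPermissionException: null
2025-02-07 12:43:33.380 UTC [exec-2, , , TxId: ] ERROR c.v.v.h.adapters.sts.StsAdapter- STS login error: { ns0:MessageExpired The time now Fri Feb 07 12:24:38 GMT 2025 does not fall in the request lifetime interval extended with clock tolerance of 600000 ms: [ Fri Feb 07 12:33:33 GMT 2025; Fri Feb 07 13:03:33 GMT 2025). }
2025-02-07 12:43:33.389 UTC [exec-2, , , TxId: ] ERROR c.v.v.h.a.AccessTokenRestController- Auth Failure: Time desync. Check NTP health. HCX time: 2025-02-07T12:43:33.388Z
"""

def classify(log_text):
    """Return the distinct causes whose signatures occur anywhere in the log."""
    return sorted({cause for sig, cause in CAUSES.items() if sig in log_text})

def clock_skew(log_text):
    """Return (HCX time minus vCenter time in seconds, tolerance in ms), or None."""
    vc, tol, hcx = (p.search(log_text) for p in (VC_NOW, TOLERANCE, HCX_NOW))
    if not (vc and tol and hcx):
        return None
    # vCenter prints java.util.Date style in GMT; HCX prints ISO 8601 in UTC.
    vc_now = datetime.strptime(" ".join(vc.groups()), "%a %b %d %H:%M:%S %Y")
    hcx_now = datetime.strptime(hcx.group(1), "%Y-%m-%dT%H:%M:%S.%f")
    return round((hcx_now - vc_now).total_seconds()), int(tol.group(1))

if __name__ == "__main__":
    for cause in classify(SAMPLE):
        print("possible cause:", cause)
    print("skew (s), tolerance (ms):", clock_skew(SAMPLE))
```

A positive skew means the vCenter clock is behind the HCX clock.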
Add the user to the Administrators group, or modify the HCX configuration to use a user that is already part of the Administrators group.
Go to https://<hcx-ip-or-fqdn>:9443, navigate to Configuration -> vCenter Server, and click on 'Edit'.
Appliance Summary" page.
To remove stale PSC entries on vCenter, take an offline backup of all VCs in ELM and perform the steps below in order:
lsdoctor --stalefix
lsdoctor -l
(If the stale PSC is still present, continue to the next step. Otherwise, log out of the VC UI and attempt to use the HCX plugin.)
cmsso-util unregister --node-pnid <stale-node-pnid/fqdn> --username administrator@vsphere.local
lsdoctor -l
To resolve the time sync issue, check whether HCX and vCenter are in sync with the specified NTP servers. Sometimes, VC can be configured to sync with ESXi rather than a specific NTP server. If so, verify that the NTP server is reachable and in sync with the ESXi host on which VC is currently running.
The account used to register vCenter via HCX Admin UI page must belong to the vSphere administrators group and have the administrator role assigned.
For more information, see HCX Manager User Account and Role Requirements.