HCX plugin not working in vCenter UI, Error "Http failure response <url> 401 OK"
search cancel

HCX plugin not working in vCenter UI, Error "Http failure response <url> 401 OK"

book

Article ID: 375625

calendar_today

Updated On:

Products

VMware HCX VMware Cloud on AWS

Issue/Introduction

  • When attempting to use the HCX Plugin via vCenter Server UI, the error below is displayed: 
    Http failure response for https://<vc-ip/fqdn>/plugins/com.vmware.hcx.plugin~4.10.0.24144741~-374630034/<hcx-ip/fqdn>-443/vsphere-client/ui/hcx/hcx-ui/rest/hybridity/api/sessions: 401 OK 



  • The following error is displayed in the /common/logs/httpd/access.log: 
    <VC-IP> - - [27/Aug/2024:02:15:45 +0000] "POST /vsphere-client/ui/hcx/hcx-ui/rest/hybridity/api/sessions HTTP/1.1" 401 121 6868
  • The following error is displayed in the /common/logs/admin/web.log 
    2024-08-27 02:15:52.141 UTC [https-jsse-nio-127.0.0.1-8443-exec-6, , , TxId: ] INFO  c.v.vchs.hybridity.api.LoginUtil- SSO Admin URL : https://<vc-ip/fqdn>/sso-adminserver/sdk/vsphere.local, username : VSPHERE.LOCAL\Administrator
    2024-08-27 02:15:52.590 UTC [https-jsse-nio-127.0.0.1-8443-exec-6, , , TxId: ] INFO  c.v.i.token.impl.SamlTokenImpl- SAML token for SubjectNameId [value=<account-used-to-register-VC-with-HCX>, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from XML
    2024-08-27 02:15:52.702 UTC [https-jsse-nio-127.0.0.1-8443-exec-6, , , TxId: ] ERROR c.v.v.h.a.AccessTokenRestController- Failed to fetch NSP roles
    com.vmware.vim.sso.admin.exception.NoPermissionException: null
  • In some instances, you may see an incorrect PSC name being provided to HCX :
    2025-02-12 13:06:51.687 UTC [https-jsse-nio-8443-exec-10, , , TxId: ] ERROR c.v.v.h.a.HybridityAuthenticationEntryPoint- Sending Response Error 401 for /hybridity/api/sessions
    2025-02-12 13:08:36.836 UTC [https-jsse-nio-8443-exec-8, , , TxId: ] INFO  c.v.vchs.hybridity.api.LoginUtil- SSO Admin URL : https://<vcenter fqdn>/sso-adminserver/sdk/vsphere.local, username : VSPHERE.LOCAL\Administrator
    2025-02-12 13:08:42.039 UTC [Timer-0, , , TxId: ] INFO  c.v.v.h.a.SessionPurgingMapSessionRepository- Started Purging session. Current Map count 0
    2025-02-12 13:09:30.498 UTC [https-jsse-nio-8443-exec-9, , , TxId: ] INFO  c.v.vchs.hybridity.api.LoginUtil- SSO Admin URL : https://<stale PSC FQDN>/sso-adminserver/sdk/vsphere.local, username : VSPHERE.LOCAL\Administrator
    2025-02-12 13:09:45.078 UTC [https-jsse-nio-8443-exec-8, , , TxId: ] ERROR c.v.v.h.adapters.sts.StsAdapter- STS login error: {    "status": "FAILURE",    "failure": "ConnectTimeoutException",    "details": "org.apache.http.conn.ConnectTimeoutException: Connect to <stale PSC FQDN>:443 [<stale PSC FQDN>\/#.#.#.#] failed: connect timed out
  • The below time synchronization messages may also be seen in web.log:

    Location: /common/logs/admin/web.log
    2025-02-07 12:43:33.385 UTC [https-jsse-nio-8443-exec-2, , , TxId: ] ERROR c.v.v.h.adapters.sts.StsAdapter- STS login error: {    "status": "SUCCESS",    "statusCode": 500,    "reason": "Internal Server Error",    "headers": [        {            "content-type": "text\/xml;charset=utf-8"        },        {            "date": "Fri, 07 Feb 2025 12:24:38 GMT"        },        {            "x-envoy-upstream-service-time": "3"        },        {            "vary": "Accept-Encoding"        },        {            "transfer-encoding": "chunked"        }    ],    "cookies": [],    "result": "<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S=\"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\"><S:Body><S:Fault xmlns:ns4=\"http:\/\/www.w3.org\/2003\/05\/soap-envelope\"><faultcode xmlns:ns0=\"http:\/\/docs.oasis-open.org\/wss\/2004\/01\/oasis-200401-wss-wssecurity-secext-1.0.xsd\">ns0:MessageExpired<\/faultcode><faultstring>The time now Fri Feb 07 12:24:38 GMT 2025 does not fall in the request lifetime interval extended with clock tolerance of 600000 ms: [ Fri Feb 07 12:33:33 GMT 2025; Fri Feb 07 13:03:33 GMT 2025). This might be due to a clock skew problem.<\/faultstring><\/S:Fault><\/S:Body><\/S:Envelope>"}2025-02-07 12:43:33.389 UTC [https-jsse-nio-8443-exec-2, , , TxId: ] ERROR c.v.v.h.a.AccessTokenRestController- Auth Failure: Time desync. Check NTP health. HCX time: 2025-02-07T12:43:33.388Z

Environment

HCX
vCenter Server

Cause

The account used to register vCenter via the HCX Admin UI was not part of the vSphere Administrators group, resulting in a 401 error being displayed on the UI.

This issue can also be encountered if vCenter is in linked-mode. The HCX Connector appliance is only registered to a single vCenter and is not automatically usable from any linked vCenter.

It may also be encountered if a PSC or vCenter has been decommissioned incorrectly. This can be confirmed by using the lsdoctor tool and the -l flag.

Using the 'lsdoctor' Tool

The time sync messaging will be displayed in the app.log when the vCenter time does not fall within 60 seconds (60000ms).

Resolution

Add the user to the Administrators group, or modify the HCX configuration to use a user that is already part of the Administrators group.

  • To update or modify the account used by HCX, access the appliance management interface at https://<hcx-ip-or-fqdn>:9443 and navigate to Configuration -> vCenter Server, and click on 'Edit':




  • Restart the Appliance Management and Web Management from "Appliance Summary" page.
  • Log out and then log back into the vCenter UI.



To resolve the stale entry issue on vCenter take an offline backup of all VC's in the ELM and perform the steps below in order:

  • Run lsdoctor --stalefix 
  • Re-run lsdoctor -l  (If the stale PSC is still present, continue to the next step. Else, logout of VC UI and attempt to use the HCX plugin)
  • Run the following command from the VC HCX-MGR is connected to: cmsso-util unregister --node-pnid <stale-node-pnid/fqdn> --username [email protected]
    • Services will automatically be restarted. There may be some error/failure messages that show during the execution of this command; however, wait until services are restarted. Do not interrupt the command.
  • Verify the stale entry has been removed: lsdoctor -l

To resolve the time sync issue, check if HCX and vCenter are in sync with the specified NTP servers. Sometimes, VC can be configured to sync with ESXi rather than a specific NTP server. If so, verify that the NTP server is reachable and in sync with the ESXi host VC currently running. 

Additional Information

The account used to register vCenter via HCX Admin UI page must belong to the vSphere administrators group and have the administrator role assigned.
For more information, check HCX Manager User Account and Role Requirements

Powered by Wolken Software