vIDM oAuth Logins to NSX UI timeout unexpectedly within 15-20 minutes

Article ID: 376715

Products

VMware NSX

Issue/Introduction

When using OAuth with vIDM to log into NSX, sessions appear to time out at random, typically between 15 and 20 minutes after login.

You will see entries similar to the following in /var/log/proxy/reverse-proxy.log on the NSX Managers:

2022-03-23T10:47:23.001Z  INFO Processing request ########-####-####-############ OAuth2AuthenticationProvider #### - [nsx@#### comp="nsx-manager" level="INFO" subcomp="http"] Failed to use SAMAccountName, attempting UserPrincipleName: Invalid credentials

Environment

NSX with vIDM using oAuth credentials and the Advanced Load Balancer.

Cause

This is due to a bug in which the option to re-authenticate (refresh the token) after the initial access token expires was removed.

Resolution

Open an SR with Broadcom, mentioning this KB.

Attach to the case:

  1. Version of NSX.
  2. Version of vIDM.
  3. Version of the Load Balancer.
  4. Version of vSphere.
  5. Log Bundle from vIDM.
  6. Log Bundle from NSX Manager.
  7. Log Bundle from the Load Balancer.
  8. And finally a log bundle from vCenter with the hosts hosting the edges.

Additional Information

The vIDM user is given an Access Token.  This token has a Time To Live of 15 minutes.  When that time expires the user needs a new Access Token.  This is only possible when refresh_token is specified (note that this option was removed).  When refresh_token is specified, the user can continue to refresh the token until the Refresh Token TTL expires.  This is set to 30 days (30*24*60 minutes).

So the problem is that the refresh_token option was removed.  Thus, after 15 minutes the user's token cannot be refreshed and re-authentication is required.

The reason for this is that the vIDM server must keep a record of each refresh token in its database.  Interactive user logins alone would not overload it, but some NSX clients make as many as 100 authentication requests per minute nearly non-stop.
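To confirm whether the symptom above is occurring and how often, the reverse-proxy.log lines shown in this article can be parsed and the re-authentication failures counted per minute; minutes that reach the 100-requests-per-minute rate mentioned here point at the noisy clients. The following script is an added example written for this article, not code from VMware or Broadcom. It assumes the line shape shown in the Issue section (timestamp, level, bracketed structured data, then the message) and uses constructed sample log lines with placeholder request IDs, so it runs offline.

```python
import re
from collections import Counter
from datetime import datetime

# Line shape from the KB's example: ISO timestamp, level, then the message that
# follows the bracketed "[nsx@... comp=... subcomp=...]" structured-data block.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+'
    r'(?P<level>[A-Z]+)\s+.*?\]\s+(?P<msg>.*)$'
)

# The message emitted when the expired session falls back to a fresh credential check.
REAUTH_MARKER = "Failed to use SAMAccountName, attempting UserPrincipleName"


def parse_line(line):
    """Return (timestamp, level, message) for a reverse-proxy.log line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, m.group("level"), m.group("msg")


def count_reauth_per_minute(lines):
    """Count re-authentication fallback messages, bucketed by minute."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the expected shape
        ts, _level, msg = parsed
        if REAUTH_MARKER in msg:
            counts[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return counts


def noisy_minutes(counts, threshold=100):
    """Minutes whose re-authentication count reaches the threshold (100/min per the KB)."""
    return sorted(minute for minute, n in counts.items() if n >= threshold)


def build_sample_log():
    """Constructed sample lines (not real log data): 120 fallbacks in one minute,
    3 in the next, plus one unrelated line that must not be counted."""
    template = (
        "{ts}  INFO Processing request 00000000-0000-0000-000000000000 "
        "OAuth2AuthenticationProvider 0000 - [nsx@0000 comp=\"nsx-manager\" "
        "level=\"INFO\" subcomp=\"http\"] {msg}"
    )
    fallback = REAUTH_MARKER + ": Invalid credentials"
    lines = []
    for i in range(120):
        ts = "2022-03-23T10:47:%02d.%03dZ" % (i % 60, i)
        lines.append(template.format(ts=ts, msg=fallback))
    for i in range(3):
        ts = "2022-03-23T10:48:%02d.001Z" % (i * 10)
        lines.append(template.format(ts=ts, msg=fallback))
    lines.append(template.format(ts="2022-03-23T10:48:45.001Z",
                                 msg="Token validated successfully"))
    return lines


if __name__ == "__main__":
    counts = count_reauth_per_minute(build_sample_log())
    for minute, n in sorted(counts.items()):
        print(minute, n)
    print("minutes at or above threshold:", noisy_minutes(counts))
```

Point the script at a real file by replacing `build_sample_log()` with `open("/var/log/proxy/reverse-proxy.log")`; minutes that come back from `noisy_minutes` are the ones worth correlating with the vIDM log bundle requested in the Resolution section.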