Login to vCenter Server with External Identity Providers for SSO account stops working



Article ID: 378474


Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • An external identity provider for federated authentication can be configured in vCenter.

    vSphere 8.0 Update 1 and later supports Okta. vSphere 8.0 Update 2 and later supports Microsoft Entra ID (formerly called Azure AD). Starting in vSphere 8.0 Update 3, vSphere supports PingFederate.

  • While logging in to vCenter Server with an external SSO account, the following error is thrown:

"Error: Workspace ONE Access encountered an error. Contact your admin and provide the information displayed below" 

  • Restarting the vCenter Server services temporarily resolves the issue.

  • A line similar to the following can be found in the log file /var/log/vmware/vc-ws1a-broker/token-service.log:
    YYYY-MM-DDTHH:MM:SS ERROR XXXXX.XXXXX.XXXXX:token (vert.x-eventloop-thread-1) [-;-;127.0.0.1;d6ef8ccf-c7cd-4798-83b5-8dbfc492b7e8;-] io.vertx.ext.web.RoutingContext - Unhandled exception in router java.lang.OutOfMemoryError: Java heap space


    Or in /var/log/vmware/vc-ws1a-broker/accesscontrol-service.log:

    YYYY-MM-DDTHH:MM:SS ERROR YYYYY.YYYYY.YYYYY:accesscontrol (ForkJoinPool-10-worker-7) [HWS;-;127.0.0.1;cda649a0-1002-4816-a3ee-ecc08f5b84b8;-;-;-] io.vertx.ext.web.RoutingContext - Unhandled exception in router java.lang.ClassCastException: class java.lang.OutOfMemoryError cannot be cast to class com.vmware.vidm.common.exception.MultiFormattableRuntimeException (java.lang.OutOfMemoryError is in module java.base of loader 'bootstrap'; com.vmware.vidm.common.exception.MultiFormattableRuntimeException is in unnamed module of loader 'app')


Environment

  • vCenter Server 8.0 

Cause

This issue occurs during the scheduled token revocation job. When the job runs, it pulls entries from the database using the default page size, which exhausts the Java heap and causes the OutOfMemoryError.
The issue also occurs when no external SSO provider is configured.

Resolution

This issue is resolved in vCenter Server 9.0. Prior to upgrading to vCenter Server 9.0, the following workaround can be applied:

1. Take a snapshot of vCenter

Broadcom recommends taking an offline snapshot (virtual machine powered off) of all nodes in the same SSO domain in Enhanced Linked Mode (ELM) before any activity that includes changes to vCenter Server.
Refer to VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice.

2. Identify the most recent token/config/application.properties file

#cd /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots

#find -iname application.properties -printf "%c %p\n" | grep token

The output would be similar to:

Tue Mar 13 13:01:07.2030410030 2025 ./11/fs/opt/vmware/idm/initc/services/token/config/application.properties
Tue Mar 17 12:10:27.7020400234 2026 ./12/fs/opt/vmware/idm/initc/services/token/config/application.properties
Tue Mar 17 12:10:27.7020410000 2026 ./33/fs/opt/vmware/idm/initc/services/token/config/application.properties


3. Back up application.properties from the highest snapshot number in the previous command's output, ./XX/fs/opt/vmware/idm/initc/services/token/config/application.properties (in the previous example XX would be 33). Note that there is only a tiny fraction of a second between the timestamps of snapshots 12 and 33, so go by the snapshot number, not the time.

#cp ./XX/fs/opt/vmware/idm/initc/services/token/config/application.properties /var/core/application.properties


4. Edit ./XX/fs/opt/vmware/idm/initc/services/token/config/application.properties

#vi ./XX/fs/opt/vmware/idm/initc/services/token/config/application.properties


5. Add the three limit lines (the last three lines below; the first two already exist) under the token configuration section.

The section would then look similar to:

## Token configuration
token.revocation.check.source=local
token.public.key.source=remote_crypto

token.delete.expired.tokens.limit=100
revocation.delete.old.tombstones.limit=100
revoke.by.oauthclientid.batch.size=500


6. Restart the broker service

#service-control --restart vc-ws1a-broker

Note:

To check the service status after the restart, run the command below and review the HealthState value:

#vmon-cli -s vc-ws1a-broker
--------

Example:
<user>@<vcenter> [ ~ ]# vmon-cli -s vc-ws1a-broker

Name: vc-ws1a-broker
Starttype: AUTOMATIC
RunState: STARTED
RunAsUser: root
CurrentRunStateDuration(ms): XXXX
HealthState: HEALTHY
FailStop: N/A
MainProcessId: YYYY
--------

7. Remove/consolidate vCenter snapshot(s).
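The locate, back up and edit part of the workaround (steps 2 to 5), scripted as an added example that is not part of this article. It assumes the default snapshot and backup paths given above (both can be overridden through SNAP_ROOT and BACKUP_DIR, for instance to point at a constructed test tree), appends only the limit keys that are not already present so it can be re-run safely, and leaves the broker restart (step 6) to the operator.

```shell
#!/bin/sh
# Added example (not from the KB): script the workaround in steps 2 to 5.
# SNAP_ROOT and BACKUP_DIR default to the paths named in the article and can be
# overridden, e.g. to a constructed directory tree for a dry run.
set -eu

SNAP_ROOT="${SNAP_ROOT:-/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots}"
BACKUP_DIR="${BACKUP_DIR:-/var/core}"
REL_PATH="fs/opt/vmware/idm/initc/services/token/config/application.properties"
LIMITS="token.delete.expired.tokens.limit=100
revocation.delete.old.tombstones.limit=100
revoke.by.oauthclientid.batch.size=500"

# Print the token application.properties under the highest-numbered snapshot
# directory (steps 2 and 3: pick by snapshot number, e.g. ./33/..., not by time).
newest_token_props() {
    for d in $(ls "$SNAP_ROOT" | grep -E '^[0-9]+$' | sort -rn); do
        f="$SNAP_ROOT/$d/$REL_PATH"
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Return 0 only if every limit key is already set in the given properties file.
check_token_limits() {
    for kv in $LIMITS; do
        grep -q "^${kv%%=*}=" "$1" || return 1
    done
}

# Back up the newest file, then append each missing key (steps 3 to 5). Keys are
# order-independent in a .properties file, so appending is equivalent to placing
# them under "## Token configuration". Safe to re-run: present keys are skipped.
apply_token_limits() {
    f="$(newest_token_props)" || { echo "token application.properties not found" >&2; return 1; }
    cp "$f" "$BACKUP_DIR/application.properties.bak-$(date +%Y%m%d%H%M%S)"
    for kv in $LIMITS; do
        grep -q "^${kv%%=*}=" "$f" || printf '%s\n' "$kv" >> "$f"
    done
    printf '%s\n' "$f"
}

# Step 6 is left to the operator: service-control --restart vc-ws1a-broker
if [ "${1:-}" = "--apply" ]; then
    apply_token_limits
fi
```

Run it as `sh apply_token_limits.sh --apply` on the vCenter shell after the snapshot in step 1; the edited file path is printed on success.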

Additional Information

Login to vCenter Server with an external identity provider for an SSO account stops working