When a user attempts to log in to the SDDC Manager UI, the login fails with the authentication error "You are not authorized to view this page". On refresh, the UI returns "errorCode\":\"IDENTITY_UNAUTHORIZED_ENTITY\",\"arguments\":[],\"message\":\"User is not authorized\",\"referenceToken\"".
The SDDC Manager UI log shows entries similar to the following:
/var/log/vmware/vcf/sddc-manager-ui-app/sddcManagerServer.log
[YYYY-MM-DDTHH:MM:SS] ERROR [3112d76f9e614700] [services/authorization.js, http-post-callback, isAuthorizedUser:68]
500.144: VError: User Authorization failed: 401 - "{\"errorCode\":\"IDENTITY_UNAUTHORIZED_ENTITY\",\"arguments\":[],\"message\":\"User is not authorized\",\"referenceToken\":\"K5IACU\"}"
at Object.authorizationFailedError (/opt/vmware/vcf/sddc-manager-ui-app/server/src/errors/VCFError.js:100:5)
at isAuthorizedUser (/opt/vmware/vcf/sddc-manager-ui-app/server/src/services/authorization.js:67:41)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async authorizeUser (/opt/vmware/vcf/sddc-manager-ui-app/server/src/services/authorization.js:30:9)
Error Info: {"errorModule":500,"errorCode":144}
caused by:
StatusCodeError: 401 - "{\"errorCode\":\"IDENTITY_UNAUTHORIZED_ENTITY\",\"arguments\":[],\"message\":\"User is not authorized\",\"referenceToken\":\"K5IACU\"}"
at new StatusCodeError (/opt/vmware/vcf/sddc-manager-ui-app/server/node_modules/request-promise-core/lib/errors.js:32:15)
at Request.plumbing.callback (/opt/vmware/vcf/sddc-manager-ui-app/server/node_modules/request-promise-core/lib/plumbing.js:104:33)
at Request.RP$callback [as _callback] (/opt/vmware/vcf/sddc-manager-ui-app/server/node_modules/request-promise-core/lib/plumbing.js:46:31)
at Request.self.callback (/opt/vmware/vcf/sddc-manager-ui-app/server/node_modules/request/request.js:185:22)
at Request.emit (node:events:513:28)
at Request.<anonymous> (/opt/vmware/vcf/sddc-manager-ui-app/server/node_modules/request/request.js:1154:10)
at Request.emit (node:events:513:28)
at IncomingMessage.<anonymous> (/opt/vmware/vcf/sddc-manager-ui-app/server/node_modules/request/request.js:1076:12)
at Object.onceWrapper (node:events:627:28)
at IncomingMessage.emit (node:events:525:35)
All Errors Info:
{"id":"bdd5e5f4-7782-4d8e-bee3-ce54a33d1a40"}
[YYYY-MM-DDTHH:MM:SS] ERROR [3112d76f9e614700] [services/authorization.js, http-post-callback, authorizeUser:35]
500.143: VError: Unauthorized user, logging out
at Object.unauthorizedUserError (/opt/vmware/vcf/sddc-manager-ui-app/server/src/errors/VCFError.js:100:5)
at authorizeUser (/opt/vmware/vcf/sddc-manager-ui-app/server/src/services/authorization.js:34:41)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
Error Info: {"errorModule":500,"errorCode":143}
Correlating with the above log snippets, the operations manager log contains entries similar to the following:
/var/log/vmware/vcf/operationsmanager/operationsmanager.log
[YYYY-MM-DDTHH:MM:SS] DEBUG [vcf_om,26f25a600d86a151,d045] [c.v.v.s.t.DynamicTrustManager,http-nio-127.0.0.1-7300-exec-5] Trying to reload trusted certificates and recheck chain C=US, CN=<VC_FQDN>
[YYYY-MM-DDTHH:MM:SS] DEBUG [vcf_om,26f25a600d86a151,d045] [c.v.v.s.t.DynamicTrustManager,http-nio-127.0.0.1-7300-exec-5] Custom Trust Strategy initialized.
[YYYY-MM-DDTHH:MM:SS] ERROR [vcf_om,26f25a600d86a151,d045] [c.v.v.l.s.LicenseManagerServiceImpl,http-nio-127.0.0.1-7300-exec-5] Unable to fetch license key usage from VsphereLicenseKeyUsagePopulator.
com.vmware.evo.sddc.common.services.psc.exception.PscException: Unable to obtain Security Token Service from SSO 'VC_FQDN'
at com.vmware.evo.sddc.common.util.SSOEntityService.getSamlToken(SSOEntityService.java:317)
at com.vmware.evo.sddc.common.services.licensing.LicenseServiceFactory.createLicenseService(LicenseServiceFactory.java:43)
at com.vmware.vcf.licensemanager.service.client.LicensingClient.getLicenseUtilizations(LicensingClient.java:184)
at com.vmware.vcf.licensemanager.service.usage.VsphereLicenseKeyUsagePopulator.gatherAndPopulateScatteredLicenseUsage(VsphereLicenseKeyUsagePopulator.java:95)
Caused by: java.security.cert.CertPathValidatorException: validity check failed
at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)
... 165 common frames omitted
Caused by: java.security.cert.CertificateExpiredException: NotAfter: <Expiry Date>
at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)
at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:675)
at java.base/sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
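The two log excerpts above are only conclusive when read together: the 401 in sddcManagerServer.log says that authorization was refused, while operationsmanager.log says why (no STS token because a certificate in the vCenter chain is expired). The following added example, which is not part of this article, correlates the two patterns over constructed sample lines modelled on the excerpts; the vCenter FQDN and expiry date in the sample are made up.

```python
import re

# Constructed sample lines modelled on the excerpts in this article; the
# vCenter FQDN is a placeholder and the expiry date is made up.
UI_LOG = r"""
500.144: VError: User Authorization failed: 401 - "{\"errorCode\":\"IDENTITY_UNAUTHORIZED_ENTITY\",\"arguments\":[],\"message\":\"User is not authorized\",\"referenceToken\":\"K5IACU\"}"
500.143: VError: Unauthorized user, logging out
"""
OM_LOG = r"""
com.vmware.evo.sddc.common.services.psc.exception.PscException: Unable to obtain Security Token Service from SSO 'vc01.example.invalid'
Caused by: java.security.cert.CertPathValidatorException: validity check failed
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Sun Jan 14 00:00:00 UTC 2024
"""

# 401 from the identity service, with the referenceToken the UI shows the user.
UNAUTHORIZED_RE = re.compile(r'401 - .*IDENTITY_UNAUTHORIZED_ENTITY.*?referenceToken\\?"\s*:\s*\\?"(\w+)')
# Operations manager could not get an STS token from this SSO host ...
STS_RE = re.compile(r"Unable to obtain Security Token Service from SSO '([^']+)'")
# ... because a certificate in the chain is past its NotAfter date.
EXPIRED_RE = re.compile(r"CertificateExpiredException: NotAfter: (.+?)\s*$")


def ui_unauthorized_tokens(log_text):
    """Reference tokens of IDENTITY_UNAUTHORIZED_ENTITY 401s in sddcManagerServer.log."""
    return [m.group(1) for m in map(UNAUTHORIZED_RE.search, log_text.splitlines()) if m]


def sts_certificate_failures(log_text):
    """(sso_host, not_after) for each STS failure whose cause is an expired certificate."""
    results, host = [], None
    for line in log_text.splitlines():
        if m := STS_RE.search(line):
            host = m.group(1)
        elif host and (m := EXPIRED_RE.search(line)):
            results.append((host, m.group(1)))
            host = None
    return results


def diagnose(ui_log, om_log):
    """Correlate both logs; None when the pattern from this article is absent."""
    tokens = ui_unauthorized_tokens(ui_log)
    failures = sts_certificate_failures(om_log)
    if not tokens or not failures:
        return None
    host, not_after = failures[0]
    return {"reference_tokens": tokens, "sso_host": host, "not_after": not_after,
            "likely_cause": "expired vCenter machine SSL certificate (check VECS on %s)" % host}


if __name__ == "__main__":
    print(diagnose(UI_LOG, OM_LOG))
```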
vSphere SSO credentials also cannot be used to look up passwords from an SDDC Manager SSH session; the lookup fails with an error similar to:
Password lookup operation requires ADMIN user credentials. Please refer VMware Cloud Foundation Administration Guide for setting up ADMIN user.
Supported entity types: ESXI VCENTER PSC NSX_MANAGER NSX_CONTROLLER NSXT_MANAGER NSXT_EDGE VRSLCM VRLI VROPS VRA WSA BACKUP VXRAIL_MANAGER AD
Enter an entity type from above list: VCENTER
Enter page number (optional):
Enter page size (optional, default=50):
Enter Username: [email protected]
Enter Password:
Error occurred during token creation step!
Applies to: VMware Cloud Foundation 4.x
This issue appears to be caused by the expiry of the vCenter Server machine SSL certificate: the operations manager cannot validate the vCenter certificate chain, so it fails to obtain an STS token from SSO, and SDDC Manager then rejects the UI login as unauthorized.
To confirm the expiry, list the alias and Not After date of every entry in each VECS store. Run the following in an SSH session on the vCenter Server appliance:
# List every VECS store (the CRL store holds no certificates, so it is skipped)
# and print each entry's alias with its "Not After" date.
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
    echo "[*] Store : $store"
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store "$store" --text | grep -i -e "Alias" -e "Not After"
done
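The grep above only shows the raw dates; it is still up to the reader to spot which ones are in the past. The following added example (not part of this article) parses the openssl-style text that vecs-cli prints per store and classifies each certificate as expired, expiring or OK. The store contents, aliases, CN and dates in the sample are constructed, and the exact output layout is an assumption modelled on a vCenter Server appliance.

```python
from datetime import datetime, timezone

# Constructed sample in the openssl-style text that "vecs-cli entry list
# --store <store> --text" prints (layout assumed from a vCenter Server
# appliance; store contents, aliases and dates here are made up).
VECS_TEXT = {
    "MACHINE_SSL_CERT": """\
Alias :\t__MACHINE_CERT
        Validity
            Not Before: Jan 10 12:00:00 2020 GMT
            Not After : Jan  9 12:00:00 2022 GMT
        Subject: C=US, CN=vc01.example.invalid
""",
    "vpxd": """\
Alias :\tvpxd
        Validity
            Not Before: Jan 10 12:00:00 2024 GMT
            Not After : Jan 10 12:00:00 2026 GMT
        Subject: C=US, CN=vpxd
""",
}
# Reference time for the sample run; use datetime.now(timezone.utc) on a live system.
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def parse_entries(text):
    """Return [(alias, not_after)] for every certificate in one store's --text output."""
    alias, entries = None, []
    for raw in text.splitlines():
        line = " ".join(raw.split())          # collapse the tabs and double spaces
        if line.startswith("Alias :"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Not After :"):
            stamp = line.split(":", 1)[1].strip()
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
            entries.append((alias, when))
    return entries


def check_stores(stores, now=None, warn_days=30):
    """Classify each certificate as EXPIRED, EXPIRING (within warn_days) or OK."""
    now = now or datetime.now(timezone.utc)
    report = []
    for store, text in stores.items():
        for alias, not_after in parse_entries(text):
            days = (not_after - now).days
            state = "EXPIRED" if days < 0 else "EXPIRING" if days <= warn_days else "OK"
            report.append((store, alias, not_after.date().isoformat(), days, state))
    return report
```

On a live appliance, feed the output of vecs-cli for each store into check_stores instead of the constructed VECS_TEXT; an EXPIRED row in MACHINE_SSL_CERT matches the CertificateExpiredException seen in operationsmanager.log.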