This is a known issue in large vCenter Embedded Linked Mode environments. If multiple users who do not have permission to log in to any of the vCenter instances in the linked group try to log in, the vSphere Client might reach the maximum number of allowed HTTP sessions. As a result, no user is able to log in, and all users receive the maximum number of sessions exceeded message.
7.x versions
This issue occurs due to a session leak when a user who doesn't have permission to see any of the vCenters in the federation tries to log in. Even after the user logs out, the session from the login attempt remains active.
In vsphere_client_virgo.log, we may see the "Too many active sessions" message:
ERROR] http-nio-5090-exec-138 70077257 103157 ###### com.vmware.vsphere.client.security.sso.SsoAuthenticationHandler Error during authentication com.vmware.vcenter.apigw.session.SessionCreationException: Too many active sessions.
at com.vmware.vcenter.apigw.session.frontend.impl.FrontendSessionManagerImpl.create(FrontendSessionManagerImpl.java:408)
at com.vmware.vcenter.apigw.api.impl.ApiGatewaySessionManagerImpl.login(ApiGatewaySessionManagerImpl.java:51)
at sun.reflect.GeneratedMethodAccessor949.invoke(Unknown Source)
Login failure to vCenter due to no permission
[202x-xx-xxT0x:xx:xx.401Z] [WARN ] m-authentication-pool-252796 70278827 121661 202021 com.vmware.vsphere.client.security.VimAuthenticationHandler Login to vCenter Server https:<vCenter FQDN>:443/sdk failed with NoPermission error for user - null
[202x-xx-xxT0x:xx:xx.402Z] [INFO ] http-nio-5090-exec-614 70278827 121661 202021 com.vmware.vsphere.client.security.VimAuthenticationHandler LinkedVcGroupRegistry login complete 121661
[202x-xx-xxT0x:xx:xx.402Z] [ERROR] http-nio-5090-exec-614 70278827 121661 202021 com.vmware.vise.security.spring.DefaultAuthenticationProvider Authentication failure com.vmware.vise.security.spring.DefaultAuthenticationException: Unable to login because you do not have permission on any vCenter Server systems connected to this client.
at com.vmware.vsphere.client.security.VimAuthenticationHandler.authenticate(VimAuthenticationHandler.java:276)
at com.vmware.vise.security.spring.DefaultAuthenticationProvider.authenticate(DefaultAuthenticationProvider.java:353)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
at com.vmware.vise.security.websso.WebssoAuthenticationProcessingFilter.attemptAuthentication(WebssoAuthenticationProcessingFilter.java:47)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:231)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:361)
Identify the user with failed login attempts
[202x-xx-xxT0x:xx:xx.383Z] [INFO ] agw-token-acq2740 ######## ###### 202021 com.vmware.identity.token.impl.SamlTokenImpl SAML token for SubjectNameId [[email protected], format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
[202x-xx-xxT0x:xx:xx.384Z] [INFO ] agw-token-acq2740 ######## ###### 202021 com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl Successfully acquired token for user: {Name: username, Domain: test.com.xyz}
[202x-xx-xxT0x:xx:xx.401Z] [INFO ] m-authentication-pool-252796 70278827 121661 202021 com.vmware.vise.vim.commons.vcservice.impl.LinkedVcGroupImpl VC Login results:
Failed VCs: [null]
[202x-xx-xxT0x:xx:xx.401Z] [ERROR] linkedVcGroup-pool-252797 70278827 121661 202021 com.vmware.vise.util.concurrent.ExecutorUtil A task crashed: com.vmware.vise.vim.commons.vcservice.impl.LinkedVcGroupImpl$1@f27882a java.util.concurrent.ExecutionException: (vim.fault.NoPermission)
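One way to automate the identification step above, as an added example (not part of the original article or VMware tooling). It assumes, based on the excerpts above, that the last numeric field before the class name is shared by the token-acquisition line and the authentication-failure line of the same login attempt; the sample lines, user names and ids are constructed.

```python
import re
from collections import Counter

# Header layout taken from the excerpts above:
# [timestamp] [LEVEL] thread id id id class message
LINE_RE = re.compile(
    r"^\[[^\]]+\] \[\w+\s*\] \S+ \S+ \S+ (?P<corr>\S+) (?P<cls>\S+) (?P<msg>.*)$")
TOKEN_RE = re.compile(
    r"Successfully acquired token for user: "
    r"\{Name: (?P<name>[^,]+), Domain: (?P<domain>[^}]+)\}")
DENIED = "do not have permission on any vCenter Server"
LIMIT = "Too many active sessions"

# Constructed sample lines (users, ids and timestamps are made up).
SAMPLE_LOG = """\
[2024-01-01T00:00:01.384Z] [INFO ] agw-token-acq1 ######## ###### 202021 com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl Successfully acquired token for user: {Name: alice, Domain: example.test}
[2024-01-01T00:00:01.402Z] [ERROR] http-nio-5090-exec-614 70278827 121661 202021 com.vmware.vise.security.spring.DefaultAuthenticationProvider Authentication failure com.vmware.vise.security.spring.DefaultAuthenticationException: Unable to login because you do not have permission on any vCenter Server systems connected to this client.
 at com.vmware.vsphere.client.security.VimAuthenticationHandler.authenticate(VimAuthenticationHandler.java:276)
[2024-01-01T00:00:05.100Z] [INFO ] agw-token-acq2 ######## ###### 202030 com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl Successfully acquired token for user: {Name: bob, Domain: example.test}
[2024-01-01T00:00:09.384Z] [INFO ] agw-token-acq3 ######## ###### 202040 com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl Successfully acquired token for user: {Name: alice, Domain: example.test}
[2024-01-01T00:00:09.402Z] [ERROR] http-nio-5090-exec-615 70278830 121670 202040 com.vmware.vise.security.spring.DefaultAuthenticationProvider Authentication failure com.vmware.vise.security.spring.DefaultAuthenticationException: Unable to login because you do not have permission on any vCenter Server systems connected to this client.
ERROR] http-nio-5090-exec-138 70077257 103157 ###### com.vmware.vsphere.client.security.sso.SsoAuthenticationHandler Error during authentication com.vmware.vcenter.apigw.session.SessionCreationException: Too many active sessions.
"""


def summarize(log_text):
    """Return ({user: no-permission login failures}, session-limit error count)."""
    users = {}          # correlation id -> "name@domain" from the token line
    denied = Counter()  # user -> failed logins caused by missing permissions
    limit_hits = 0
    for line in log_text.splitlines():
        if LIMIT in line:
            limit_hits += 1
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace lines and lines without the full header
        token = TOKEN_RE.search(m["msg"])
        if token:
            users[m["corr"]] = f"{token['name']}@{token['domain']}"
        elif DENIED in m["msg"]:
            # Only the ERROR line is counted; the WARN line reports "user - null".
            denied[users.get(m["corr"], f"unknown(id={m['corr']})")] += 1
    return dict(denied), limit_hits


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Users with a high failure count are the candidates for the permission change described under the workaround.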
This issue is resolved in VMware vCenter Server 7.0 Update 3q | Build 23788036 and above.
Please refer to the release notes, where the issue is documented as "Log in to the vSphere Client fails with an error for maximum number of sessions".
Workaround:
Restarting the vSphere Client UI service clears the sessions that are marked as invalid and allows users to log in.
service-control --stop vsphere-ui
service-control --start vsphere-ui
To keep the issue from recurring if you are unable to upgrade, you can add permissions to the users so that they are able to see at least one of the vCenters in the system.