Access denied errors when logging in to vCenter using Okta with a domain joined account.

Article ID: 386853

Products

VMware vCenter Server

Issue/Introduction

  • After the Okta integration is configured, Okta-based login to vCenter fails for all users with an "access denied" error.
  • vCenter's federation service logs the following for each failed attempt:
YYYY-MM-DDTHH:MM:SS.xxxZ WARN  <vc-fqdn>:federation (federation-business-pool-0) [CUSTOMER;-;xxx.xx.xx.xxx;xxxxxxxx-cxxx-xxxx-xxxx-xxxxxxxxxxxx;] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator - Exception occurred while retrieving oidc tokens com.vmware.vidm.federation.authenticator.oidc.OidcTokenValidationException: Issue time in ID token is invalid
        at com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationValidator.validateIssueTime(OidcAuthenticationValidator.java:206)
        at com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationValidator.validateIDToken(OidcAuthenticationValidator.java:162)
        at com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator.lambda$processResponse$3(OidcAuthenticator.java:150)
        at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(Unknown Source)
        at java.base/java.util.concurrent.CompletableFuture$Completion.run(Unknown Source)
        at com.vmware.vidm.common.async.ContextPassingExecutor.lambda$wrap$0(ContextPassingExecutor.java:48)
        at io.micrometer.core.instrument.internal.TimedRunnable.run(TimedRunnable.java:49)
        at java.base/java.util.concurrent.ForkJoinTask$RunnableExecuteAction.exec(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinTask.doExec(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinPool.scan(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinPool.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinWorkerThread.run(Unknown Source)

Environment

VMware vCenter Server 8.0.1 and later

Cause

Okta requires the clocks of the systems it interacts with to be synchronized with its own server time within a 5-minute window so that OAuth, OIDC and SAML tokens validate correctly. The same constraint applies on the vCenter side: the stack trace above shows vCenter's OIDC authenticator rejecting the ID token in validateIssueTime, where it compares the token's issue time (the iat claim) with its own clock. When the vCenter Server clock differs from Okta's by more than the tolerated skew, a freshly issued token appears to come from the future (or to be stale), token validation fails, and the login is refused with an "access denied" message.
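As an added illustration, not code from the vCenter product or from this article, the following Python models the check that fails in the stack trace above: the relying party (vCenter) compares the ID token's iat claim with its own clock and rejects tokens that fall outside a skew window. The 5-minute window the article cites is used as the assumed tolerance; vCenter's actual limit is not stated on this page. The token, issuer and subject are constructed for the example, and the signature is deliberately not verified because only the timing check is being shown.

```python
import base64
import json

# Assumed skew tolerance: the 5-minute window the article cites.
# vCenter's real tolerance is not stated on the page; treat this as a parameter.
MAX_SKEW_SECONDS = 300


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS without checking the signature.
    Only the timing check from the vCenter log is modelled here; a real relying
    party verifies the signature and issuer before trusting any claim."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def validate_issue_time(claims: dict, now: float, max_skew: int = MAX_SKEW_SECONDS):
    """Model of the relying party's check on the ID token's iat claim.
    `now` is the relying party's (vCenter's) clock as a POSIX timestamp.
    Returns (accepted, reason)."""
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or isinstance(iat, bool):
        return False, "Issue time in ID token is missing"
    delta = now - iat  # >0: token looks old to us; <0: token appears to come from the future
    if delta < -max_skew:
        return False, f"Issue time in ID token is invalid: issued {-delta:.0f}s in the future"
    if delta > max_skew:
        return False, f"Issue time in ID token is invalid: issued {delta:.0f}s ago"
    return True, f"issue time accepted (skew {delta:+.0f}s)"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) token for offline demonstration only.
    Production code must never accept alg=none."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: the IdP's clock when it minted the token (issuer and subject are made up).
IDP_NOW = 1_700_000_000
DEMO_TOKEN = make_unsigned_token({
    "iss": "https://example.okta.com",
    "sub": "user@corp.example",
    "iat": IDP_NOW,
    "exp": IDP_NOW + 3600,
})


def check_against_clock(vcenter_now: float):
    """Validate DEMO_TOKEN's iat as a vCenter whose clock reads `vcenter_now` would."""
    return validate_issue_time(decode_claims(DEMO_TOKEN), vcenter_now)


if __name__ == "__main__":
    scenarios = [
        ("clocks in sync", IDP_NOW + 2),
        ("vCenter 6 min behind Okta", IDP_NOW - 360),
        ("vCenter 10 min ahead of Okta", IDP_NOW + 600),
    ]
    for label, clock in scenarios:
        ok, reason = check_against_clock(clock)
        print(f"{label:30s} -> {'accept' if ok else 'reject'}: {reason}")
```

The second scenario is the one this article describes: a token minted a moment ago by Okta is rejected because, by the appliance's slow clock, it was issued in the future. Note that the rejection happens on vCenter regardless of how accurate Okta's own clock is, so the fix is on the vCenter side.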

Resolution

Ensure that the vCenter Server's clock is synchronized to a reliable time source and is within 5 seconds of the correct time (well inside the 5-minute tolerance described above). Verify that the NTP configuration is correct and that the time reported by vCenter matches that source.

To verify the timestamp:

  • Open a PuTTY (SSH) session to the vCenter Server.
  • Run the following command, which prints the appliance clock in UTC and highlights each change:
    • watch -d date -u
  • Compare the output with a trusted UTC reference (the NTP server, or a correctly synchronized workstation). If the appliance is out of sync, identify where the node is getting its time from and correct the source (for example, the ESXi host running the VM or the configured NTP server address):
    • Restart the NTP daemon on the node.
    • Correct the NTP server parameters.
    • Examine the host's time configuration, and so on.
  • Once the time is in sync, retry the Okta login.
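To go a step beyond eyeballing `date -u`, the following Python script, added here as an example and not part of this article or the vCenter product, parses the peer table printed by `ntpq -p` and reports whether a system peer is selected, whether the configured servers are reachable, and whether the selected peer's offset is within the 5-second target above. It assumes the appliance runs ntpd with `ntpq` available; the sample output and server names are constructed for the example, and on a real appliance the script runs `ntpq -p` when it finds it.

```python
import shutil
import subprocess

# Target from the resolution above: keep the appliance within 5 seconds of its time source.
MAX_OFFSET_MS = 5000.0

# Constructed samples in the layout `ntpq -p` prints (not captured from a real appliance).
SAMPLE_OK = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.corp.example 10.0.0.5         2 u   34   64  377    0.412    1.234   0.318
+ntp2.corp.example 10.0.0.6         2 u   12   64  377    0.530   -2.011   0.402
 ntp3.corp.example .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

SAMPLE_UNREACHABLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.corp.example .INIT.          16 u    -   64    0    0.000    0.000   0.000
 ntp2.corp.example .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

SAMPLE_SKEWED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.corp.example 10.0.0.5         2 u   41   64  377    0.398 7512.201   0.655
"""


def parse_ntpq(text: str) -> list:
    """Parse `ntpq -p` output into one dict per peer.
    The first character of each peer line is the tally code ('*' = selected
    system peer, '+' = candidate, ' ' = discarded, 'x' = falseticker)."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue
        tally, cols = line[0], line[1:].split()
        if len(cols) != 10:
            continue  # unknown layout: skip rather than mis-parse
        peers.append({
            "tally": tally,
            "remote": cols[0],
            "refid": cols[1],
            "stratum": int(cols[2]),
            "reach": int(cols[6], 8),      # reach register is printed in octal
            "offset_ms": float(cols[8]),   # signed offset from the peer, milliseconds
        })
    return peers


def assess(peers: list, max_offset_ms: float = MAX_OFFSET_MS):
    """Classify the sync state as ('ok' | 'skewed' | 'unsynchronized', detail)."""
    if not peers:
        return "unsynchronized", "ntpq reported no peers; check the configured NTP servers"
    selected = [p for p in peers if p["tally"] == "*"]
    if not selected:
        unreachable = [p["remote"] for p in peers if p["reach"] == 0]
        return "unsynchronized", ("no system peer selected; unreachable servers: "
                                  + (", ".join(unreachable) or "none"))
    sys_peer = selected[0]
    if abs(sys_peer["offset_ms"]) > max_offset_ms:
        return "skewed", (f"selected peer {sys_peer['remote']} offset "
                          f"{sys_peer['offset_ms']:.0f} ms exceeds {max_offset_ms:.0f} ms")
    return "ok", (f"synchronized to {sys_peer['remote']} (stratum {sys_peer['stratum']}), "
                  f"offset {sys_peer['offset_ms']:+.3f} ms")


def live_ntpq() -> str:
    """Run `ntpq -p` on the appliance; return '' when ntpq is not installed."""
    if shutil.which("ntpq") is None:
        return ""
    return subprocess.run(["ntpq", "-p"], capture_output=True, text=True, timeout=15).stdout


if __name__ == "__main__":
    output = live_ntpq()
    samples = [("live", output)] if output else [
        ("sample ok", SAMPLE_OK),
        ("sample unreachable", SAMPLE_UNREACHABLE),
        ("sample skewed", SAMPLE_SKEWED),
    ]
    for label, text in samples:
        state, detail = assess(parse_ntpq(text))
        print(f"{label:20s} {state:15s} {detail}")
```

An "unsynchronized" result with every server showing refid .INIT. and reach 0 points at the NTP server address or network path rather than at the daemon; a "skewed" result with a selected peer usually means something else (such as the ESXi host's clock, when VM time synchronization is enabled) is pulling the guest clock away from NTP. In the appliance shell, `timesync.get` and `ntp.server.list` show the configured mode and servers.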

Additional Information

Documentation for testing and fixing time synchronization issues: Configuring Time Synchronization Settings in vCenter Server