Failed to log into vCenter with Entra ID as the Identity Provider: Error communicating with external service

Article ID: 391959


Products

VMware vCenter Server

Issue/Introduction

When vCenter is configured to use Entra ID as its identity provider, users who authenticate through Entra ID are unable to log in. The login page reports "Error communicating with external service".


The following errors are seen in /var/log/vmware/vc-ws1a-broker/token-service.log on the vCenter Server Appliance. The key indicator is the broker failing to reach its own local token endpoint on 127.0.0.1:10114:


Caused by: java.net.ConnectException: Connection refused
        at java.base/sun.nio.ch.Net.pollConnect(Native Method)
        at java.base/sun.nio.ch.Net.pollConnectNow(Unknown Source)
        at java.base/sun.nio.ch.SocketChannelImpl.finishConnect(Unknown Source)
        at io.netty.channel.socket.nio.NioSocketChannel.doFinishConnect(NioSocketChannel.java:337)
        at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:334)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:776)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Unknown Source)

YYYY-MM-DDTXX,323 WARN  FQDN:federation (ForkJoinPool-2-worker-2) [-;-;-;-;-;-] com.vmware.vidm.common.gateway.mesh.GatewayAuthProvider - Failed to acquire token, returning cached token - Optional.empty, io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:10114
YYYY-MM-DDTXX,325 INFO  FQDN:federation (main) [-;-;-;-;-;-] com.vmware.vidm.federation.cds.TenantFeatureProvider - Creating tenant feature cache with ttl seconds: 600, max size: 10000

Environment

vCenter 8

vCenter 9.0.0

Cause

The vc-ws1a-broker service uses an internal token that expires every 6 hours. If the broker fails to refresh that token, every subsequent federation request is still sent with the expired token; signature and revocation validation then fails and the request is rejected with HTTP 401, which surfaces to the user as "Error communicating with external service". The token-service.log shows the rejected requests:

YYYY-MM-DDTXX,110 WARN  #######.example.com:federation (vert.x-worker-thread-4) [CUSTOMER;-;127.0.0.1;########-####-####-####-############;-;-] com.vmware.vidm.common.vertx.auth.RequestContextResolutionHandler - Token validation (Signature & Revocation) [Id: ########-####-####-####-############, isValid: false, isExpired: true] 
YYYY-MM-DDTXX,111 WARN  #######.example.com:federation (vert.x-eventloop-thread-3) [CUSTOMER;-;127.0.0.1;########-####-####-####-############;-;-] com.vmware.vidm.common.vertx.exception.handler.DefaultExceptionHandler - Request failed without exception, status_code: 401 
YYYY-MM-DDTXX,198 WARN  #######.example.com:federation (vert.x-worker-thread-3) [CUSTOMER;-;127.0.0.1;########-####-####-####-############;-;-] com.vmware.vidm.common.vertx.auth.RequestContextResolutionHandler - Token validation (Signature & Revocation) [Id: 3########-####-####-####-############, isValid: false, isExpired: true] 
YYYY-MM-DDTXX,199 WARN  #######.example.com:federation (vert.x-eventloop-thread-3) [CUSTOMER;-;127.0.0.1;########-####-####-####-############;-;-] com.vmware.vidm.common.vertx.exception.handler.DefaultExceptionHandler - Request failed without exception, status_code: 401

Resolution

Workaround: Restart the vc-ws1a-broker service on the vCenter Server Appliance. This forces the broker to obtain a new internal token.

  • SSH into the vCenter Server Appliance as root and restart the broker service: vmon-cli --restart vc-ws1a-broker

The restart restores logins but does not address the refresh failure itself, so the problem can recur until vCenter is updated.

Fix: This issue is fixed in vCenter 8.0U3g and 9.0.1.
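The following triage script is an added example, not Broadcom/VMware code. It pulls together the Cause and Resolution sections above: it scans token-service.log for the three signatures quoted in the article (the port-10114 connection refusal, the expired-token validation and the resulting 401s), and only when they are present applies the documented workaround. The log path, signatures and vmon-cli --restart command come from the article; the sample log lines are constructed (redacted like the article's excerpts) so the detection logic runs offline, and the follow-up vmon-cli --status check is my addition.

```shell
#!/bin/sh
# Added triage helper for the vc-ws1a-broker stale-token failure described in
# this article. Not Broadcom/VMware code. Log path, error signatures and the
# "vmon-cli --restart vc-ws1a-broker" workaround come from the article; the
# sample log below is constructed (redacted like the article's excerpts) so the
# detection runs offline, and "vmon-cli --status" is an added follow-up check.

# Log the article points at on the vCenter Server Appliance (override for testing).
BROKER_LOG="${BROKER_LOG:-/var/log/vmware/vc-ws1a-broker/token-service.log}"

# Signatures taken verbatim from the article's log excerpts.
SIG_REFUSED='Connection refused: localhost/127.0.0.1:10114'  # broker cannot reach its local token endpoint
SIG_EXPIRED='isValid: false, isExpired: true'                 # internal token past its 6-hour lifetime
SIG_401='status_code: 401'                                    # requests rejected with the expired token

# count_signature FILE PATTERN -> prints the number of lines containing PATTERN (fixed string).
# "|| true" keeps a no-match grep (exit 1) from tripping "set -e" in callers.
count_signature() {
    n=$(grep -c -F -- "$2" "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
}

# broker_token_stale FILE -> returns 0 when the log shows the article's failure
# pattern: the port-10114 refusal, or expired-token validations paired with
# 401 responses. Returns 1 when absent, 2 if FILE is unreadable. The counts go
# to stderr so they can be quoted in a ticket.
broker_token_stale() {
    f="$1"
    [ -r "$f" ] || return 2
    refused=$(count_signature "$f" "$SIG_REFUSED")
    expired=$(count_signature "$f" "$SIG_EXPIRED")
    rejected=$(count_signature "$f" "$SIG_401")
    printf 'connection_refused=%s expired_token=%s http_401=%s\n' \
        "$refused" "$expired" "$rejected" >&2
    if [ "$refused" -gt 0 ]; then
        return 0
    fi
    [ "$expired" -gt 0 ] && [ "$rejected" -gt 0 ]
}

# restart_broker -> applies the article's workaround, then confirms the service
# is back. Refuses to run where vmon-cli is absent (i.e. off the appliance).
restart_broker() {
    if ! command -v vmon-cli >/dev/null 2>&1; then
        echo "vmon-cli not found: run this on the vCenter Server Appliance" >&2
        return 3
    fi
    vmon-cli --restart vc-ws1a-broker && vmon-cli --status vc-ws1a-broker
}

# write_sample_log FILE -> constructed, redacted lines mirroring the article's excerpts.
write_sample_log() {
    cat > "$1" <<'EOF'
Caused by: java.net.ConnectException: Connection refused
YYYY-MM-DDTXX,323 WARN  FQDN:federation (ForkJoinPool-2-worker-2) [-;-;-;-;-;-] com.vmware.vidm.common.gateway.mesh.GatewayAuthProvider - Failed to acquire token, returning cached token - Optional.empty, io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:10114
YYYY-MM-DDTXX,110 WARN  vc.example.com:federation (vert.x-worker-thread-4) [CUSTOMER;-;127.0.0.1;-;-;-] com.vmware.vidm.common.vertx.auth.RequestContextResolutionHandler - Token validation (Signature & Revocation) [Id: REDACTED, isValid: false, isExpired: true]
YYYY-MM-DDTXX,111 WARN  vc.example.com:federation (vert.x-eventloop-thread-3) [CUSTOMER;-;127.0.0.1;-;-;-] com.vmware.vidm.common.vertx.exception.handler.DefaultExceptionHandler - Request failed without exception, status_code: 401
YYYY-MM-DDTXX,198 WARN  vc.example.com:federation (vert.x-worker-thread-3) [CUSTOMER;-;127.0.0.1;-;-;-] com.vmware.vidm.common.vertx.auth.RequestContextResolutionHandler - Token validation (Signature & Revocation) [Id: REDACTED, isValid: false, isExpired: true]
YYYY-MM-DDTXX,199 WARN  vc.example.com:federation (vert.x-eventloop-thread-3) [CUSTOMER;-;127.0.0.1;-;-;-] com.vmware.vidm.common.vertx.exception.handler.DefaultExceptionHandler - Request failed without exception, status_code: 401
EOF
}

case "${1:-}" in
    --demo)   # run the detection against the constructed sample only
        tmp="${TMPDIR:-/tmp}/broker-sample.$$"
        write_sample_log "$tmp"
        if broker_token_stale "$tmp"; then echo "sample log matches the stale-token pattern"; fi
        rm -f "$tmp" ;;
    --check)  # on the appliance: detect, then apply the workaround
        rc=0; broker_token_stale "$BROKER_LOG" || rc=$?
        case $rc in
            0) restart_broker ;;
            1) echo "no stale-token signature in $BROKER_LOG" ;;
            *) echo "cannot read $BROKER_LOG" >&2; exit "$rc" ;;
        esac ;;
    *)        echo "usage: $0 --demo | --check" >&2 ;;
esac
```

Run it with --demo anywhere to see the detection fire on the constructed sample; run it with --check as root on the appliance to act on the real log. Gating the restart on the signatures matters because a restart of vc-ws1a-broker briefly interrupts all federated logins, so it should only be issued when the log actually shows the stale-token pattern rather than some other identity-provider failure that produces the same on-screen error.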