Unable to login to HCX 443 UI "Unable to login. Reason:Unauthorized"


Article ID: 403755


Updated On:

Products

VMware HCX

Issue/Introduction

  • HCX 443 hybridity UI login fails with "Unable to login. Reason:Unauthorized".
  • Validate that the account used to log in has the Admin role under Global Permissions and is a member of the Administrators group in vCenter Server.
  • Validate that the User Account and Role Requirements documented for HCX Manager are followed correctly.
  • vCenter SSO/STS certificates were updated.
  • HCX 9443 registration for vCenter Server is successful.
  • Reviewing the HCX Manager web.log in /common/logs/admin shows the following errors:
    <timestamps> UTC [https-jsse-nio-8443-exec-8, , , TxId: ] INFO  c.v.i.t.i.X509TrustChainKeySelector- Failed to find trusted path to signing certificate <CN=ssoserverSign>
    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    
    <timestamps> UTC [https-jsse-nio-8443-exec-8, , , TxId: ] ERROR c.v.i.token.impl.SamlTokenImpl- Signature validation failed
    javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
    
    <timestamps> UTC [https-jsse-nio-8443-exec-8, , , TxId: ] ERROR c.v.v.h.a.AccessTokenRestController- Signature validation failed
    com.vmware.vim.sso.client.exception.MalformedTokenException: Signature validation failed
    
    <timestamps> UTC [https-jsse-nio-8443-exec-8, , , TxId: ] INFO  c.v.v.h.a.HybridityAuthenticationEntryPoint- AuthenticationEntryPoint - unauthorized request for URI /hybridity/api/sessions
    <timestamps> UTC [https-jsse-nio-8443-exec-8, , , TxId: ] ERROR c.v.v.h.a.HybridityAuthenticationEntryPoint- AuthenticationEntryPoint - got AuthenticationException
    org.springframework.security.authentication.BadCredentialsException: Signature validation failed
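The log excerpt above has a recognisable shape: a trust-path failure for the STS signing certificate on one request thread, followed by two "Signature validation failed" errors and an unauthorized response for /hybridity/api/sessions. The following parser is an added example (not VMware or Broadcom code) that reads web.log lines in that format, groups them by request thread, and reports threads that show this STS-mismatch pattern so the condition can be spotted before anyone digs through the log by hand. The timestamps and the benign line on thread exec-3 are constructed; the failing lines are the ones quoted in this article.

```python
"""Detect the HCX SSO/STS trust-mismatch pattern in HCX Manager web.log.

Added example, not VMware/Broadcom code. Assumes the line layout shown in this
article: "<timestamp> UTC [<thread>, , , TxId: ] LEVEL logger- message", with
Java exception lines (no timestamp) following the event they belong to.
"""
import re

# One log event: timestamp, thread name, empty TxId fields, level, logger, message.
LINE_RE = re.compile(
    r"^(?P<ts>.+?) UTC \[(?P<thread>[^,\]]*)[^\]]*\] "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+?)-\s*(?P<msg>.*)$"
)
TRUST_PATH_RE = re.compile(
    r"Failed to find trusted path to signing certificate <(?P<cn>[^>]+)>"
)
UNAUTH_URI_RE = re.compile(r"unauthorized request for URI (?P<uri>\S+)")

# Constructed sample: the article's failing lines with invented timestamps,
# plus one constructed benign line on another thread for contrast.
SAMPLE_LOG = """
2024-05-01 10:15:30.101 UTC [https-jsse-nio-8443-exec-8, , , TxId: ] INFO  c.v.i.t.i.X509TrustChainKeySelector- Failed to find trusted path to signing certificate <CN=ssoserverSign>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-05-01 10:15:30.102 UTC [https-jsse-nio-8443-exec-8, , , TxId: ] ERROR c.v.i.token.impl.SamlTokenImpl- Signature validation failed
javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
2024-05-01 10:15:30.103 UTC [https-jsse-nio-8443-exec-8, , , TxId: ] ERROR c.v.v.h.a.AccessTokenRestController- Signature validation failed
com.vmware.vim.sso.client.exception.MalformedTokenException: Signature validation failed
2024-05-01 10:15:30.104 UTC [https-jsse-nio-8443-exec-8, , , TxId: ] INFO  c.v.v.h.a.HybridityAuthenticationEntryPoint- AuthenticationEntryPoint - unauthorized request for URI /hybridity/api/sessions
2024-05-01 10:15:30.105 UTC [https-jsse-nio-8443-exec-8, , , TxId: ] ERROR c.v.v.h.a.HybridityAuthenticationEntryPoint- AuthenticationEntryPoint - got AuthenticationException
org.springframework.security.authentication.BadCredentialsException: Signature validation failed
2024-05-01 10:16:00.000 UTC [https-jsse-nio-8443-exec-3, , , TxId: ] INFO  c.v.v.h.a.AccessTokenRestController- (constructed) token accepted for session request
"""


def parse_web_log(text):
    """Return a list of events; exception lines attach to the preceding event."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["exceptions"] = []
            events.append(ev)
        elif events:
            events[-1]["exceptions"].append(line)
    return events


def find_sts_mismatch(events):
    """Group events per thread and keep threads showing the STS-mismatch pattern.

    A finding needs both an untrusted STS signing certificate and at least one
    ERROR-level "Signature validation failed" on the same thread.
    """
    per_thread = {}
    for ev in events:
        t = per_thread.setdefault(ev["thread"], {
            "thread": ev["thread"], "signing_cert": None, "uri": None,
            "signature_failures": 0, "cert_path_error": False,
        })
        m = TRUST_PATH_RE.search(ev["msg"])
        if m and ev["logger"].endswith("X509TrustChainKeySelector"):
            t["signing_cert"] = m.group("cn")
        if any("SunCertPathBuilderException" in x for x in ev["exceptions"]):
            t["cert_path_error"] = True
        if ev["level"] == "ERROR" and "Signature validation failed" in ev["msg"]:
            t["signature_failures"] += 1
        m = UNAUTH_URI_RE.search(ev["msg"])
        if m:
            t["uri"] = m.group("uri")
    return [t for t in per_thread.values()
            if t["signing_cert"] and t["signature_failures"] > 0]


def describe(finding):
    """Human-readable summary pointing at the fix described in this article."""
    return (f"thread {finding['thread']}: STS signing certificate "
            f"<{finding['signing_cert']}> is not trusted by HCX "
            f"({finding['signature_failures']} signature failures, "
            f"request {finding['uri']} rejected); re-register SSO on the "
            f"HCX Manager 9443 page (Configuration > SSO > Edit > Save).")


FINDINGS = find_sts_mismatch(parse_web_log(SAMPLE_LOG))

if __name__ == "__main__":
    for f in FINDINGS:
        print(describe(f))
```

Run it against a real /common/logs/admin/web.log by replacing SAMPLE_LOG with the file contents; a finding for a thread means the token was signed by an STS certificate HCX does not currently trust, which is exactly the cause this article describes.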


Environment

VMware HCX
vCenter Server

Cause

This issue arises from a mismatch between the STS certificate stored in the HCX database and the one currently used by vCenter SSO.

Resolution

  • Re-register SSO on the HCX Manager Admin (9443) page.
    • Log in to the HCX 9443 page >> Configuration >> SSO >> EDIT >> validate that the SSO Provider URL is correct and click SAVE.
    • This pushes the current SSO/STS certificates into HCX.


      NOTE: If the issue persists after following this KB, open a support case with Broadcom Support and refer to this KB article.
      Collect a vCenter Server log bundle and an HCX Manager log bundle [Collect Core HCX Logs + Collect Database Dump] and upload them to the SR.
      For more information, see Creating and managing Broadcom support cases.

Additional Information