kubectl login to a guest cluster using domain user account takes a long time
Article ID: 413506
Updated On:
Products
Issue/Introduction
- kubectl login to a guest cluster takes 1-2 min and logs in successfully without issues.
- Issue is seen with LDAP domain user accounts and not with local account (account ending with `@vsphere.local`)
$ kubectl vsphere login \--server=<SUPERVISOR_CONTROL_PLANE_IP> \--vsphere-namespace=<VSPHERE_NAMESPACE> \--tanzu-kubernetes-cluster-name=<TKG_CLUSTER_NAME> \--insecure-skip-tls-verify \-v=10DEBU[YYYY-MM-DD HH:MM:SS] User passed verbosity level: 10DEBU[YYYY-MM-DD HH:MM:SS Setting verbosity level: 10DEBU[YYYY-MM-DD HH:MM:SS] Setting request timeout:DEBU[YYYY-MM-DD HH:MM:SS] login called as: /usr/bin/kubectl-vsphere login --server=<IP> --tanzu-kubernetes-cluster-namespace=infra-service --tanzu-kubernetes-cluster-name=testcluster -v=10DEBU[YYYY-MM-DD HH:MM:SS] Creating wcp.Client for <IP>DEBU[YYYY-MM-DD HH:MM:SS] Got response:Username: username@domainINFO[YYYY-MM-DD HH:MM:SS] Using username@domain username.DEBU[YYYY-MM-DD HH:MM:SS] KUBECTL_VSPHERE_PASSWORD environment variable is not setPassword:<<stuck about 30s>>DEBU[YYYY-MM-DD HH:MM:SS] Got response: [{"namespace":...]DEBU[YYYY-MM-DD HH:MM:SS] Got response: {"session_id":...}INFO[YYYY-MM-DD HH:MM:SS] User has existing context; will not override.DEBU[YYYY-MM-DD HH:MM:SS] Logging in to Tanzu Kubernetes cluster (clustername) (XXXXX)DEBU[YYYY-MM-DD HH:MM:SS] Got response: {"session_id":...}INFO[YYYY-MM-DD HH:MM:SS] Successfully logged in to Tanzu Kubernetes cluster 172.##.##.##DEBU[YYYY-MM-DD HH:MM:SS] Trying to login to 10.##.##.##DEBU[YYYY-MM-DD HH:MM:SS] Creating wcp.Client for 10.##.##.##<<stuck about 30s>>DEBU[YYYY-MM-DD HH:MM:SS] Got response: {"session_id":...}Logged in successfully. - The time taken can be verified using wcp-auth proxy logs:
wcp-authproxy logs:YYYY-MM-DDTHH:MM:SS stderr F INFO:auth.filters:[] User authenticated using basic token.:(took 49 seconds to get cluster ID)YYYY-MM-DDTHH:MM:SS stderr F DEBUG:vclib.token:[] Cluster UID (<Cluster_UID>), server (10.##.##.##) Check connectivity for domain controllers using the below commands:
- For LDAPs: "
curl -v -k <Identity-provider-url.domain.com>:636" - For LDAP: "
curl -v -k <Identity-provider-url.domain.com>:389"
- For LDAPs: "
Environment
vSphere Kubernetes Service
Cause
- In environments with multiple Domain Controllers (DCs) providing LDAP services, authentication delays may occur if the LDAP configuration only specifies the domain name rather than individual Domain Controllers.
- When one of the Domain Controller's becomes unreachable, LDAP configured to use the domain name rather than explicitly listing DCs occasionally routes authentication attempts to the offline controller, resulting in intermittent login delays.
Resolution
Update the LDAP configuration to explicitly specify a reachable working Domain Controller instead of relying solely on the domain name or fix the connectivity issues of domain controller.
Additional Information
When vCenter authenticates against LDAP/Active Directory:
vCenter connects to one of the configured Domain Controllers (DCs) via LDAP or LDAPS.
It performs a Bind operation using the credentials of the configured identity source.
If the first DC is unreachable, vCenter will try the next DCs in the list (if multiple are configured).
Successful bind → authentication succeeds; failure or timeout → vCenter may log an error.
If the identity source is just a domain name (no explicit DCs), vCenter relies on DNS to resolve the DCs. If DNS returns an unreachable DC first, it can cause delays or timeouts.
For LDAP connectivity issues log traces, check below logs in vCenter:
/var/log/vmware/vpxd/vpxd.log
/var/log/vmware/sso/vmware-sts-identity.log or websso.log
/var/log/vmware/vmdird/vmdird.log
Following errors are seen:
LDAP connection to <DC> failed: java.net.ConnectException: Connection timed out
Feedback
