Tanzu Mission Control - Self managed produces error "errcode: 3001 errmsg: Unauthorized requestid: ########-####-####-####-############" when attempting to login

Article ID: 415808

Updated On:

Products

VMware Tanzu Mission Control

Issue/Introduction

When attempting to log in to Tanzu Mission Control - Self managed using OpenID Connect, Multi-Factor Authentication, or an External Identity Provider, the following symptoms are observed:
- The login screen displays the following error:
errcode: 3001 errmsg: Unauthorized requestid: ########-####-####-####-############


- Similar errors are present in the landing service logs of the TMC-SM deployment:

{"component":"######-#####-####","http.host":"<fqdn>","http.proto_major":2,"http.request.length_bytes":0,"http.request.method":"GET","http.request.referer":"","http.request.user_agent":"Mozilla/5.0(Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15","http.url.path":"/callback","level":"error","msg":"errcode: 3001 errmsg: Unauthorized requestid: ########-####-####-####-############ cause:error in verifying the id token string: unable to verify id token: Error [105]: OIDC Token Not Yet Valid, detail: Invalid issuedAt claim","peer.address":"###.###.###.###","peer.port":"44450","#######-##":"########-####-####-####-############","span.kind":"server","system":"http","time":"YYYY-MM-DDTHH:MM:SS"}

{"component":"######-#####-####","http.host":"<fqdn>","http.proto_major":2,"http.request.length_bytes":0,"http.request.method":"GET","http.request.referer":"","http.request.user_agent":"Mozilla/5.0(Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0.1 Safari/605.1.15","http.response.length_bytes":82,"http.response.status":401,"http.time_ms":0.625,"http.url.path":"/callback","level":"warning","msg":"finished HTTPcall with code 401 Unauthorized","peer.address":"###.###.###.###","peer.port":"44450","#######-##":"########-####-####-####-############","span.kind":"server","system":"http","time":"YYYY-MM-DDTHH:MM:SS"}


- When the Tanzu Kubernetes Cluster hosting the TMC-SM deployment is accessed, the date and time on the TKC nodes are off by more than 60 seconds.

Environment

Tanzu Kubernetes Self Managed 1.4

Cause

OIDC logins can accommodate up to 60 seconds of time drift between the login source and target.
When the time drift is greater than 60 seconds, the login fails with the error shown above: the landing service rejects the ID token as "OIDC Token Not Yet Valid" because of its issuedAt claim.
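
To see how drift beyond the 60-second tolerance turns into the "OIDC Token Not Yet Valid ... Invalid issuedAt claim" error, the following added example (not VMware's code and not part of the original article) decodes an ID token's claims and compares `iat` and `exp` with the local clock. The function names, the issuer `https://idp.example` and the unsigned sample token are assumptions constructed for illustration; only the 60-second leeway comes from this article.

```python
import base64
import json
import time

LEEWAY_SECONDS = 60  # drift tolerance stated in this article


def b64url_decode(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Return a JWT's claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def time_check(token, now=None, leeway=LEEWAY_SECONDS):
    """Compare iat/exp with the local clock as a skew-tolerant verifier would."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    iat, exp = claims.get("iat"), claims.get("exp")
    if type(iat) not in (int, float):
        raise ValueError("iat claim missing or not numeric")
    ahead = iat - now  # > 0 means the issuer's clock is ahead of the local clock
    if ahead > leeway:
        verdict = "not_yet_valid"  # the case logged as Error [105] above
    elif type(exp) in (int, float) and now - exp > leeway:
        verdict = "expired"
    else:
        verdict = "ok"
    return {"verdict": verdict, "iat_ahead_seconds": round(ahead), "leeway": leeway}


def make_sample_token(iat, lifetime=300):
    """Build a constructed, unsigned sample token (hypothetical issuer)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"iss": "https://idp.example", "iat": iat, "exp": iat + lifetime}
    return ".".join([enc({"alg": "none"}), enc(payload), "sig"])


if __name__ == "__main__":
    local_now = 1_700_000_000  # constructed local clock reading
    for drift in (30, 95):  # issuer clock ahead by 30 s, then by 95 s
        print(drift, time_check(make_sample_token(local_now + drift), now=local_now))
```

A positive `iat_ahead_seconds` larger than the leeway means the clock on the verifying side is behind the identity provider's clock, which is the direction to check first on the TKC nodes.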

Resolution

Determine whether the source or the destination is configured with incorrect time settings and remediate the discrepancy.
See the following KBs for guidance:
- Use custom NTP server in TKG
- Tanzu Kubernetes Grid 2.5 - Configuration File Variable Reference