vIDM Login Fails with 400 Bad Request Error When Using NSX Load Balancer — Illegal HTTP Header “Remote Port”
Article ID: 417173
Updated On:
Products
Issue/Introduction
NSX Load Balancer (NSX-LB) with VMware Identity Manager (Patch CSP-102092), running Tomcat 9 may experience login failures with the following symptoms:
- Login page fails to load, or users receive HTTP 400 – Bad Request error.
- vIDM
/opt/vmware/horizon/workspace/logs/catalina.loglogs show entries such as:Error parsing HTTP request header - Further inspection of the HTTP headers in Tomcat debug logs reveals an invalid header line: Remote Port: 63178
Environment
- VMware Identity Manager with Patch CSP-102092
- Aria Suite Lifecycle
- NSX Load Balancer (NSX-LB)
Cause
The root cause was identified as Tomcat 9 rejecting the “Remote Port” HTTP header as invalid, due to a space character in the header name.
- Per RFC 7230, spaces are not allowed in HTTP header names.
- The invalid header Remote Port is injected by NSX or an upstream proxy during request forwarding.
- The correct syntax should be RemotePort (without a space).
Resolution
Update the NSX Load Balancer (NSX-LB) configuration to remove the whitespace from the header name.
Steps:
- Log in to the NSX Manager UI as Admin User.
-
Navigate to Networking > Load Balancing > Virtual Servers.
-
Select the vIDM HTTPS Virtual Server and click Edit.
-
Go to Load Balancer Rules > Request Rewrite Phase.
-
Click on the existing Rule and then select Edit Rule.
-
In the rule configuration, remove the space in the header name.
Change “Remote Port” to “RemotePort”. -
Click Save to apply the rule changes.
-
Finally, Save the Virtual Server configuration to commit the updates.
Pleas check the below screenshot for reference.
Feedback
