When attempting to deploy an OVF template in a vCenter 9.x environment, the deployment fails immediately with a generic fatal error: "A Fatal error has occurred. Unable to continue"
VCF 9.x
/var/log/vmware/content-library/cls.log:
YYYY-MM-DD | ERROR | misqihwt-####-auto-####-h5:70022227 | tomcat-http-40 | AuthorizationFilter | Could not retrieve permission information for ID urn:vmomi:ResourcePool:resgroup-13:####-254d-####-b458-#### for operation com.vmware.vcenter.ovf.import_session.create_for_resource_pool. com.vmware.vsphere.common.authz.AuthorizationException: Could not validate with CIS Authz service
YYYY-MM-DD | DEBUG | misqihwt-####-auto-####-h5:70022231 | tomcat-http-45 | AuthorizationFilter | Validating permissions for 2 objects, in invocation of com.vmware.vcenter.ovf.import_session.create_for_resource_pool
YYYY-MM-DD | DEBUG | misqihwt-####-auto-####-h5:70022231 | tomcat-http-45 | AuthorizationServiceClientimpl | Operation: hasPrivileges. Invoking server API.
YYYY-MM-DD | WARN | misqihwt-####-auto-####-h5:70022231 | tomcat-http-45 | AuthorizationServiceClientimpl | Operation: hasPrivileges. Read API execution failed. java.util.concurrent.ExecutionException: com.vmware.vim.binding.vmodl.RuntimeFault: Unable to dispatch request: Failed to create session
/var/log/vmware/vpxd/vpxd.log:
YYYY-MM-DD error vpxd[06787] [Originator@6876 sub=Default] received error code 401 for [N7Vmacore4Http23Http1ClientResponseImplE]: Unauthorized
YYYY-MM-DD info vpxd[06787] [Originator@6876 sub=Default] Creating SideCar HTTP/2 ConnectionPool
YYYY-MM-DD warning vpxd[06787] [Originator@6876 sub=ResourceMonitor] Failed request to VAPI service; Error:
--> com.vmware.vcenter.tokenservice.invalid_request
--> Messages:
--> com.vmware.vcenter.tokenservice.exceptions.InvalidRequest<Failed to built JWT_ID token for {Name: vpxd-svc-acct-####-6a2a-4937-a573-####, Domain: VSPHERE.LOCAL} on behalf of {Name: vpxd-svc-acct-####-6a2a-4937-a573-####, Domain: VSPHERE.LOCAL}>
The issue is caused by a time synchronization mismatch among the vCenter Server nodes or with the identity provider.
In vCenter 9.x, the Token Service uses JSON Web Tokens (JWT) for internal service-to-service communication. If the system clocks are out of sync, the vCenter Token Service cannot validate the "issued at" or "expiration" timestamps of the token. This results in an Unauthorized (401) error when vpxd tries to communicate with the OVF import session via the VAPI service, effectively blocking the deployment process.
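The effect of clock skew on token time claims can be reproduced with a small added example (not VMware code and not part of the original article). It issues an HS256 JWT stamped by one clock and validates it against validators whose clocks differ by a given offset; the 60-second leeway, 300-second lifetime, key and subject name are constructed assumptions, not vCenter values.

```python
import base64, hashlib, hmac, json

LEEWAY = 60  # assumed tolerated skew in seconds (not a vCenter value)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(key: bytes, subject: str, issuer_clock: int, lifetime: int = 300) -> str:
    """Issue an HS256 token whose iat/exp come from the issuer's own clock."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "iat": issuer_clock, "exp": issuer_clock + lifetime}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def validate(key: bytes, token: str, validator_clock: int, leeway: int = LEEWAY) -> str:
    """Return 'ok' or the rejection reason, judged by the validator's clock."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return "bad signature"
        claims = json.loads(_unb64(body))
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return "malformed token"
    # Validator clock behind the issuer: the token looks like it was minted in the future.
    if iat > validator_clock + leeway:
        return f"issued in the future by {iat - validator_clock}s"
    # Validator clock ahead of the issuer: the token looks already expired.
    if exp <= validator_clock - leeway:
        return f"expired {validator_clock - exp}s ago"
    return "ok"

def skew_report(offsets, key=b"constructed-demo-key", now=1_700_000_000):
    """Validate one token against validators whose clocks differ by each offset (seconds)."""
    token = issue(key, "svc-account-placeholder", now)  # constructed subject name
    return {off: validate(key, token, now + off) for off in offsets}

if __name__ == "__main__":
    for offset, verdict in skew_report([0, -30, -600, 200, 900]).items():
        print(f"validator clock {offset:+5d}s -> {verdict}")
```

Both rejection paths surface to the caller as an authentication failure even though the credentials and signature are valid, which is why the symptom points at authorization rather than at time.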
To resolve this issue, ensure that time is synchronized across the environment by configuring NTP servers.
Log in to the vCenter Server Management Interface (VAMI) at https://<vcenter-ip-or-fqdn>:5480.
Navigate to the Time section.
Click Edit under Time Settings.
Change the Mode to NTP and enter valid NTP server addresses.
Ensure the Time synchronization status shows as "In sync."
If in a Linked Mode or Multi-vCenter environment, repeat these steps for all vCenter nodes.
Once the clocks are synchronized, retry the OVF deployment.