On the management vCenter CLI, the log file /var/log/vmware/vc-ws1a-broker/accesscontrol-service.log shows the following error:
com.vmware.vidm.common.gateway.mesh.Gateway AuthProvider - Invalid Token - [Now: YYYY-MM-DDThh:mm:ss.##########] - GatewayToken [Hash:#########,Expiry: YYYY-MM-DDThh:mm:ssZ]
On the vCenter vSphere UI, attempting to log in with VCF SSO fails with the error:
no healthy upstream
- logging in with local accounts still succeeds
On the management vCenter VAMI UI (port 5480), the VMware Identity Services service shows a Health status of vami.services.health.UNKNOWN.
On the VCF Operations UI, the page Fleet Management > Identity & Access > VCF Instances > sddc-hostname > Identity Source shows the error:
An error occurred while trying to get the Directories. Please try again later
Version: VCF 9.0.0
In the log entry, the token Expiry time YYYY-MM-DDThh:mm:ssZ is earlier than the Now time YYYY-MM-DDThh:mm:ss.##########. The GatewayToken has therefore expired and is rejected as invalid, which produces the symptoms above.
This is a known issue (expected to be resolved in a future release): the internal token refresh does not occur before the token expires.
Restart the VMware Identity Services service from the management vCenter VAMI UI, and confirm that its Health status changes to Healthy (rather than vami.services.health.UNKNOWN).
To confirm the resolution:
- VCF SSO login to the vCenter (management and workload domain) succeeds again
- on VCF Operations, under Fleet Management > Identity & Access > VCF Instances > sddc-hostname > Identity Source, confirm that the error "An error occurred while trying to get the Directories. Please try again later" no longer appears and that the directories now populate as expected
- on the management vCenter CLI, confirm that no new Invalid Token messages appear in /var/log/vmware/vc-ws1a-broker/accesscontrol-service.log
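The check described in the cause analysis (Expiry earlier than Now) and the final verification step (no new Invalid Token entries) can be scripted. The following Python script is an added example and is not part of the KB article or of any VMware tooling. It parses the accesscontrol-service.log "Invalid Token" entries, compares each GatewayToken Expiry against the Now timestamp logged beside it, and reports whether the token had already expired. Assumptions: the Now value carries no zone designator and is treated as UTC, the number of fractional-second digits is not known and so any count is accepted, and the sample log lines are constructed to match the format quoted above.

```python
"""Check vc-ws1a-broker 'Invalid Token' entries for expired GatewayTokens.

Added example, not part of the KB article. Assumptions: the 'Now' value has no
zone designator and is taken as UTC; the number of fractional-second digits is
unknown, so any count is accepted.
"""
import re
import sys
from datetime import datetime, timezone

LOG_PATH = "/var/log/vmware/vc-ws1a-broker/accesscontrol-service.log"

# Matches the payload of the AuthProvider "Invalid Token" message.
INVALID_TOKEN_RE = re.compile(
    r"Invalid Token - \[Now: (?P<now>[^\]]+)\] - "
    r"GatewayToken \[Hash:(?P<hash>[^,\]]+),\s*Expiry: (?P<expiry>[^\]]+)\]"
)

# YYYY-MM-DDThh:mm:ss with optional fraction and optional trailing Z.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z?$")


def parse_timestamp(value):
    """Parse a broker timestamp into an aware UTC datetime (assumed UTC)."""
    m = TS_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac = m.groups()
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    if frac:
        # datetime stores microseconds only: pad or truncate to 6 digits.
        dt = dt.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return dt.replace(tzinfo=timezone.utc)


def check_invalid_token_entries(log_text, after=None):
    """Return one finding per Invalid Token line.

    'expired' is True when Expiry is earlier than the logged Now, which is the
    condition the KB describes. 'after' (aware datetime) drops entries whose
    Now is before that point, so the check can be limited to lines written
    after the service restart; older entries stay in the log file.
    """
    findings = []
    for line in log_text.splitlines():
        m = INVALID_TOKEN_RE.search(line)
        if not m:
            continue
        now = parse_timestamp(m.group("now"))
        if after is not None and now < after:
            continue
        expiry = parse_timestamp(m.group("expiry"))
        findings.append({
            "hash": m.group("hash").strip(),
            "now": now,
            "expiry": expiry,
            "expired": expiry < now,
            "expired_for_seconds": (now - expiry).total_seconds(),
        })
    return findings


# Constructed sample log excerpt (not real output): one expired token and one
# rejected token whose Expiry is still in the future.
SAMPLE_LOG = """\
... INFO  some unrelated line
... ERROR com.vmware.vidm.common.gateway.mesh.Gateway AuthProvider - Invalid Token - [Now: 2025-01-01T10:15:02.1234567890] - GatewayToken [Hash:111111111,Expiry: 2025-01-01T09:45:00Z]
... ERROR com.vmware.vidm.common.gateway.mesh.Gateway AuthProvider - Invalid Token - [Now: 2025-01-01T10:15:03.000] - GatewayToken [Hash:222222222,Expiry: 2025-01-01T11:00:00Z]
"""


def main(path=LOG_PATH):
    """Print a summary per entry; exit 1 if any expired token is found."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = check_invalid_token_entries(fh.read())
    if not findings:
        print("no Invalid Token entries found")
        return 0
    for f in findings:
        state = "EXPIRED" if f["expired"] else "not expired"
        print(f"hash={f['hash']} now={f['now'].isoformat()} "
              f"expiry={f['expiry'].isoformat()} {state} "
              f"({f['expired_for_seconds']:+.3f}s)")
    return 1 if any(f["expired"] for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else LOG_PATH))
```

Run it on the appliance with the log path as the argument. Because the old Invalid Token lines remain in the file after the restart, pass an `after` timestamp to `check_invalid_token_entries` (or simply look at the Now values printed) to confirm that no entries newer than the restart are being written; an entry whose Expiry is later than Now would point to a different cause than the one in this article.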