Login to the Supervisor Cluster or VKS Cluster using kubectl vsphere login with a domain account failed and returned an "Internal server error".

Article ID: 434553

Products

VMware vSphere Kubernetes Service

Issue/Introduction

Login to the Supervisor Cluster or VKS Cluster using a domain account fails intermittently and returns an "Internal server error".

Environment

vSphere with Tanzu 8.0

Cause

- The issue occurs because communication between the backend vCenter Server and the Domain Controller takes longer than one minute while validating the user credentials.
- At the same time, the kubectl vsphere login command has a default timeout of 60 seconds, which causes the login request to fail before authentication completes.

Resolution

wcp-authproxy

- The wcp-authproxy log confirms that the client connection was closed after 60 seconds:

stderr F INFO:server:[140219366038240] "127.0.0.1" - - [25/Mar/2026:01:36:17 +0000] "GET /wcp/workloads HTTP/1.0" 200 76 "-" "kube-plugin-vsphere bld 24795027 - cln 15520604" "<USERNAME>"
stderr F DEBUG:server:[140219366234464] Request: b'POST' b'/wcp/login' 127.0.0.1
stderr F WARNING:server:[140219366234464] Connection lost. <------------ After 1 min
stderr F twisted.internet.error.ConnectionDone: Connection was closed cleanly.

vmware-identity-sts.log

- The log shows that the authentication process took about 90 seconds to complete:

INFO sts[65:tomcat-http--28] [CorId=######-####-####-######] [com.vmware.identity.sts.ws.handlers.SOAPHeadersExtractor] Found 1 {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security headers
INFO sts[65:tomcat-http--28] [CorId=######-####-####-######]] [com.vmware.identity.sts.impl.STSImpl] Entering issue() token...
INFO sts[65:tomcat-http--28] [CorId=######-####-####-######]] [com.vmware.identity.idm.server.IdentityManager] Authentication succeeded for user [<ACCOUNT>] in tenant [vsphere.local] in [90109] milliseconds with provider [DOMAIN] of type [com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider]
WARN sts[65:tomcat-http--28] [CorId=######-####-####-######]] [com.sun.xml.ws.transport.http.HttpAdapter] Received WS-I BP non-conformant Unquoted SoapAction HTTP header: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue

Further investigation is needed on the communication path between vCenter Server and the Domain Controller, with particular focus on the delay during user authentication.
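
To find every affected login rather than a single one, the check below scans vmware-identity-sts.log for successful authentications that took longer than the 60-second client timeout. It is an added example, not part of the original article or any VMware tooling; the function names and the sample lines are constructed for illustration, and the log path is supplied by the caller.

```python
import re
import sys

# kubectl vsphere login gives up after 60 seconds, per the Cause section.
CLIENT_TIMEOUT_MS = 60_000

# Format of the IdentityManager success line in the STS log excerpt above.
AUTH_RE = re.compile(
    r"Authentication succeeded for user \[(?P<user>[^\]]*)\] "
    r"in tenant \[(?P<tenant>[^\]]*)\] in \[(?P<ms>\d+)\] milliseconds "
    r"with provider \[(?P<provider>[^\]]*)\]"
)

# Constructed sample lines modelled on the excerpt; values are not from a real system.
SAMPLE_LINES = [
    "INFO sts[65:tomcat-http--28] [CorId=sample-1] [com.vmware.identity.idm.server.IdentityManager] "
    "Authentication succeeded for user [<ACCOUNT>] in tenant [vsphere.local] in [90109] milliseconds "
    "with provider [DOMAIN] of type [com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider]",
    "INFO sts[66:tomcat-http--29] [CorId=sample-2] [com.vmware.identity.idm.server.IdentityManager] "
    "Authentication succeeded for user [<ACCOUNT2>] in tenant [vsphere.local] in [412] milliseconds "
    "with provider [DOMAIN] of type [com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider]",
    "INFO sts[65:tomcat-http--28] [CorId=sample-1] [com.vmware.identity.sts.impl.STSImpl] Entering issue() token...",
]

def slow_authentications(lines, threshold_ms=CLIENT_TIMEOUT_MS):
    """Return (line_no, user, provider, ms) for each success slower than threshold_ms."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = AUTH_RE.search(line)
        if m and int(m["ms"]) > threshold_ms:
            hits.append((line_no, m["user"], m["provider"], int(m["ms"])))
    return hits

def worst_by_provider(hits):
    """Map each identity provider to its slowest authentication time in milliseconds."""
    worst = {}
    for _, _, provider, ms in hits:
        worst[provider] = max(ms, worst.get(provider, 0))
    return worst

if __name__ == "__main__":
    # Pass a log file path to scan it; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LINES
    for line_no, user, provider, ms in slow_authentications(lines):
        print(f"line {line_no}: {user} via {provider} took {ms / 1000:.1f}s (> {CLIENT_TIMEOUT_MS // 1000}s)")
```

Grouping the hits with worst_by_provider shows whether the delay is confined to one identity source, which narrows the vCenter Server to Domain Controller path to investigate.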

Additional Information

https://knowledge.broadcom.com/external/article/344878/using-the-lwmeasure-tool-to-detect-laten.html

https://knowledge.broadcom.com/external/article/344880/using-checkadconfig-to-detect-connectivi.html