Virtual Machine Web Console Connection Fails with "Invalid SUBJECT token" or "Token expiration date is in the past" in vCenter Server

Article ID: 440398


Products

VMware vCenter Server 8.0

Issue/Introduction

  • When attempting to launch a Virtual Machine console from vCenter Server, a blank page appears with the error 'Couldn't establish a connection to the VM web console'.
  • VMware Remote Console (VMRC) and RDP sessions function normally.
  • The VM console launches successfully when accessed directly via the ESXi Host Client.
  • In /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log, you observe InvalidGrant errors:
    [YYYY-MM-DDTHH:MM:SS]  [ERROR] nio-127.0.0.1-5090-exec-3672 70124732 109469 200245 c.v.v.r.restclient.impl.EnvoyVapiRequestExecutorServiceImpl       Error obtaining JWT for the vsphere-ui service principal. com.vmware.vcenter.tokenservice.InvalidGrant: InvalidGrant (com.vmware.vcenter.tokenservice.invalid_grant) => {
        messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
        id = com.vmware.vcenter.tokenservice.exceptions.InvalidGrant,
        defaultMessage = Invalid SUBJECT token: tokenType=SAML2,
        args = [],
        params = <null>,
        localized = <null>
    }, LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
        id = com.vmware.identity.saml.InvalidTokenException,
        defaultMessage = Token expiration date: ##i N## 0# ##:19:## GMT 2##4 is in the past.,
  • /var/log/vmware/sso/tokenservice.log shows a similar error indicating that the token expiration date is in the past:

    [YYYY-MM-DDTHH:MM:SS] INFO tokenservice[61:tomcat-http--23] [CorId=####### OpId=##] [com.vmware.identity.token.impl.SamlTokenImpl] Token expiration date: Fri Nov 08 03:36:46 GMT 2024 is in the past.
    [YYYY-MM-DDTHH:MM:SS] ERROR tokenservice[61:tomcat-http--23] [CorId=####### OpId=##] [com.vmware.vcenter.tokenservice.vapi.TokenExchangeProviderImpl] Exchange failed due to invalid grant:
    com.vmware.vcenter.tokenservice.exceptions.InvalidGrant: Invalid SUBJECT token: tokenType=SAML2
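As an added triage check (not part of this article), the following Python script parses tokenservice.log lines for the two messages quoted above, works out how long each rejected token had already been expired when SSO logged the rejection, and compares that against the 600000 millisecond default clock tolerance (treated here as the maximum skew past expiry that SSO still accepts; that reading is an assumption of the example). The sample log lines are constructed: timestamps, CorId/OpId values and the trailing INFO line are placeholders, only the two message texts come from the article, and the bracketed log timestamp is assumed to be UTC.

```python
import re
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Default Token Trustworthiness clock tolerance quoted in the article (milliseconds).
DEFAULT_CLOCK_TOLERANCE_MS = 600000

# Constructed sample, modelled on the tokenservice.log excerpt in the article.
# Timestamps, CorId/OpId values and the last INFO line are placeholders made up
# for this example; only the two message texts are taken from the article.
SAMPLE_TOKENSERVICE_LOG = """\
[2024-11-08T04:02:11] INFO tokenservice[61:tomcat-http--23] [CorId=00000000 OpId=00] [com.vmware.identity.token.impl.SamlTokenImpl] Token expiration date: Fri Nov 08 03:36:46 GMT 2024 is in the past.
[2024-11-08T04:02:11] ERROR tokenservice[61:tomcat-http--23] [CorId=00000000 OpId=00] [com.vmware.vcenter.tokenservice.vapi.TokenExchangeProviderImpl] Exchange failed due to invalid grant:
com.vmware.vcenter.tokenservice.exceptions.InvalidGrant: Invalid SUBJECT token: tokenType=SAML2
[2024-11-08T04:05:00] INFO tokenservice[61:tomcat-http--24] [CorId=00000001 OpId=01] [com.vmware.identity.token.impl.SamlTokenImpl] Unrelated placeholder line for this example.
"""

# "[<timestamp>] ... Token expiration date: <date> is in the past."
EXPIRED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*Token expiration date: (?P<exp>.+?) is in the past"
)
# The InvalidGrant line that follows the failed token exchange.
INVALID_GRANT_RE = re.compile(
    r"InvalidGrant: Invalid SUBJECT token: tokenType=(?P<token_type>\w+)"
)


@dataclass
class ExpiredTokenEvent:
    logged_at: datetime         # when SSO rejected the token
    expired_at: datetime        # expiry stamped inside the SAML token
    expired_for_seconds: float  # how long the token had been expired at that moment
    beyond_tolerance: bool      # True if that exceeds the configured clock tolerance


def parse_log_timestamp(text: str) -> datetime:
    """Parse the bracketed log timestamp; assumed to be UTC (an assumption of this example)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_token_expiry(text: str) -> datetime:
    """Parse the Java-style date in the message, e.g. 'Fri Nov 08 03:36:46 GMT 2024'."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Z %Y").replace(tzinfo=timezone.utc)


def find_expired_token_events(lines, clock_tolerance_ms=DEFAULT_CLOCK_TOLERANCE_MS) -> List[ExpiredTokenEvent]:
    """Return one event per 'Token expiration date ... is in the past' line."""
    events = []
    for line in lines:
        m = EXPIRED_RE.search(line)
        if not m:
            continue
        logged_at = parse_log_timestamp(m.group("ts"))
        expired_at = parse_token_expiry(m.group("exp"))
        expired_for = (logged_at - expired_at).total_seconds()
        events.append(ExpiredTokenEvent(
            logged_at=logged_at,
            expired_at=expired_at,
            expired_for_seconds=expired_for,
            beyond_tolerance=expired_for * 1000 > clock_tolerance_ms,
        ))
    return events


def count_invalid_grants(lines) -> int:
    """Count SUBJECT-token InvalidGrant rejections in the given lines."""
    return sum(1 for line in lines if INVALID_GRANT_RE.search(line))


def main(argv):
    # Read a real tokenservice.log if a path is given; otherwise use the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_TOKENSERVICE_LOG.splitlines()
    events = find_expired_token_events(lines)
    print(f"InvalidGrant rejections: {count_invalid_grants(lines)}")
    for ev in events:
        flag = "beyond tolerance" if ev.beyond_tolerance else "within tolerance"
        print(f"{ev.logged_at.isoformat()} token expired {ev.expired_for_seconds:.0f}s earlier ({flag})")


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the appliance as python3 check_tokenservice.py /var/log/vmware/sso/tokenservice.log (the file name is arbitrary). In the constructed sample the token had been expired for 1525 seconds when SSO rejected it, well past the 600 second default tolerance, which is the pattern to expect when the vsphere-ui solution user token has aged out as described in the Cause section.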

Environment

VMware vCenter Server 8.x

Cause

  • The Token Trustworthiness Clock Tolerance has been set to a value larger than the default. The default value is 600000 milliseconds.
  • The vSphere Client obtains a solution user token from the SSO service when the vsphere-ui service starts. If the tolerance is set to, for example, 600,000 seconds instead of 600,000 milliseconds, the service does not take the value into account, and the token can therefore expire.

Resolution

Fixed in release VMware vCenter Server 8.0 Update 3e and higher. See Download Broadcom products and software for steps to download this release.

Workaround: Modify the Token Trustworthiness Clock Tolerance setting to accommodate the timing mismatch. To avoid being locked out of the vSphere Client, use two different browsers (e.g., Chrome and Firefox) during this process.

Within the vSphere Client, reset the Token Trustworthiness Clock Tolerance value to the default setting of 600000 milliseconds:

  1. Launch the vSphere Client.
  2. Go to Menu > Administration.
  3. Under Single Sign On, select Configuration.
  4. Choose the Local Accounts tab.
  5. Under Token Trustworthiness, click Edit.
  6. Change Clock Tolerance to the default value of 600000 milliseconds.
  7. Restart the vsphere-ui service:
      1. Open an SSH session to the vCenter appliance.
      2. Once logged in, run the command service-control --restart vsphere-ui

Additional Information

Couldn't establish a connection to the VM web console from vSphere Client