Aria Automation vCenter Onboarding Fails with "-32603 Internal Error" and "Error deserializing JSON" Due to Proxy Authentication Failure

Article ID: 440421

Products

VMware vCenter Server

Issue/Introduction

When you attempt to onboard a new vCenter Server Cloud Account in the Aria Automation UI, the validation process fails.

When you review the Orchestrator application logs (/var/log/services-logs/prelude/vco-app/file-logs/vco-server-app.log) or execute the vCSA vAPI Health Check workflow, you see the following exceptions:

InternalError: Error deserializing JSON: Recieved JSON-RPC 2.0 error with code:-32603 and message:Internal error
Error in (Workflow:vCSA vAPI Health Check / Test Endpoint) vAPI endpoint: https://<vcenter-fqdn>/api does not appear to be functional.

Other vCenter Servers in the same environment may connect and validate without issue.

Environment

  • VMware Aria Automation 8.x
  • VMware Aria Automation Orchestrator 8.x
  • Network environment utilizing an authenticating proxy or gateway (e.g., Entrust).

Cause

This issue occurs when an inline proxy intercepts the connection from Aria Automation to the vCenter Server and blocks it due to an authentication failure.

Aria Automation's provisioning-service and vRO vAPI plugins use a strict Java-based REST client to communicate with the vCenter /api endpoint. If the target vCenter is configured within the proxy using an incorrect credential format (such as DOMAIN\user instead of user@domain), the proxy denies the connection. Instead of routing the traffic, the proxy returns an authentication error payload (often an HTML page) and presents its own certificate.

The Aria Automation vAPI client receives this unexpected payload and fails to deserialize it as JSON, yielding the -32603 Internal Error.

Resolution

To resolve this issue, correct the credential format on the proxy appliance so the traffic is permitted to pass.

  1. Access the administration interface of the network proxy/gateway (e.g., Entrust).
  2. Locate the configuration or registration entry for the failing vCenter Server.
  3. Verify the login format used for the service account. If it uses the Down-Level Logon Name format (DOMAIN\user), change it to the User Principal Name (UPN) format (user@domain).
  4. Save the configuration and verify the proxy is no longer blocking connections to the vCenter.
  5. Re-attempt the vCenter Cloud Account validation in the Aria Automation UI.

Additional Information

To verify whether a proxy is intercepting the connection and presenting a mismatched certificate, run a direct cURL test from within the Orchestrator pod:

  1. SSH into the Aria Automation primary node.
  2. Execute the following command, replacing <vcenter-fqdn> with the target vCenter:
    kubectl exec -it -n prelude $(kubectl get pods -n prelude -l app=vco-app -o jsonpath='{.items[0].metadata.name}') -c vco-server-app -- curl -v -k -X POST -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"ping","params":[],"id":1}' https://<vcenter-fqdn>/api
  3. Inspect the "Server certificate:" block in the output. If the subject or issuer indicates a proxy appliance instead of the native VMware vCenter certificate, the proxy is intercepting the traffic.
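
The inspection in step 3 can be scripted against a saved transcript of the command above. The following is an added example, not part of the original article or of VMware's tooling: it extracts the certificate subject and reports whether the final response is JSON or an HTML page. The host names, the sample transcript and the "subject CN equals the vCenter FQDN" heuristic are assumptions.

```shell
#!/bin/sh
# Added example: triage a saved `curl -v` transcript of the probe above.
# Assumes OpenSSL-style verbose lines ("*  subject: ...", "< Content-Type: ...").

# Value of one field from the "Server certificate:" block (subject or issuer).
cert_field() {  # $1 = field, $2 = transcript file
    tr -d '\r' < "$2" | sed -n "s/^\*  *$1: *//p" | head -n 1
}

# Lower-cased value of a response header; the last match is the final response.
resp_header() {  # $1 = header name, $2 = transcript file
    tr -d '\r' < "$2" | grep -i "^< $1:" | tail -n 1 |
        sed 's/^[^:]*: *//' | tr '[:upper:]' '[:lower:]'
}

# Prints "<cert finding> <body finding>" for the FQDN used in the probe URL.
# Heuristic (assumption): vCenter's own certificate carries that FQDN as CN.
triage() {  # $1 = transcript file, $2 = vCenter FQDN
    fq=$(printf '%s' "$2" | sed 's/\./\\./g')
    if cert_field subject "$1" | grep -Eqi "CN ?= ?$fq([;,/ ]|\$)"; then
        cert=cert-matches
    else
        cert=cert-mismatch
    fi
    case "$(resp_header content-type "$1")" in
        application/json*) body=json ;;
        text/html*)        body=html ;;
        *)                 body=unknown ;;
    esac
    echo "$cert $body"
}

# Constructed transcript of a proxy answering in place of vCenter (not real output).
sample_blocked() {
    cat <<'EOF'
* Server certificate:
*  subject: CN=gateway.corp.example; O=Constructed Proxy
*  issuer: CN=Constructed Proxy CA
< HTTP/1.1 403 Forbidden
< Content-Type: text/html; charset=utf-8
<html><body>Authentication failed</body></html>
EOF
}

t=$(mktemp) && sample_blocked > "$t"
echo "subject: $(cert_field subject "$t")"
triage "$t" vcenter01.corp.example   # FQDN is a placeholder
rm -f "$t"
```

A result of "cert-mismatch html" corresponds to the failure described in the Cause section; a certificate that uses a wildcard or carries the FQDN only in its subjectAltName will also report cert-mismatch, so read the printed subject and issuer before concluding.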