Accessing vIDM fails with Error: "You do not have permission to access this page: /hc/xxxx/authenticate/"

Article ID: 396017

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • Login failure while accessing vIDM:
    You do not have permission to access this page: /hc/xxxx/authenticate/

  • Adding Identity Manager FQDN from the admin portal fails.
  • The issue can also manifest as seen in KB 322679

Environment

vIDM 3.3.7

Cause

The IDP configuration value is null in the vIDM node's configuration file config-state.json, which causes authentication to fail. Confirm whether you are encountering this issue by running the following command as the root user in an SSH session to the IDM node(s):

    grep -A 2 '"idp" : {' /opt/vmware/horizon/workspace/conf/states/*/config-state.json

An affected node shows the IDP block as unconfigured with a null host:

    "idp" : {
        "isConfigured" : false,
        "host" : null,

This issue may also arise if the config-state.json file is missing on any of the vIDM standby nodes.

Resolution

Workaround:

Note: Before following the steps below, make sure to take a cold snapshot of all the nodes.

Make note of the worker ID from the error message. For example, 9999 is the worker ID in the following error message:

You do not have permission to access this page: /hc/9999/authenticate/

  1. SSH to the VMware Identity Manager appliance(s) using root credentials. Run the following command and identify which node holds the config-state.json for the worker ID noted from the error message.
    find / -iname config-state.json
  2. Stop the service ONLY on the node that holds the worker ID from the error message.
    service horizon-workspace stop
  3. Back up the current configuration file by renaming it (run this in the directory that step 1 located).
    mv config-state.json config-state.json.bkp
  4. Access Identity Manager over the UI using local credentials, directly on the node. Go to "Identity and Access Management", then to the "Directory Sync and Authentication" section. If the affected node's connector is in use, switch to any other connector.
  5. From the IDP configuration, remove the affected connector. Then add the deleted connector back and save the IDP configuration.
  6. Validate that config-state.json shows the IDP as configured ("isConfigured" : true) after adding the connector back.
  7. Start the horizon-workspace service.
    service horizon-workspace start
  8. Restart the opensearch service.
    /etc/init.d/opensearch restart
  9. Validate that Directory Sync is successful.

If you are instead redirected to /hc/error without the permissions error, follow the steps below:

  1. Take offline snapshots of all vIDM nodes in the cluster to ensure a rollback point.
  2. Log in to the vIDM admin console.
  3. Navigate to Identity & Access Management > Identity Providers.
  4. Select the affected Identity Provider.
  5. Explicitly remove the associated connector nodes from the Identity Provider configuration.
  6. Click Save.
  7. Edit the Identity Provider again and re-add the connector nodes, ensuring the correct Load Balancer FQDN is populated in the IdP Hostname field.
  8. Click Save.
  9. Validate the resolution by executing the triage command again on all nodes:
    grep -A 2 '"idp" : {' /opt/vmware/horizon/workspace/conf/states/*/config-state.json
    The output should now display "isConfigured" : true and list the correct Load Balancer FQDN.
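The following script is an added triage helper, not part of this KB or of VMware's own tooling. It wraps the grep check from the Cause section and from step 9 above so that it can be run once across every worker directory under /opt/vmware/horizon/workspace/conf/states and report, per worker ID, whether the IDP block is healthy, broken (isConfigured false or host null) or missing entirely (the standby-node variant the Cause section mentions). The STATES_ROOT variable, the function names, and the sample worker IDs 1001, 9999 and 2002 with their hostname vidm-lb.example.com are assumptions constructed for the demo; only the path and the grep pattern come from the article.

```shell
#!/bin/sh
# Added triage helper (not from the KB). Checks each worker's config-state.json
# for the unconfigured / null-host IDP block described in the Cause section.

# Default to the path named in the KB; override STATES_ROOT for testing.
STATES_ROOT="${STATES_ROOT:-/opt/vmware/horizon/workspace/conf/states}"

# idp_state FILE  -> prints ok | broken | missing; exit 0 only when ok.
# Mirrors the KB's `grep -A 2 '"idp" : {'` and inspects the two lines after the key.
idp_state() {
    f="$1"
    [ -f "$f" ] || { echo missing; return 2; }
    block=$(grep -A 2 '"idp" : {' "$f")
    if printf '%s\n' "$block" | grep -q '"isConfigured" : true' &&
       ! printf '%s\n' "$block" | grep -q '"host" : null'; then
        echo ok
        return 0
    fi
    echo broken
    return 1
}

# scan_states ROOT -> one line per worker directory: "<workerId> <state>".
# Exit 1 if any worker is not ok, so it can gate a larger runbook.
scan_states() {
    root="$1"
    rc=0
    for d in "$root"/*/; do
        d="${d%/}"
        [ -d "$d" ] || continue
        wid=$(basename "$d")
        st=$(idp_state "$d/config-state.json") || rc=1
        printf '%s %s\n' "$wid" "$st"
    done
    return $rc
}

# make_sample_tree -> builds a constructed states tree in a temp dir and prints
# its path: worker 1001 healthy, worker 9999 matching the KB's broken output,
# worker 2002 with the file missing (the standby-node case). Demo data only.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/1001" "$root/9999" "$root/2002"
    cat > "$root/1001/config-state.json" <<'EOF'
{
  "idp" : {
    "isConfigured" : true,
    "host" : "vidm-lb.example.com",
    "port" : 443
  }
}
EOF
    cat > "$root/9999/config-state.json" <<'EOF'
{
  "idp" : {
    "isConfigured" : false,
    "host" : null,
    "port" : 443
  }
}
EOF
    printf '%s\n' "$root"
}

# Run with --demo to scan the constructed tree; run with no arguments on an
# appliance (after sourcing) and call: scan_states "$STATES_ROOT"
if [ "${1:-}" = "--demo" ]; then
    scan_states "$(make_sample_tree)"
fi
```

On a real appliance, source the file as root and run `scan_states "$STATES_ROOT"`; a worker reported as `broken` is the node to stop in step 2 of the workaround, and a worker reported as `missing` points at the standby-node case.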