Unable to setup Azure AD Identity provider with error "Could not create indirect identity provider: VMware Identity services unavailable" after RDU Upgrade.

Article ID: 312037

Products

VMware vCenter Server

Issue/Introduction

  • Unable to set up Azure AD with error "Could not create indirect identity provider: VMware Identity services unavailable."
  • vCenter was patched using the RDU workflow from 8.x to 8.0 U2.
  • /var/log/vmware/trustmanagement/trustmanagement-svcs.log shows:

YYYY-MM-DDTHH:MM:SS [tomcat-exec-7 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] API request GET_CLIENT_CREDENTIALS_TOKEN to url http://localhost:1080/external-vecs/http1/<vCenter Server FQDN>/443/acs/t/customer/token returned unexpected response code 400 and the following error information: {"error":"server_error","error_description":"Unable to generate the Token."}
YYYY-MM-DDTHH:MM:SS [tomcat-exec-7 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Failed to create Auth Broker IDP
com.vmware.vcenter.trustmanagement.authbroker.BrokerException: VMware Identity services unavailable
        at com.vmware.vcenter.trustmanagement.authbroker.BrokerClient.logAndThrow(BrokerClient.java:1095) ~[libservice.jar:?]
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-embed-core-9.0.91.jar:9.0.91]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) [tomcat-embed-core-9.0.91.jar:9.0.91]
        at java.lang.Thread.run(Thread.java:750) [?:1.8.0_412]
Caused by: com.vmware.vcenter.trustmanagement.authbroker.BrokerClient$HttpStatusException: API request GET_CLIENT_CREDENTIALS_TOKEN failed with response code 400 (Bad Request)

Note: This failure may also happen during a multi-step upgrade from 8.0 U1 to 8.0 U2 to 8.0 U2x.
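As an added triage check (not part of this article or of the attached script), the following Python parses trustmanagement-svcs.log records and reports a match only when both halves of the signature above are present: the GET_CLIENT_CREDENTIALS_TOKEN request answered with 400 and the BrokerException "VMware Identity services unavailable" that follows it. The sample log text, timestamp and FQDN are constructed placeholders.

```python
import json
import re
from typing import Optional

# Constructed excerpt modelled on the trustmanagement-svcs.log lines quoted in
# this article; the timestamp and FQDN are placeholders, not data from a real system.
SAMPLE_LOG = """\
2024-01-01T10:00:00 [tomcat-exec-7 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] API request GET_CLIENT_CREDENTIALS_TOKEN to url http://localhost:1080/external-vecs/http1/vcenter.example.invalid/443/acs/t/customer/token returned unexpected response code 400 and the following error information: {"error":"server_error","error_description":"Unable to generate the Token."}
2024-01-01T10:00:00 [tomcat-exec-7 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Failed to create Auth Broker IDP
com.vmware.vcenter.trustmanagement.authbroker.BrokerException: VMware Identity services unavailable
"""

# One record: "<timestamp> [<thread> [] <LEVEL> <logger>  opId=...] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<thread>\S+) \[\] (?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+opId=[^\]]*\] (?P<msg>.*)$"
)
# The BrokerClient message carrying the HTTP status and the JSON error body.
TOKEN_RE = re.compile(
    r"API request (?P<req>\w+) to url (?P<url>\S+) returned unexpected response code "
    r"(?P<code>\d{3}) and the following error information: (?P<body>\{.*\})$"
)

def find_broker_token_failure(log_text: str) -> Optional[dict]:
    """Return details of the article's failure signature, or None if absent.

    Both parts must be present: GET_CLIENT_CREDENTIALS_TOKEN answered with 400
    by the local broker endpoint, then BrokerException 'VMware Identity
    services unavailable' in the stack trace that follows.
    """
    failure = None
    for line in log_text.splitlines():
        rec = LINE_RE.match(line)
        if rec is not None and failure is None:
            tok = TOKEN_RE.search(rec.group("msg"))
            if tok and tok.group("req") == "GET_CLIENT_CREDENTIALS_TOKEN" and tok.group("code") == "400":
                try:
                    body = json.loads(tok.group("body"))
                except json.JSONDecodeError:
                    body = {}  # broker returned a non-JSON body; keep the status only
                failure = {
                    "timestamp": rec.group("ts"),
                    "thread": rec.group("thread"),
                    "status": int(tok.group("code")),
                    "error": body.get("error"),
                    "error_description": body.get("error_description"),
                }
        elif failure is not None and "BrokerException: VMware Identity services unavailable" in line:
            return failure
    return None  # a 400 alone (or nothing) is not the signature this article describes
```

Run it against the real file with `find_broker_token_failure(open("/var/log/vmware/trustmanagement/trustmanagement-svcs.log").read())`; a non-None result means the log matches this article before you apply the workaround.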

Environment

VMware vCenter Server 8.0
VMware vCenter Server 8.0.2

Cause

The vc-ws1a-broker service configuration files are lost during the RDU upgrade, which leaves the vc-ws1a-broker service in a broken state.

Resolution

This issue is resolved in vCenter Server 8.0 Update 2b (build 23319993).


Workaround:

Run the attached shell script; once it completes, an external Identity Provider can be configured.

  • Download the attached recover_ws1b.sh script and run it as follows:

bash recover_ws1b.sh <Admin user> <Admin password> <External IDP Client secret>

Additional Information

Unable to configure Okta or Azure AD (Entra ID) identity providers.

Attachments

recover_ws1b.sh