ADFS User login failed with error "[400] An error occurred while processing an OAuth 2 authorization code assertion request"

Article ID: 316462


Updated On: 06-12-2025

Products

VMware vCenter Server

Issue/Introduction

  • User logins through ADFS fail in the vCenter GUI with error "[400] An error occurred while processing an OAuth 2 authorization code assertion request".

  • The following error messages can be seen in the vCenter logs:


  • vsphere_client_virgo.log
    --------------------------------------
    [yyyy-mm-ddThh:mm:ss] [INFO ] http-nio-5090-exec-66 70002985 100194 ###### c.v.vsphere.client.security.oauth2.Oauth2CodeResponseHandler Received an Oauth2 Authorization code. Processing it now for Auth Token and exchange...
    [yyyy-mm-ddThh:mm:ss] [ERROR] http-nio-5090-exec-66 70002985 100194 ###### c.v.vsphere.client.security.oauth2.Oauth2CodeResponseHandler Oauth2 Authorization code assertion failed java.lang.NullPointerException: oauth2 authorization code cannot be null
     at org.apache.commons.lang3.Validate.notNull(Validate.java:225)
     at com.vmware.vsphere.client.security.oauth2.Oauth2CodeResponseHandler.acquireAuthTokenByCode(Oauth2CodeResponseHandler.java:129)
     at com.vmware.vsphere.client.security.oauth2.Oauth2CodeResponseHandler.handleRequest(Oauth2CodeResponseHandler.java:74)
     at org.springframework.web.context.support.HttpRequestHandlerServlet.service(HttpRequestHandlerServlet.java:67)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
     at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyServlet.service(HttpServiceRuntimeImpl.java:1256)
     at org.eclipse.equinox.http.servlet.internal.registration.EndpointRegistration.service(EndpointRegistration.java:153)
     at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:50)
     at com.vmware.o6jia.context.web.filter.WelcomeFileFilter.doFilter(WelcomeFileFilter.java:48)
     at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyFilterFactory$LegacyFilter.doFilter(HttpServiceRuntimeImpl.java:1215)
     at org.eclipse.equinox.http.servlet.internal.registration.FilterRegistration.doFilter(FilterRegistration.java:121)

  • SSOAdminserver.log
    -------------------------------
    yyyy-mm-ddThh:mm:ss INFO ssoAdminServer[91:pool-2-thread-4] [OpId=b9e83ea2-b452-45ec-8e4d-c9ea1caf5f46] [com.vmware.vim.vmomi.core.types.impl.VmodlContextImpl] Package com.vmware.vim.binding.lookup loaded in 134 millis
    yyyy-mm-ddThh:mm:ss ERROR ssoAdminServer[91:pool-2-thread-4] [OpId=b9e83ea2-b452-45ec-8e4d-c9ea1caf5f46] [com.vmware.vcenter.tokenservice.providers.LSEndpointProviderImpl] Unable to get endpoint from lookup service; serviceType: (lookup.ServiceType) {
       dynamicType = null,
       dynamicProperty = null,
       product = com.vmware.trustmanagement,
       type = trustmanagement
    }, endPointType: (lookup.EndpointType) {
       dynamicType = null,
       dynamicProperty = null,
       protocol = vapi.json.https,
       type = com.vmware.trustmanagement.vapi
    }
    java.lang.Exception: No services found
     at com.vmware.vcenter.tokenservice.providers.LSEndpointProviderImpl.get(LSEndpointProviderImpl.java:73) [tokenservice-server-7.0.0.jar:?]
     at com.vmware.vcenter.tokenservice.clients.TrustManagementClient.getTrustManagementApiEndpoint(TrustManagementClient.java:132) [tokenservice-server-7.0.0.jar:?]
     at com.vmware.vcenter.tokenservice.clients.TrustManagementClient.getStubContext(TrustManagementClient.java:72) [tokenservice-server-7.0.0.jar:?]
     at com.vmware.vcenter.tokenservice.jit.ForeignTrustIdentityStoreData$ForeignTrustIdentityStoreDataEx.getUpnSuffixes(ForeignTrustIdentityStoreData.java:107) [tokenservice-server-7.0.0.jar:?]
     at com.vmware.identity.admin.server.ims.impl.DomainManagementImpl.getDomains(DomainManagementImpl.java:337) [sso-adminserver-7.0.0.jar:?]
     at com.vmware.identity.admin.vlsi.DomainManagementServiceImpl$4.call(DomainManagementServiceImpl.java:184) [sso-adminserver-7.0.0.jar:?]
     at com.vmware.identity.admin.vlsi.DomainManagementServiceImpl$4.call(DomainManagementServiceImpl.java:170) [sso-adminserver-7.0.0.jar:?]
     at com.vmware.identity.admin.vlsi.util.VmodlEnhancer.invokeVmodlMethod(VmodlEnhancer.java:186) [sso-adminserver-7.0.0.jar:?]
     at com.vmware.identity.admin.vlsi.DomainManagementServiceImpl.getDomains(DomainManagementServiceImpl.java:170) [sso-adminserver-7.0.0.jar:?]



Environment

VMware vCenter Server 7.0.x

Cause

  • The ADFS application group is configured incorrectly.
  • In the Web API section of the ADFS application group, the Relying Party Identifier must be set to the Client Identifier of the group's Server Application, not to the Redirect URIs.
  • If the Relying Party Identifier is not set to the Client Identifier, ADFS does not trust the request from vCenter. The browser is sent back to vCenter without an authorization code, which is why the vsphere_client_virgo.log stack trace above ends in "oauth2 authorization code cannot be null".

Resolution

  • Correct the Web API section of the ADFS application group:

  • On the ADFS server, open AD FS Management -> Application Groups -> (the application group used by vCenter) -> Server Application
    • On the "General" tab, note the Client Identifier.

  • In the same application group, open the Web API entry

  • Make sure that the Relying Party Identifier on the Web API is set to the Client Identifier noted above (and not to a Redirect URI).

    • Note: the two values must match exactly in your environment.
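The same check and fix from the ADFS PowerShell module, as an added example that is not part of the original article. It assumes (not stated in the article) that the application group is named "vCenter", that it contains one Server Application and one Web API, and that the script runs on the primary ADFS server. It flags the misconfiguration the article describes (a Redirect URI entered as the Relying Party Identifier) and, with -Fix, sets the Relying Party Identifier to the Client Identifier.

```powershell
# Added example, not from the KB article or from VMware/Microsoft.
# Audits one ADFS application group: the Web API's Relying Party Identifier
# must contain the Server Application's Client Identifier.
# Assumptions (not from the article): group name "vCenter", one Server
# Application and one Web API in the group, run on the primary ADFS server.
param(
    [string]$GroupName = "vCenter",
    [switch]$Fix
)

Import-Module ADFS

$group = Get-AdfsApplicationGroup -Name $GroupName
if (-not $group) { throw "Application group '$GroupName' not found" }
$groupId = $group.ApplicationGroupIdentifier

# The Server Application's Identifier is the OAuth client_id that vCenter sends.
$server = Get-AdfsServerApplication -ApplicationGroupIdentifier $groupId | Select-Object -First 1
if (-not $server) { throw "No Server Application in group '$GroupName'" }
$clientId = $server.Identifier
Write-Host "Server Application '$($server.Name)'"
Write-Host "  Client Identifier : $clientId"
Write-Host "  Redirect URIs     : $($server.RedirectUri -join ', ')"

# The Web API's Identifier list is the set of relying party identifiers it accepts.
$webApi = Get-AdfsWebApiApplication -ApplicationGroupIdentifier $groupId | Select-Object -First 1
if (-not $webApi) { throw "No Web API in group '$GroupName'" }
$rpIds = @($webApi.Identifier)
Write-Host "Web API '$($webApi.Name)'"
Write-Host "  Relying Party Identifiers: $($rpIds -join ', ')"

# The misconfiguration from the article: a Redirect URI used as the RP identifier.
$badEntries = @($rpIds | Where-Object { $server.RedirectUri -contains $_ })
if ($badEntries.Count -gt 0) {
    Write-Warning "Relying Party Identifier set to a Redirect URI: $($badEntries -join ', ')"
}

if ($rpIds -contains $clientId) {
    Write-Host "OK: Relying Party Identifier matches the Client Identifier."
} elseif ($Fix) {
    # Replace the identifier list with the client identifier only.
    Set-AdfsWebApiApplication -TargetName $webApi.Name -Identifier @($clientId)
    Write-Host "FIXED: Relying Party Identifier set to $clientId"
} else {
    Write-Warning "MISMATCH: Relying Party Identifier does not include $clientId. Re-run with -Fix to correct."
}
```

Run it first without -Fix to see the current values; -Fix replaces the Web API's identifier list with just the Client Identifier, so if you intentionally have additional relying party identifiers on that Web API, add the Client Identifier by hand in AD FS Management instead.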



Additional Information

 Until the Relying Party Identifier is corrected, all Active Directory user logins to vCenter through ADFS are affected; logins through other identity sources are not.