"[400] An error occurred while sending an authentication request" while logging in to vSphere Client using the vCenter Server shortname
Article ID: 318196

Updated On: 03-17-2025

Products

VMware vCenter Server

Issue/Introduction

  • Logging in to the vSphere Client using the vCenter Server short name (an alias rather than the FQDN) fails with the following error:
[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server- An error occurred when processing meta data during vCenter Single Sign-On setup: the service provider validation failed. Verify that the server URL is correct and is in FQDN format, or that the hostname is a trusted service provider alias.
 
  • The issue is not observed when using the Fully Qualified Domain Name (FQDN), or an IP address that reverse-resolves to the FQDN of the vCenter Server.
  • After replacing the Machine SSL certificate, the vSphere Client will not load when an alias is used for the vCenter name. Although this is not common, some administrators log in to vCenter with an alias instead of the vCenter hostname or IP address.

Environment

VMware vCenter Server 7.x

Cause

The vSphere Client validates the hostname in the request URL before it sends the authentication request to vCenter Single Sign-On: the hostname must be the vCenter FQDN (or an IP address that reverse-resolves to it), or a name explicitly whitelisted as a trusted service provider alias. Check the following:

1. DNS forward (A) and reverse (PTR) records exist for the alias.

2. The alias is listed on the new certificate as one of the DNS entries under the Subject Alternative Name (SAN).

3. The /etc/vmware/vsphere-ui/webclient.properties file has the alias whitelisted, and the following line is not commented out:

     sso.serviceprovider.alias.whitelist=<aliasFQDN> 

     Where <aliasFQDN> is the alias that is used for the vCenter, without the <> marks.

4. The ownership of the webclient.properties file. It must be owned by the vsphere-ui account; if it is owned by root, the vSphere Client will not load.

Resolution


This is expected behavior.

vSphere 7.0 requires that the hostname used to reach the vSphere Client is the vCenter FQDN, or an IP address that reverse-resolves to the FQDN, before Single Sign-On authentication is allowed; any other name must be whitelisted as a service provider alias.
  1. Add DNS forward and reverse records for the alias where applicable.

  2. If the alias is missing from the Subject Alternative Name, re-issue the Machine SSL certificate with the alias in the SAN.

  3. Uncomment sso.serviceprovider.alias.whitelist= and add the alias after the = sign.

    To enable short name access to vCenter, add the desired short name to the webclient.properties file.
    Note: Ensure you have a backup of the vCenter Server Appliance (VCSA) before making any changes.

    Log in to the vCenter Server Appliance via SSH/PuTTY as root and enable the shell (type shell at the appliance prompt if the Bash shell is not the default).
    1. Stop the vSphere Client service:
      service-control --stop vsphere-ui

    2. Change to the vsphere-ui directory that holds webclient.properties:

      cd /etc/vmware/vsphere-ui/

    3. Before editing, back up webclient.properties:

      cp webclient.properties /var/tmp/webclient.properties.bak

    4. Add the desired short name under sso.serviceprovider.alias.whitelist:
    • vi webclient.properties

    • Type i to enter insert mode

    • Remove the comment marker (#) from sso.serviceprovider.alias.whitelist=

    • Add the short name (comma-separated if there are multiple values)

    • Press Esc to leave insert mode, then type :wq! to save and exit vi

      Example:

      sso.serviceprovider.alias.whitelist=vcsa70

    5. Make sure the file is still owned by the vsphere-ui account and not by root. compatibility-matrix.xml in the same directory is owned by vsphere-ui, so its ownership can be copied:

        chown --reference=compatibility-matrix.xml webclient.properties

    6. Start the vSphere Client service:

        service-control --start vsphere-ui

Additional Information

This issue is being checked by Diagnostics for VMware Cloud Foundation.

The check is as follows:

  • Product: vCenter
  • Log File: vsphere_client_virgo.log
  • Log Expression Check "did not pass validation. Check that the request URL is correct and in FQDN format"
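The four checks from the Cause section, the whitelist edit from the Resolution procedure and the Diagnostics log expression above, collected into one shell script. This is an added example, not code from the article or from Broadcom/VMware: the function names are the editor's, the sample webclient.properties and the log excerpt are constructed here, and the live DNS, certificate and ownership helpers assume the getent, openssl and stat tools present on the appliance.

```shell
#!/bin/bash
# Added example (not Broadcom/VMware code). Function names, the sample
# properties file and the sample log lines are constructed for this page.

# Constructed stand-in for /etc/vmware/vsphere-ui/webclient.properties with the
# whitelist key still commented out. Prints the temp file path.
make_sample_props() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# vSphere Client properties (constructed sample, not the real file)
sso.serviceprovider.validation.enabled=true
#sso.serviceprovider.alias.whitelist=
EOF
    printf '%s\n' "$f"
}

# Value of the active (uncommented) whitelist key; empty if absent or commented.
whitelist_value() {
    sed -n 's/^[[:space:]]*sso\.serviceprovider\.alias\.whitelist=//p' "$1" | head -n 1
}

# 0 if ALIAS is one of the comma-separated whitelist entries in FILE (cause 3).
whitelist_has_alias() {
    whitelist_value "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF -- "$2"
}

# Uncomment the key if needed and append ALIAS; no-op if already listed.
# The result is written back with cat > FILE rather than mv, so the file keeps
# its owner (cause 4: a root-owned webclient.properties stops the client).
whitelist_add_alias() {
    file="$1"; alias="$2"
    whitelist_has_alias "$file" "$alias" && return 0
    tmp="$(mktemp)"
    awk -v a="$alias" '
        /^[[:space:]]*#?[[:space:]]*sso\.serviceprovider\.alias\.whitelist=/ && !done {
            sub(/^[[:space:]]*#?[[:space:]]*/, "")
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            $0 = "sso.serviceprovider.alias.whitelist=" (val == "" ? a : (val "," a))
            done = 1
        }
        { print }
        END { if (!done) print "sso.serviceprovider.alias.whitelist=" a }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Owner of FILE (GNU stat on the appliance, BSD stat fallback on a workstation).
file_owner() {
    stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"
}

# 0 if ALIAS resolves forward and the address resolves back to ALIAS or FQDN
# (cause 1). Needs live DNS, so it is not run against the constructed sample.
dns_round_trip() {
    ip="$(getent hosts "$1" | awk 'NR == 1 { print $1 }')"
    [ -n "$ip" ] || return 1
    getent hosts "$ip" | tr ' ' '\n' | grep -qxF -e "$1" -e "$2"
}

# 0 if the PEM certificate on stdin lists ALIAS as a DNS SAN entry (cause 2).
# Feed it a file, or the live Machine SSL certificate, for example:
#   openssl s_client -connect vcsa70:443 -servername vcsa70 </dev/null 2>/dev/null \
#     | cert_san_has_alias vcsa70
cert_san_has_alias() {
    openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | grep -qxF -- "$1"
}

# Number of vsphere_client_virgo.log lines matching the Diagnostics expression.
virgo_alias_failures() {
    grep -cF 'did not pass validation. Check that the request URL is correct and in FQDN format' "$1"
}

# Constructed log excerpt; the line layout is illustrative, not a real log.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[2025-03-17T10:00:01.000Z] [INFO ] vsphere-ui  Service provider validation started
[2025-03-17T10:00:01.250Z] [ERROR] vsphere-ui  Request URL https://vcsa70/ui/ did not pass validation. Check that the request URL is correct and in FQDN format
EOF

# Demonstration on the constructed sample, never on the live appliance file.
DEMO_PROPS="$(make_sample_props)"
whitelist_add_alias "$DEMO_PROPS" vcsa70
printf 'whitelist now: %s (owner %s)\n' "$(whitelist_value "$DEMO_PROPS")" "$(file_owner "$DEMO_PROPS")"
printf 'virgo log hits: %s\n' "$(virgo_alias_failures "$SAMPLE_LOG")"
```

On the appliance, run whitelist_add_alias /etc/vmware/vsphere-ui/webclient.properties vcsa70 only after stopping vsphere-ui and taking the backup from step 3; the file is rewritten in place with cat > so its vsphere-ui ownership survives, which is what the chown step otherwise has to repair. The DNS and SAN helpers are shown but not exercised on the constructed data because they need the real name server and certificate.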