Unable to login to VCSA using UPN that is different than the initial UPN used for configuring ADFS, the ADFS integrated authentication fails with “no roles assigned”.


Article ID: 340387

Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

  • When logging into vCenter with AD credentials such as [email protected], the login fails with the error "Invalid username" and no redirection to ADFS occurs.
  • Login works when the UPN suffix is the domain FQDN that was initially used for configuring ADFS (example: domain.local).
  • /var/log/vmware/sso/websso.log on the vCenter server shows the attempt being handled by the Active Directory identity source rather than ADFS:
INFO websso[70:tomcat-http--40]    [CorId=63xxd7fe-c47x-4b93-bd2d-xxxxe86f280][com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [[email protected]] in tenant [vsphere.local] in [122] milliseconds with provider [ads.domain.com] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]

ERROR websso[70:tomcat-http--40]  [CorId=63xxd7fe-c47x-4b93-bd2d-xxxxe86f280][com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Native platform error [code: 851968][null][null]'

INFO websso[70:tomcat-http--40]  [CorId=63xxd7fe-c47x-4b93-bd2d-xxxxe86f280] [auditlogger] {"user":"[email protected]","client":"2001:67c:17b0:17x0::ffd2","timestamp":"MM/DD/YYYY HH:MM:SS GMT","description":"User [email protected]@200x:xxc:1xb0:xx10::ffx2 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
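To confirm that the failing logins really are the ones with a UPN suffix other than the domain registered for the ADFS identity provider, the audit entries in websso.log can be grouped by suffix. The script below is an added example, not part of this article or of vCenter; the log path, the IdP domain and the sample log lines are constructed for the example (copy the log off the appliance first, for instance with scp).

```powershell
# Added example (not from the KB): group failed websso logins by UPN suffix and
# flag suffixes that differ from the domain configured for the ADFS identity
# provider in vCenter. Log path and IdP domain are assumptions for the example.
param(
    [string]$LogPath   = '.\websso.log',
    [string]$IdpDomain = 'domain.local'   # domain configured for the ADFS IdP in vCenter (assumption)
)

# Constructed sample lines in the format shown in the KB; used when no log file is present.
$sample = @'
INFO websso[70:tomcat-http--40] [CorId=1] [com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [jdoe@domain.com] in tenant [vsphere.local] in [122] milliseconds with provider [ads.domain.com] of type [com.vmware.identity.idm.server.provider.activedirectory.ActiveDirectoryProvider]
INFO websso[70:tomcat-http--40] [CorId=1] [auditlogger] {"user":"jdoe@domain.com","client":"2001:db8::1","timestamp":"01/01/2024 10:00:00 GMT","description":"User jdoe@domain.com@2001:db8::1 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
INFO websso[70:tomcat-http--41] [CorId=2] [auditlogger] {"user":"asmith@domain.local","client":"203.0.113.5","timestamp":"01/01/2024 10:01:00 GMT","description":"User asmith@domain.local@203.0.113.5 logged in with response code 200","eventSeverity":"INFO","type":"com.vmware.sso.LoginSuccess"}
INFO websso[70:tomcat-http--42] [CorId=3] [auditlogger] {"user":"bkim@domain.com","client":"203.0.113.9","timestamp":"01/01/2024 10:02:00 GMT","description":"User bkim@domain.com@203.0.113.9 failed to log in with response code 401","eventSeverity":"INFO","type":"com.vmware.sso.LoginFailure"}
'@ -split "`n"

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }

$failures = foreach ($line in $lines) {
    # The audit entry carries a JSON object after "[auditlogger]"; parse it instead of regexing the whole line.
    if ($line -match '\[auditlogger\]\s+(\{.*\})\s*$') {
        $evt = $Matches[1] | ConvertFrom-Json
        if ($evt.type -eq 'com.vmware.sso.LoginFailure' -and $evt.user -match '^(?<user>[^@]+)@(?<suffix>[^@]+)$') {
            [pscustomobject]@{
                User   = $Matches['user']
                Suffix = $Matches['suffix']
                Client = $evt.client
                Time   = $evt.timestamp
            }
        }
    }
}

# One row per suffix: a suffix that is not the IdP domain is the case this article describes.
$failures | Group-Object Suffix | Sort-Object Count -Descending | ForEach-Object {
    $flag = if ($_.Name -ieq $IdpDomain) { 'matches IdP domain' } else { "DOES NOT match IdP domain $IdpDomain" }
    '{0,-20} {1,3} failed login(s)  {2}' -f $_.Name, $_.Count, $flag
}
```

Run it on the AD FS or an admin workstation after copying websso.log there; with the constructed sample it reports two failures for domain.com, flagged as not matching the IdP domain, and none for domain.local.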

Environment

vCenter Server 7.0.x

Cause

The UPN suffix used at login must match the domain name configured for the ADFS identity provider in vCenter. vCenter selects the identity source from that suffix, so a UPN with a different suffix is not redirected to ADFS; the attempt is handled by the Active Directory identity source instead (as the websso.log entries above show) and fails.

Resolution

This is a known issue; currently there is no resolution.

Workaround:

1. Find and edit the application group in the AD FS Management console.

2. Edit the Web API application.

3. Select the Issuance Transform Rules tab.

4. Remove the existing UPN claim rule that mapped the "User-Principal-Name" LDAP Attribute to the "UPN" Outgoing Claim Type.

5. Add a new Issuance Transform Rule and select "Transform an Incoming Claim".

6. Enter any name for the new rule.

7. Select "UPN" for the incoming and outgoing claim types.

8. Select "Replace incoming e-mail suffix claims with a new e-mail suffix".

9. Enter the domain name that corresponds to the ADFS identity provider configuration in vCenter (use the exact domain name that should be used for authentication).

10. Click Finish to save the rule.

11. Log in using the URL https://<VCSA_FQDN>/ui/login/oauth2 (for example, https://VCSA1/ui/login/oauth2).
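Steps 1 to 10 can also be done with the AD FS PowerShell module on the AD FS server, which makes the change reviewable before it is saved. The script below is an added example, not code from this article, VMware or Microsoft; the Web API application name and the target UPN suffix are assumptions, and the way it splits the serialized rule set into individual rules is a heuristic described in the comments. The transform rule text is what the AD FS console generates for "Transform an Incoming Claim" with "Replace incoming e-mail suffix claims with a new e-mail suffix".

```powershell
# Added example (not from the KB): perform workaround steps 1-10 with the AD FS
# cmdlets. $WebApiName and $UpnSuffix are assumptions; list the real names with
#   Get-AdfsApplicationGroup | Select-Object Name, Applications
param(
    [string]$WebApiName = 'vCenter Server - Web API',   # Web API application in the application group (assumption)
    [string]$UpnSuffix  = 'domain.local',               # domain configured for the ADFS IdP in vCenter (assumption)
    [switch]$Apply                                      # without -Apply the script only prints the resulting rule set
)

$upnType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

$app = Get-AdfsWebApiApplication -Name $WebApiName
if (-not $app) { throw "Web API application '$WebApiName' not found" }

# Split the serialized rule set into individual rules. Each rule ends with ';' at the end of a line;
# the ';' inside an LDAP query string (";userPrincipalName;{0}") is not followed by a newline, so it is
# not a split point. This is a heuristic for console-generated rules (assumption).
$rules = @($app.IssuanceTransformRules -split '(?<=;)\s*\r?\n' | Where-Object { $_.Trim() })

# Step 4: drop the "Send LDAP Attributes as Claims" rule that issues UPN straight from userPrincipalName.
$kept = @($rules | Where-Object {
    -not ($_ -match 'query\s*=\s*";userPrincipalName;\{0\}"' -and $_ -match [regex]::Escape($upnType))
})
if ($kept.Count -eq $rules.Count) {
    Write-Warning 'No LDAP UPN rule found to remove; review the existing rules before applying.'
}

# Steps 5-9: "Transform an Incoming Claim", UPN -> UPN, replace the suffix after '@' with $UpnSuffix.
# "`${user}" keeps the literal ${user} back-reference for the claim rule engine.
$transform = @"
@RuleTemplate = "MapClaims"
@RuleName = "Rewrite UPN suffix to $UpnSuffix"
c:[Type == "$upnType"]
 => issue(Type = "$upnType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = RegExReplace(c.Value, "(?<user>[^@]+)@(.+)", "`${user}@$UpnSuffix"), ValueType = c.ValueType);
"@

$newRuleSet = ($kept + $transform) -join "`r`n`r`n"
Write-Output "Issuance transform rules for '$WebApiName' after the change:`n`n$newRuleSet"

# Step 10: save only when explicitly asked to.
if ($Apply) {
    Set-AdfsWebApiApplication -TargetName $WebApiName -IssuanceTransformRules $newRuleSet
    Write-Output 'Rules applied.'
}
```

Run it once without -Apply, check that the printed rule set still contains the other rules the vCenter Web API application needs (for example the group claim rule) and that only the LDAP UPN rule was removed, then rerun with -Apply and test the login at step 11.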