ADFS Identity Provider for vCenter Configuration Fails with InvalidArgumentException: java.io.IOException: Server returned HTTP response code: 503 errors

Article ID: 369782

Products

VMware vCenter Server

Issue/Introduction

  • vCenter Server cannot open a connection to the AD FS server on the required port (443 in the errors below). This is commonly caused by a firewall rule, or by a missing NAT rule when the AD FS server is reached through a NAT'd address.
  • Errors similar to the following appear in the vCenter Server logs:
     2025-05-14T13:22:19.028-06:00 [tomcat-exec-16 [] ERROR com.vmware.vcenter.trustmanagement.impl.TrustUtil  opId=] Unable to get metadata from discovery endpoint https://<adfs server>/adfs/.well-known/openid-configuration
    java.io.IOException: Server returned HTTP response code: 503 for URL: http://localhost:1080/external-vecs/http1/<adfs server>/443/adfs/.well-known/openid-configuration
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1902) ~[?:1.8.0_412]

    Or

    [tomcat-exec-4 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdentityMigration opId=] Error changing identity provider configuration: com.vmware.vcenter.trustmanagement.impl.InvalidArgumentException: java.io.IOException: Server returned HTTP response code: 526 for URL: http://localhost:1080/external-vecs/http1/<adfs server>/443/adfs/.well-known/openid-configuration
    com.vmware.vcenter.trustmanagement.impl.InvalidArgumentException: com.vmware.vcenter.trustmanagement.impl.InvalidArgumentException: java.io.IOException: Server returned HTTP response code: 526 for URL: http://localhost:1080/external-vecs/http1/<adfs server>/443/adfs/.well-known/openid-configuration
            at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.performDiscovery(VcIdentityProviders.java:2072) ~[libservice.jar:?]

 

Cause

  • A firewall or security appliance blocks the connection from vCenter Server to the AD FS server (typically reported as HTTP 503 from the local proxy URL in the log).
  • A TLS problem between vCenter Server and the AD FS server, for example an AD FS certificate that vCenter Server does not trust, or TLS settings on the AD FS server that vCenter Server cannot negotiate (typically reported as HTTP 526).

Resolution

  • Verify network connectivity from the vCenter Server appliance to the AD FS server, and add NAT or firewall rules on any security devices in the path as needed.
  • Use curl from the vCenter Server appliance shell to test the connection to the AD FS discovery endpoint, as in the following example. See Using Curl to test port connectivity in VMware vCenter Server Appliance. The output below shows a blocked connection: the TCP connect to port 443 times out after 130 seconds, which matches the 503 variant of the error.
    root@xxxxxx [ ~ ]# curl -v https://<adfs server>/adfs/.well-known/openid-configuration
    * Trying <IP address of adfs server>:443...
    * Trying [##:####::####:####]:443...
    * Immediate connect fail for ##:####::####:####: Cannot assign requested address
    * connect to <IP address of adfs server> port 443 failed: Connection timed out
    * Failed to connect to <adfs server> port 443 after 130005 ms: Couldn't connect to server
    * Closing connection 0
    curl: (28) Failed to connect to ####.###.## port 443 after 130005 ms: Couldn't connect to server

 

Please Note: This connection is a prerequisite for AD FS Identity Provider configuration; see Configure vCenter Server Identity Provider Federation for AD FS in the VMware documentation.

vCenter Server must be able to connect to the AD FS discovery endpoint, and also to the authorization, token, logout, JWKS, and any other endpoints advertised in the discovery endpoint metadata. Testing only the discovery URL is therefore not sufficient: a firewall rule that allows that one path but not the others will still break the federation.
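The following script is an added example, not code from this article or from VMware. It runs the checks described above from the vCenter Server appliance shell: it probes the AD FS discovery endpoint, then every endpoint the discovery document advertises, classifies each failure from curl's exit code so a blocked network path can be told apart from a TLS rejection, and rewrites each URL into the localhost:1080/external-vecs form seen in the vCenter log so a failing endpoint can be matched to its log line. It assumes curl and openssl are present on the appliance; adfs.example.local is a placeholder host, SAMPLE_METADATA is constructed data, and the optional ADFS_CA variable is an assumption of this script, not a vCenter setting.

```shell
#!/bin/bash
# Added example, not code from the KB article or from VMware. Reproduces from the
# VCSA shell the checks the article calls for: reach the AD FS discovery endpoint,
# then every endpoint it advertises, and tell a blocked network path apart from a
# TLS failure. Assumes curl and openssl on the appliance. ADFS_CA (optional, this
# script's own convention) may point at a PEM bundle for the CA that issued the AD FS
# certificate. adfs.example.local is a placeholder; SAMPLE_METADATA is constructed.

SAMPLE_METADATA='{"issuer":"https://adfs.example.local/adfs",
"authorization_endpoint":"https://adfs.example.local/adfs/oauth2/authorize/",
"token_endpoint":"https://adfs.example.local/adfs/oauth2/token/",
"jwks_uri":"https://adfs.example.local/adfs/discovery/keys",
"end_session_endpoint":"https://adfs.example.local/adfs/oauth2/logout"}'

# Pull the endpoint URLs vCenter must reach out of discovery JSON on stdin
# (grep/sed only, so there is no jq dependency on the appliance).
extract_endpoints() {
  grep -oE '"(authorization_endpoint|token_endpoint|jwks_uri|end_session_endpoint|userinfo_endpoint)"[[:space:]]*:[[:space:]]*"[^"]+"' \
    | sed -E 's/^"[^"]+"[[:space:]]*:[[:space:]]*"([^"]+)"$/\1/'
}

url_host() { printf '%s\n' "$1" | sed -E 's#^https?://([^/:]+).*#\1#'; }
url_path() { local p; p=$(printf '%s\n' "$1" | sed -E 's#^https?://[^/]+##'); printf '%s\n' "${p:-/}"; }
url_port() {
  local p
  p=$(printf '%s\n' "$1" | sed -nE 's#^https?://[^/:]+:([0-9]+).*#\1#p')
  if [ -n "$p" ]; then printf '%s\n' "$p"
  elif [ "${1#https://}" != "$1" ]; then echo 443
  else echo 80; fi
}

# Rewrite a URL into the localhost:1080/external-vecs form that appears in the
# vCenter log (host, then port, then path), to match a failure to its log line.
proxy_url() {
  printf 'http://localhost:1080/external-vecs/http1/%s/%s%s\n' \
    "$(url_host "$1")" "$(url_port "$1")" "$(url_path "$1")"
}

# Probe one URL; classify the failure from curl's exit code and return that code.
probe_endpoint() {
  local url="$1" code rc=0
  code=$(curl -sS --connect-timeout 10 --max-time 30 ${ADFS_CA:+--cacert "$ADFS_CA"} \
           -o /dev/null -w '%{http_code}' "$url" 2>/dev/null) || rc=$?
  case "$rc" in
    0)    printf 'OK   %s -> HTTP %s\n' "$url" "$code"; return 0 ;;
    6)    printf 'FAIL %s -> DNS resolution failed\n' "$url" ;;
    7|28) printf 'FAIL %s -> no TCP path to port %s (firewall or NAT rule?)\n' "$url" "$(url_port "$url")" ;;
    35)   printf 'FAIL %s -> TLS handshake failed (protocol or cipher mismatch?)\n' "$url" ;;
    60)   printf 'FAIL %s -> certificate not trusted by this host\n' "$url" ;;
    *)    printf 'FAIL %s -> curl exit code %s\n' "$url" "$rc" ;;
  esac
  printf '     vCenter would log this target as %s\n' "$(proxy_url "$url")"
  return "$rc"
}

# Show the certificate AD FS actually presents, to compare with what vCenter trusts.
show_tls() {
  local host="$1" port="${2:-443}"
  openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Full check: discovery endpoint first, then every endpoint it advertises.
check_adfs() {
  local server="$1" disc meta url fails=0 rc=0
  disc="https://${server}/adfs/.well-known/openid-configuration"
  probe_endpoint "$disc" || rc=$?
  case "$rc" in 35|60) show_tls "$server" ;; esac
  [ "$rc" -eq 0 ] || return 1
  meta=$(curl -sS --connect-timeout 10 ${ADFS_CA:+--cacert "$ADFS_CA"} "$disc") || return 1
  for url in $(printf '%s\n' "$meta" | extract_endpoints); do
    probe_endpoint "$url" >/dev/null || fails=$((fails + 1))
    probe_endpoint "$url" >/dev/null 2>&1; :
  done
  [ "$fails" -eq 0 ]
}

# Usage on the VCSA:  ./check_adfs.sh adfs.example.local
#                     ADFS_CA=/tmp/adfs-ca.pem ./check_adfs.sh adfs.example.local
if [ $# -gt 0 ]; then check_adfs "$1"; fi
```

A clean run prints OK for the discovery URL and for each advertised endpoint. A 7/28 result on any of them points at the firewall or NAT path (the 503 case in this article); a 35 or 60 result, with the certificate subject and issuer printed by openssl, points at the AD FS TLS configuration or an untrusted certificate (the 526 case). Note that curl trusting the certificate via ADFS_CA does not by itself mean vCenter trusts it; the point of the distinction is to know which side to fix.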

 

Additional Information

  • The URL in the error (http://localhost:1080/external-vecs/http1/adfs.example.local/443/adfs/.well-known/openid-configuration) is not a misconfiguration. vCenter Server sends its outbound request through a local proxy listening on localhost:1080, and the path encodes the real target: the AD FS host (adfs.example.local), the port (443), and the path on the AD FS server (/adfs/.well-known/openid-configuration). The proxy makes the TLS connection to AD FS on vCenter Server's behalf, which is why the error is reported against a localhost URL even though the failure is between vCenter Server and AD FS.
  • HTTP 526 is not a standard status code. Here it is returned by that local proxy and indicates a TLS validation problem: the AD FS server presented a certificate the proxy could not validate, or a TLS session could not be established at all. A 503 from the same localhost URL, by contrast, corresponds to the proxy being unable to reach the AD FS server, as in the curl timeout shown under Resolution.

In the case this article is based on, the root cause was the TLS configuration on the AD FS side: the AD FS server had been moved from Windows Server 2019 to Windows Server 2022, and its AD FS settings had to be reconfigured for the new operating system before vCenter Server could complete discovery.