Any Azure user that belongs to one domain and is a member of a group from a different domain cannot log in to vCenter, even if that group has the Administrator role assigned to it.
The following entries are observed in vsphere_client_virgo.log under /var/log/vmware/vsphere-ui/logs/:
[2024-05-15T16:03:43.807+02:00] [WARN ] im-authentication-pool-73777 70085232 103504 200252 com.vmware.vsphere.client.security.VimAuthenticationHandler Login to vCenter Server https://Domain.com:443/sdk failed with NoPermission error for user - null
[2024-05-15T16:03:43.807+02:00] [INFO ] -nio-127.0.0.1-5090-exec-995 70085232 103504 200252 com.vmware.vsphere.client.security.VimAuthenticationHandler LinkedVcGroupRegistry login complete 103504
[2024-05-15T16:03:43.807+02:00] [ERROR] -nio-127.0.0.1-5090-exec-995 70085232 103504 200252 com.vmware.vise.security.spring.DefaultAuthenticationProvider Authentication failure com.vmware.vise.security.
vCenter 8.0 U2
In a vCenter SAML token, the domain of every group always matches the domain of the user for whom the token was generated. A group whose domain differs from the user's domain is still added to the token, but it is added with the user's domain rather than the group's actual domain.
For example, if user [email protected] is a member of [email protected] and [email protected], then test receives a vCenter SAML token containing both groups, but both are added with the ext.vmware.com domain only.
The token would therefore contain a group called [email protected] even though the actual group name is [email protected]. If permissions had previously been assigned to [email protected], the group UPN in the token would not match that permission, and vCenter would return authorization errors.
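The following script is an added illustration of the mismatch described above; it is not vCenter code and does not parse real SAML tokens. It models the defective behaviour (every group stamped with the user's domain) next to the corrected behaviour (group domains preserved), shows why a permission keyed by the group's real UPN no longer matches, lists the cross-domain groups an administrator should check before relying on them, and scans vsphere_client_virgo.log lines for the NoPermission signature. The user test@ext.vmware.com comes from the article; the group names and the corp.example.com domain are constructed placeholders.

```python
"""Model of the SAML group-domain mismatch (hypothetical, not vCenter's implementation)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str

    @property
    def upn(self) -> str:
        return f"{self.name}@{self.domain}"


def parse_upn(upn: str) -> Principal:
    """Split name@domain; domains are compared case-insensitively."""
    name, sep, domain = upn.rpartition("@")
    if not sep or not name or not domain:
        raise ValueError(f"not a UPN: {upn!r}")
    return Principal(name, domain.lower())


def token_groups_8u2(user_upn: str, group_upns: list[str]) -> list[str]:
    """Defective behaviour: every group is written with the user's domain."""
    user = parse_upn(user_upn)
    return [f"{parse_upn(g).name}@{user.domain}" for g in group_upns]


def token_groups_8u3(user_upn: str, group_upns: list[str]) -> list[str]:
    """Corrected behaviour: each group keeps its own domain."""
    parse_upn(user_upn)  # validate the user UPN as well
    return [parse_upn(g).upn for g in group_upns]


def cross_domain_groups(user_upn: str, group_upns: list[str]) -> list[str]:
    """Groups whose domain differs from the user's: the ones whose permissions
    cannot match the token while the defect is present."""
    user = parse_upn(user_upn)
    return [g for g in group_upns if parse_upn(g).domain != user.domain]


def is_authorized(token_groups: list[str], permissions: dict[str, str],
                  required_role: str = "Administrator") -> bool:
    """Permission lookup keyed by the exact group UPN carried in the token."""
    return any(permissions.get(g.lower()) == required_role for g in token_groups)


# Signature of the failed login in vsphere_client_virgo.log.
_NOPERM = re.compile(r"^\[(?P<ts>[^\]]+)\] \[WARN \].*NoPermission error for user - (?P<user>\S+)")


def nopermission_logins(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (timestamp, user) for every NoPermission login failure."""
    hits = []
    for line in log_lines:
        m = _NOPERM.match(line)
        if m:
            hits.append((m.group("ts"), m.group("user")))
    return hits


# Constructed sample: user from the article, placeholder groups and domain.
USER = "test@ext.vmware.com"
GROUPS = ["vc-admins@ext.vmware.com", "vc-admins@corp.example.com"]
PERMISSIONS = {"vc-admins@corp.example.com": "Administrator"}

# Constructed log excerpt modelled on the entries quoted in the article.
SAMPLE_LOG = [
    "[2024-05-15T16:03:43.807+02:00] [WARN ] im-authentication-pool-73777 70085232 103504 200252 "
    "com.vmware.vsphere.client.security.VimAuthenticationHandler Login to vCenter Server "
    "https://Domain.com:443/sdk failed with NoPermission error for user - null",
    "[2024-05-15T16:03:43.807+02:00] [INFO ] -nio-127.0.0.1-5090-exec-995 70085232 103504 200252 "
    "com.vmware.vsphere.client.security.VimAuthenticationHandler LinkedVcGroupRegistry login complete 103504",
]

if __name__ == "__main__":
    print("cross-domain groups :", cross_domain_groups(USER, GROUPS))
    print("token on 8.0 U2     :", token_groups_8u2(USER, GROUPS),
          "-> authorized:", is_authorized(token_groups_8u2(USER, GROUPS), PERMISSIONS))
    print("token on 8.0 U3     :", token_groups_8u3(USER, GROUPS),
          "-> authorized:", is_authorized(token_groups_8u3(USER, GROUPS), PERMISSIONS))
    print("NoPermission logins :", nopermission_logins(SAMPLE_LOG))
```

Running it shows the group from corp.example.com being rewritten to ext.vmware.com in the modelled 8.0 U2 token, so the Administrator permission assigned to the real group UPN never matches and the login fails, while the corrected token authorizes as expected. The same listing of cross-domain groups is the practical check: until the upgrade, grant the role to a group in the user's own domain or to the user directly.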
This issue is resolved in vCenter 8.0 U3.