Unable to authenticate to vCenter with Azure AD users when vCenter is configured to use a proxy. Access fails with error "Access denied. Unable to authenticate the user"
Article ID: 371955
Updated On:
Products
Issue/Introduction
Symptoms:
- Able to query the Azure domain from Users and Groups section.
- Able to assign Azure AD users permissions in vCenter.
- vCenter is configured with a proxy.
- Able to connect to the Azure via curl from the vCenter.
curl -vvv https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0/.well-known/openid-configuration --proxy xxx.xx.xxx.xx:xx
- You find a similar error in the
federation-service.log
/var/log/vmware/vc-ws1a-broker/federation-service.log
2024-06-26T13:48:18,151 ERROR vcenter.example.com:federation (vert.x-eventloop-thread-7) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationBaseService - Unable to load JWK keys io.netty.channel.ConnectTimeoutException: connection timed out: login.microsoftonline.com/xx.xxx.xx.xx:443 at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe$1.run(AbstractNioChannel.java:261) at io.netty.util.concurrent.PromiseTask.runTask(PromiseTask.java:98) at io.netty.util.concurrent.ScheduledFutureTask.run(ScheduledFutureTask.java:153) at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:174) at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:167) at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470) at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569) at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) at java.base/java.lang.Thread.run(Unknown Source)
Environment
VMware vCenter Server 8.0.2
Cause
A known issue where vCenter's Identity Source Federation service does not utilize the configured proxy settings on vCenter to communicate with Azure.
Resolution
This issue will be addressed in a future release of vCenter.
Workaround:
Allow outbound vCenter traffic with Azure Entra.
Feedback
