"Failed to create identity provider with IDP name Azure AD for tenant customer" error when configuring Microsoft Entra ID Federation on vCenter

"Failed to create identity provider with IDP name Azure AD for tenant customer" error when configuring Microsoft Entra ID Federation on vCenter

book

Article ID: 375739


Products

VMware vCenter Server 8.0, VMware vCenter Server

Issue/Introduction

  • Unable to add vCenter Server Identity Provider Federation for Microsoft Entra ID (formerly Azure AD). Reference: Configure vCenter Server Identity Provider Federation for Microsoft Entra ID.

  • The UI shows the following error:
    Failed to create identity provider with IDP name Azure AD for tenant customer


  • The certificates and the chain for login.microsoftonline.com have been published to the vCenter Certificate Management TRUSTED_ROOTS store.

  • vCenter has an HTTPS proxy configured with SSL interception enabled, or its outbound traffic passes through a Palo Alto Networks firewall with an SSL Decryption policy profile.

  • Error in /var/log/vmware/trustmanagement/trustmanagement-svcs.log:
    [tomcat-exec-2 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] API request CREATE_IDENTITY_PROVIDER to url http://localhost:1080/external-vecs/http1/########/443/federation/t/customer/broker/identity-providers returned unexpected response code 400 and the following error information: {"errors":[{"code":"oidc.config.api.validation.error","message":"Failed to retrieve OIDC endpoints from configuration url: https://login.microsoftonline.com/########/v2.0/.well-known/openid-configuration.","parameters":{"configUrl":"https://login.microsoftonline.com/########/v2.0/.well-known/openid-configuration"}}]}
    [tomcat-exec-2 [] ERROR com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] Failed to create identity provider with IDP name Azure AD for tenant customer on host ########
    [tomcat-exec-2 [] ERROR com.vmware.vcenter.trustmanagement.impl.AuthBrokerIdp  opId=] Rolling back 1 operations after error creating IDP: Failed to create identity provider with IDP name Azure AD for tenant customer on host ########
    [tomcat-exec-2 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] Deleted directory with ID #########  for tenant customer
    [tomcat-exec-2 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Failed to create Auth Broker IDP


  • Error in /var/log/vmware/vc-ws1a-broker/federation-service.log:
    INFO ########:federation (federation-business-pool-9) [CUSTOMER; ######## ;127.0.0.1 ######## ;-;-] com.vmware.vidm.federation.broker.BrokerIdentityProvidersServiceImpl - Creating Broker identity provider for 'Azure AD'
    INFO  ########:federation (vert.x-eventloop-thread-27) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - Client raised fatal(2) certificate_unknown(46) alert: Failed to process record org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
            at org.bouncycastle.jsse.provider.ProvSSLEngine.checkServerTrusted(ProvSSLEngine.java:154)
            at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(ProvTlsClient.java:360)
            at org.bouncycastle.tls.TlsUtils.processServerCertificate(TlsUtils.java:4834)
            at org.bouncycastle.tls.TlsClientProtocol.handleServerCertificate(TlsClientProtocol.java:797)
            at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(TlsClientProtocol.java:687)
            at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(TlsProtocol.java:711)
            at org.bouncycastle.tls.TlsProtocol.processRecord(TlsProtocol.java:587)
            at org.bouncycastle.tls.RecordStream.readFullRecord(RecordStream.java:207)
            at org.bouncycastle.tls.TlsProtocol.safeReadFullRecord(TlsProtocol.java:922)
            at org.bouncycastle.tls.TlsProtocol.offerInput(TlsProtocol.java:1364)
            at org.bouncycastle.jsse.provider.ProvSSLEngine.unwrap(ProvSSLEngine.java:481)
            at java.base/javax.net.ssl.SSLEngine.unwrap(Unknown Source)
            at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:309)
            at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1441)
            at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1334)
            at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1383)
            at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
            at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
            at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
            at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
            at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436)
            at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:253)
            at io.netty.handler.proxy.HttpProxyHandler$HttpClientCodecWrapper.channelRead(HttpProxyHandler.java:281)
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
            at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
            at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
            at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
            at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
            at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
    
    
    WARN   ########:federation (vert.x-eventloop-thread-27) [-;-;-;-;-;-] com.vmware.vidm.common.async.RetryCompletableFuture - Failed after max retries: 0 java.util.concurrent.CompletionException: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
            at java.base/java.util.concurrent.CompletableFuture.encodeRelay(Unknown Source)
            at java.base/java.util.concurrent.CompletableFuture.completeRelay(Unknown Source)
            at java.base/java.util.concurrent.CompletableFuture$UniRelay.tryFire(Unknown Source)
            at java.base/java.util.concurrent.CompletableFuture.postComplete(Unknown Source)
    
    
    Caused by: java.security.cert.CertificateException: No issuer certificate for certificate in certification path found.
            at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:318)
            at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkTrusted(ProvX509TrustManager.java:273)
            at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkServerTrusted(ProvX509TrustManager.java:188)
            at org.bouncycastle.jsse.provider.ProvSSLEngine.checkServerTrusted(ProvSSLEngine.java:150)

Environment

vCenter Server 8

Cause

The VIDB (vc-ws1a-broker) service, which communicates with Azure AD / Microsoft Entra ID, is an independent service that runs in a container inside vCenter Server and is not fully integrated with VECS. It uses its own Java keystore, so adding the certificate to TRUSTED_ROOTS does not make VIDB trust that endpoint.

Resolution

Add the Certificate Authority certificate(s) of the SSL-intercepting proxy or Palo Alto Networks firewall to the keystore used by the vCenter VIDB (vc-ws1a-broker) service:

vcsa# keytool -noprompt -storepass changeit -import -trustcacerts -file "<location of cert file on disk>" -alias <some alias> -keystore "<path to the store>"

Note

The hash value differs across deployments and the JRE version varies with the vCenter version. The keystore path has the form:

/storage/containers/vc-ws1a-broker/<HASH>/rootfs/usr/local/jre-17.0.10/lib/security/cacerts

Example:

vcsa# keytool -noprompt -storepass changeit -import -trustcacerts -file <path to certs> -alias MSFT -keystore /storage/containers/vc-ws1a-broker/########/rootfs/usr/local/jre-17.0.10/lib/security/cacerts

Note 2

The complete chain (leaf-signing CA, intermediates and root of the interception CA) must be added.

vcsa# cat domain.der intermediate.der root.der >> chain.crt

Restart the service:

vcsa# service-control --restart vc-ws1a-broker
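The resolution steps above, as an added example script that is not part of this KB article and not VMware's code: it locates the broker container's cacerts file (globbing the <HASH> directory and JRE version, which the article says vary per deployment), splits a PEM bundle of the interception CA chain into one file per certificate, imports each under its own alias, checks that each alias is present, and restarts vc-ws1a-broker. It imports the certificates one at a time because keytool -importcert stores only the first certificate it reads from a file, so a concatenated bundle would otherwise leave the rest of the chain out of the store. Assumptions: the container path layout and the "changeit" store password quoted above, that the chain is supplied as a PEM bundle, and (for show_presented_chain only) the proxy's host:port; the function names, the proxy-ca-N aliases and the /tmp/proxy-ca-split working directory are this example's own choices, and the bundle written by write_sample_bundle is constructed and contains no real certificates.

```shell
#!/bin/sh
# Added example, not part of the KB article: import an SSL-interception CA chain
# into the truststore of the vc-ws1a-broker (VIDB) container, one alias per
# certificate, verify each import, then restart the service.
# Assumptions: the container path layout and "changeit" store password quoted in
# the KB; the chain is a PEM bundle; the proxy is given as host:port.

# Show the chain the proxy actually presents for the Entra endpoint, so the
# interception CA can be identified before anything is imported.
show_presented_chain() {
    proxy="${1:?proxy host:port}"
    openssl s_client -proxy "$proxy" -connect login.microsoftonline.com:443 \
        -servername login.microsoftonline.com -showcerts </dev/null 2>/dev/null \
        | grep -E '^ *[0-9]+ s:|^ *i:'
}

# Locate cacerts under the broker container root. The <HASH> directory and the
# JRE version differ between deployments, so glob rather than hard-code them.
find_broker_cacerts() {
    base="${1:-/storage/containers/vc-ws1a-broker}"
    set -- "$base"/*/rootfs/usr/local/jre-*/lib/security/cacerts
    [ -f "$1" ] || return 1
    printf '%s\n' "$1"
}

# Split a PEM bundle into chain-1.pem, chain-2.pem, ... inside $2 and print the
# certificate count. keytool -importcert stores only the first certificate in a
# file, so a concatenated bundle must be split before import.
split_pem_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    rm -f "$outdir"/chain-*.pem
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Import every split certificate under its own alias (proxy-ca-1, proxy-ca-2, ...)
# and confirm with keytool -list that the alias is really in the store.
import_chain() {
    keystore="$1"; certdir="$2"; prefix="${3:-proxy-ca}"
    i=1
    while [ -f "$certdir/chain-$i.pem" ]; do
        keytool -noprompt -storepass changeit -importcert -trustcacerts \
            -file "$certdir/chain-$i.pem" -alias "$prefix-$i" -keystore "$keystore"
        keytool -list -storepass changeit -alias "$prefix-$i" -keystore "$keystore" >/dev/null
        i=$((i + 1))
    done
}

# Constructed sample bundle (not real certificates) so the split logic can be
# exercised without touching a live keystore.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUk9PVA==
-----END CERTIFICATE-----
EOF
}

# Usage on the vCSA:  sh import-proxy-ca.sh chain.crt
# With no argument the script only runs the offline self-check on the sample.
if [ "$#" -gt 0 ]; then
    ks=$(find_broker_cacerts) || { echo "broker cacerts not found" >&2; exit 1; }
    n=$(split_pem_chain "$1" /tmp/proxy-ca-split)
    echo "importing $n certificate(s) into $ks"
    import_chain "$ks" /tmp/proxy-ca-split
    service-control --restart vc-ws1a-broker
else
    tmp=$(mktemp -d)
    write_sample_bundle "$tmp/chain.crt"
    echo "sample bundle contains $(split_pem_chain "$tmp/chain.crt" "$tmp/split") certificate(s)"
fi
```

Copy the bundle to the appliance and run `sh import-proxy-ca.sh chain.crt`; keytool operates on the container's cacerts directly because the store is a plain file under the container rootfs on the host. The `keytool -list` call after each import is the check that the alias actually landed, and `show_presented_chain proxy.example.internal:3128` (host:port assumed) lists the issuer lines of whatever chain the proxy hands out, which is where the interception CA that has to be trusted shows up.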