"Failed to create identity provider with IDP name Azure AD for tenant customer" error when configuring Microsoft Entra ID Federation on vCenter

Article ID: 375739


Products

VMware vCenter Server 8.0

Issue/Introduction

- Unable to add a vCenter Server Identity Provider Federation for Microsoft Entra ID (formerly Azure AD).

- The UI shows the error "Failed to create identity provider with IDP name Azure AD for tenant customer".

- vCenter has an HTTPS proxy configured that performs SSL/TLS interception, or its outbound traffic passes through a Palo Alto Networks firewall with an SSL Decryption policy profile applied.

trustmanagement-svcs.log:

#####-##-##T##:##:##.####Z [tomcat-exec-2 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] API request CREATE_IDENTITY_PROVIDER to url http://localhost:1080/external-vecs/http1/########/443/federation/t/customer/broker/identity-providers returned unexpected response code 400 and the following error information: {"errors":[{"code":"oidc.config.api.validation.error","message":"Failed to retrieve OIDC endpoints from configuration url: https://login.microsoftonline.com/########/v2.0/.well-known/openid-configuration.","parameters":{"configUrl":"https://login.microsoftonline.com/########/v2.0/.well-known/openid-configuration"}}]}
####-##-##T##:##:##.###Z [tomcat-exec-2 [] ERROR com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] Failed to create identity provider with IDP name Azure AD for tenant customer on host ########
####-##-##T##:##:##.###Z [tomcat-exec-2 [] ERROR com.vmware.vcenter.trustmanagement.impl.AuthBrokerIdp  opId=] Rolling back 1 operations after error creating IDP: Failed to create identity provider with IDP name Azure AD for tenant customer on host ########
####-##-##T:##:##.###Z [tomcat-exec-2 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] Deleted directory with ID #########  for tenant customer
####-##-##T##:##:##.###Z [tomcat-exec-2 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Failed to create Auth Broker IDP

- The federation-service.log reports a certificate validation failure while connecting to login.microsoftonline.com:

####-##-##T##:##:##,### INFO ########:federation (federation-business-pool-9) [CUSTOMER; ######## ;127.0.0.1 ######## ;-;-] com.vmware.vidm.federation.broker.BrokerIdentityProvidersServiceImpl - Creating Broker identity provider for 'Azure AD'
####-##-##T##:##:##,###INFO  ########:federation (vert.x-eventloop-thread-27) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - Client raised fatal(2) certificate_unknown(46) alert: Failed to process record org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
        at org.bouncycastle.jsse.provider.ProvSSLEngine.checkServerTrusted(ProvSSLEngine.java:154)
        at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(ProvTlsClient.java:360)
        at org.bouncycastle.tls.TlsUtils.processServerCertificate(TlsUtils.java:4834)
        at org.bouncycastle.tls.TlsClientProtocol.handleServerCertificate(TlsClientProtocol.java:797)
        at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(TlsClientProtocol.java:687)
        at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(TlsProtocol.java:711)
        at org.bouncycastle.tls.TlsProtocol.processRecord(TlsProtocol.java:587)
        at org.bouncycastle.tls.RecordStream.readFullRecord(RecordStream.java:207)
        at org.bouncycastle.tls.TlsProtocol.safeReadFullRecord(TlsProtocol.java:922)
        at org.bouncycastle.tls.TlsProtocol.offerInput(TlsProtocol.java:1364)
        at org.bouncycastle.jsse.provider.ProvSSLEngine.unwrap(ProvSSLEngine.java:481)
        at java.base/javax.net.ssl.SSLEngine.unwrap(Unknown Source)
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:309)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1441)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1334)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1383)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436)
        at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:253)
        at io.netty.handler.proxy.HttpProxyHandler$HttpClientCodecWrapper.channelRead(HttpProxyHandler.java:281)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)


####-##-##T##:##:##,###WARN   ########:federation (vert.x-eventloop-thread-27) [-;-;-;-;-;-] com.vmware.vidm.common.async.RetryCompletableFuture - Failed after max retries: 0 java.util.concurrent.CompletionException: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
        at java.base/java.util.concurrent.CompletableFuture.encodeRelay(Unknown Source)
        at java.base/java.util.concurrent.CompletableFuture.completeRelay(Unknown Source)
        at java.base/java.util.concurrent.CompletableFuture$UniRelay.tryFire(Unknown Source)
        at java.base/java.util.concurrent.CompletableFuture.postComplete(Unknown Source)


Caused by: java.security.cert.CertificateException: No issuer certificate for certificate in certification path found.
        at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:318)
        at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkTrusted(ProvX509TrustManager.java:273)
        at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkServerTrusted(ProvX509TrustManager.java:188)
        at org.bouncycastle.jsse.provider.ProvSSLEngine.checkServerTrusted(ProvSSLEngine.java:150)

- The certificate chain for login.microsoftonline.com has already been imported into the vCenter Certificate Management TRUSTED_ROOTS store, yet the error persists.

Environment

vCenter 8

Cause

The VIDB service (vc-ws1a-broker), which communicates with Microsoft Entra ID (Azure AD), is an independent service that runs in a container inside vCenter Server and is not fully integrated with VECS. It validates TLS connections against its own Java keystore, so adding the interception CA certificate to the VECS TRUSTED_ROOTS store does not make VIDB trust the endpoint.
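The following script is an added example for confirming this cause before changing any keystore; it is not part of the KB article. It does two things: classify log text against the two signatures quoted above (a constructed, shortened copy of those lines is embedded for testing), and, when run with --live on the VCSA shell, print the subject/issuer of every certificate that login.microsoftonline.com presents when reached through the proxy. The proxy host:port argument is an assumption you supply; an issuer that is your proxy or firewall CA rather than a public CA confirms that the broker is being shown an intercepted chain.

```shell
#!/bin/sh
# Added example (not the KB's own tooling): triage the log signatures from the
# article and show which CA a proxy presents for login.microsoftonline.com.

# Constructed sample, shortened from the trustmanagement-svcs.log and
# federation-service.log lines quoted in the article (hostnames are placeholders).
SAMPLE_LOG='2024-01-01T00:00:00.000Z [tomcat-exec-2 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] API request CREATE_IDENTITY_PROVIDER to url http://localhost:1080/external-vecs/http1/vc01/443/federation/t/customer/broker/identity-providers returned unexpected response code 400 and the following error information: {"errors":[{"code":"oidc.config.api.validation.error","message":"Failed to retrieve OIDC endpoints from configuration url: https://login.microsoftonline.com/tenant/v2.0/.well-known/openid-configuration."}]}
2024-01-01T00:00:00,000INFO  vc01:federation (vert.x-eventloop-thread-27) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - Client raised fatal(2) certificate_unknown(46) alert: Failed to process record org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
Caused by: java.security.cert.CertificateException: No issuer certificate for certificate in certification path found.'

# classify_idp_failure: read log text on stdin and print one verdict token.
#   untrusted_issuer  -> the broker rejected the chain it was shown (this article)
#   oidc_fetch_failed -> discovery fetch failed for another reason (DNS, proxy auth, ...)
#   no_signature      -> none of the known patterns matched
classify_idp_failure() {
  input=$(cat)
  if printf '%s\n' "$input" | grep -q 'certificate_unknown(46)' &&
     printf '%s\n' "$input" | grep -q 'No issuer certificate for certificate in certification path found'; then
    echo untrusted_issuer
  elif printf '%s\n' "$input" | grep -q 'oidc.config.api.validation.error'; then
    echo oidc_fetch_failed
  else
    echo no_signature
  fi
}

# show_presented_chain PROXY_HOST:PORT: print subject (s:) and issuer (i:) of each
# certificate the endpoint presents through the proxy. Needs OpenSSL >= 1.1.0 for
# -proxy. Compare the top-most issuer with your proxy/firewall CA.
show_presented_chain() {
  openssl s_client -proxy "$1" -connect login.microsoftonline.com:443 \
    -servername login.microsoftonline.com -showcerts </dev/null 2>/dev/null |
    grep -E '^ *[0-9]+ s:|^ *i:'
}

# Live usage on the VCSA shell (proxy address is an assumption):
#   sh triage.sh --live proxy.example.com:3128
if [ "${1:-}" = "--live" ]; then
  show_presented_chain "${2:?proxy host:port required}"
fi
```

Pipe the real log files into classify_idp_failure (for example `cat federation-service.log trustmanagement-svcs.log | sh -c '. ./triage.sh; classify_idp_failure'`) to get the same verdict on a live system.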

Resolution

Add the SSL interception Certificate Authority certificate(s) of the proxy or Palo Alto Networks firewall to the Java keystore used by the vCenter VIDB (vc-ws1a-broker) service:

vcsa# keytool -noprompt -storepass <store password> -import -trustcacerts -file "<location to cert file on disk>"  -alias <some alias> -keystore "path to the store"

Note 1

The keystore lives inside the broker container. The hash in the directory name differs across deployments, and the JRE version varies with the vCenter version:

/storage/containers/vc-ws1a-broker/<HASH>/rootfs/usr/local/jre-17.0.10/lib/security/cacerts

Example:

vcsa# keytool -noprompt -storepass <store password> -import -trustcacerts -file <path to certs>  -alias MSFT -keystore /storage/containers/vc-ws1a-broker/########/rootfs/usr/local/jre-17.0.10/lib/security/cacerts

Note 2

The complete chain (the interception CA plus any intermediate and root certificates above it) must be added.

vcsa# cat domain.der intermediate.der root.der >> chain.crt

Restart the service:

vcsa# service-control --restart vc-ws1a-broker
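The script below is an added example that carries the resolution steps through end to end; it is not the KB's own procedure. It assumes the cacerts path layout shown in Note 1 (the hash directory is resolved by glob), a PEM-encoded chain file, and an alias prefix of your choosing. Because keytool's -importcert reads only the first certificate in a file, a concatenated chain.crt is first split into one file per certificate and each is imported under its own alias; aliases that already exist are skipped so the script can be re-run safely.

```shell
#!/bin/sh
# Added example (not the KB's own script): import every certificate of a PEM
# chain into the vc-ws1a-broker JRE trust store, one alias per certificate.

# split_pem_bundle BUNDLE OUTDIR: write each certificate in BUNDLE to
# OUTDIR/cert-N.pem and print how many were written. Text outside the
# BEGIN/END markers is ignored.
split_pem_bundle() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }
  ' "$bundle"
}

# broker_cacerts: locate the broker container trust store (assumed layout
# from Note 1; the hash directory and JRE version are resolved by glob).
broker_cacerts() {
  set -- /storage/containers/vc-ws1a-broker/*/rootfs/usr/local/jre-*/lib/security/cacerts
  [ -f "$1" ] && printf '%s\n' "$1"
}

# import_chain BUNDLE KEYSTORE STOREPASS [ALIAS_PREFIX]: import each certificate
# of BUNDLE as a trusted entry, then list the resulting aliases for verification.
import_chain() {
  bundle=$1; keystore=$2; storepass=$3; prefix=${4:-proxy-ca}
  tmp=$(mktemp -d)
  count=$(split_pem_bundle "$bundle" "$tmp")
  i=1
  while [ "$i" -le "$count" ]; do
    alias="$prefix-$i"
    if keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1; then
      echo "alias $alias already present, skipping"
    else
      keytool -noprompt -importcert -trustcacerts -keystore "$keystore" -storepass "$storepass" \
        -alias "$alias" -file "$tmp/cert-$i.pem"
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  keytool -list -keystore "$keystore" -storepass "$storepass" | grep "^$prefix-"
}

# Live usage on the VCSA shell (chain file and store password are assumptions):
#   sh import_chain.sh --live /root/chain.crt changeit
if [ "${1:-}" = "--live" ]; then
  store=$(broker_cacerts) || { echo "broker cacerts not found" >&2; exit 1; }
  import_chain "${2:?chain file required}" "$store" "${3:?store password required}"
  service-control --restart vc-ws1a-broker
fi
```

If your chain files are DER-encoded, convert each with `openssl x509 -inform der -in file.der -out file.pem` before concatenating them into the bundle; the splitter only recognises PEM markers.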