/var/log/vmware/sso/tokenservice.log
YY-MM-DDTHH:MM:SS ERROR tokenservice[66:tomcat-http--28] [CorId=<UUID> OpId=] [com.vmware.vcenter.tokenservice.vapi.TokenExchangeProviderImpl] Exchange failed due to invalid grant:
com.vmware.vcenter.tokenservice.exceptions.InvalidGrant: User UPN in access token ({Name: <domain-user-name>, Domain: example1.com}) does not match user UPN in id token ({Name: <domain-user-name>, Domain: example2.com}).

YY-MM-DDTHH:MM:SS ERROR tokenservice[80:tomcat-http--42] [CorId=<UUID> OpId=] [com.vmware.vcenter.tokenservice.vapi.TokenExchangeProviderImpl] Exchange failed due to invalid grant:com.vmware.vcenter.tokenservice.exceptions.InvalidGrant: User UPN in access token ({Name: <domain-user-name>, Domain: example2.com}) does not match user UPN in id token ({Name: <domain-user-name>, Domain: example1.com}).
The token service rejects the exchange because the UPN carried in the access token and the UPN carried in the ID token name different domains for the same account. Update the ADFS custom claim rules with the rules below: they look up the user's sAMAccountName, build a UPN with the fixed suffix @example1.com, and issue that same value as both the nameidentifier and the upn claim, so both tokens carry an identical UPN.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("custsAMAccountName"), query = ";sAMAccountName;{0}", param = c.Value);
c:[Type == "custsAMAccountName"] => add(Type = "custUPN", Value = c.Value + "@example1.com");
c:[Type == "custUPN"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value);
c:[Type == "custUPN"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value = c.Value);
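To triage this condition before and after changing the claim rules, it helps to pull every InvalidGrant mismatch out of tokenservice.log and see which domain suffixes the identity provider is mixing. The script below is an added example, not code from the original article or from VMware: it splits the log into records at each timestamp (a record may wrap onto several lines, as the excerpt above does), extracts the access-token and ID-token UPNs with a regular expression, and, because the claim rules above hard-code the @example1.com suffix, also flags any record whose token UPN carries a different suffix. The sample log records, correlation IDs and user names are constructed; the expected-suffix value is an assumption taken from the rules above.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the tokenservice.log format shown above.
# Timestamps, CorId values and user names are made up for this example.
SAMPLE_LOG = """\
2024-05-01T10:15:01 INFO tokenservice[66:tomcat-http--27] [CorId=11111111-1111-1111-1111-111111111111 OpId=] [com.vmware.vcenter.tokenservice.vapi.TokenExchangeProviderImpl] Exchange succeeded
2024-05-01T10:15:02 ERROR tokenservice[66:tomcat-http--28] [CorId=22222222-2222-2222-2222-222222222222 OpId=] [com.vmware.vcenter.tokenservice.vapi.TokenExchangeProviderImpl] Exchange failed due to invalid grant:
com.vmware.vcenter.tokenservice.exceptions.InvalidGrant: User UPN in access token ({Name: jdoe, Domain: example1.com}) does not match user UPN in id token ({Name: jdoe, Domain: example2.com}).
2024-05-01T10:16:40 ERROR tokenservice[80:tomcat-http--42] [CorId=33333333-3333-3333-3333-333333333333 OpId=] [com.vmware.vcenter.tokenservice.vapi.TokenExchangeProviderImpl] Exchange failed due to invalid grant:com.vmware.vcenter.tokenservice.exceptions.InvalidGrant: User UPN in access token ({Name: asmith, Domain: example2.com}) does not match user UPN in id token ({Name: asmith, Domain: example1.com}).
"""

# A record begins at a line that starts with an ISO-style timestamp.
RECORD_START = re.compile(r"^(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})", re.MULTILINE)
CORID = re.compile(r"CorId=([0-9a-fA-F-]+)")
# Matches the InvalidGrant message and captures both (Name, Domain) pairs.
MISMATCH = re.compile(
    r"User UPN in access token \(\{Name:\s*(?P<a_name>[^,}]*?)\s*,\s*Domain:\s*(?P<a_dom>[^}]*?)\s*\}\)"
    r"\s*does not match user UPN in id token \(\{Name:\s*(?P<i_name>[^,}]*?)\s*,\s*Domain:\s*(?P<i_dom>[^}]*?)\s*\}\)"
)


@dataclass(frozen=True)
class UpnMismatch:
    timestamp: str
    cor_id: str
    access_upn: str
    id_upn: str


def split_records(log_text: str) -> list[str]:
    """Split the log into records and collapse each record onto one line."""
    parts = RECORD_START.split(log_text)
    return [" ".join(p.split()) for p in parts if p.strip()]


def find_upn_mismatches(log_text: str) -> list[UpnMismatch]:
    """Return one UpnMismatch per InvalidGrant record found in the log."""
    results = []
    for rec in split_records(log_text):
        m = MISMATCH.search(rec)
        if not m:
            continue
        cor = CORID.search(rec)
        results.append(UpnMismatch(
            timestamp=rec.split(" ", 1)[0],
            cor_id=cor.group(1) if cor else "",
            access_upn=f"{m['a_name']}@{m['a_dom']}",
            id_upn=f"{m['i_name']}@{m['i_dom']}",
        ))
    return results


def domains_in_conflict(mismatches: list[UpnMismatch]) -> set[tuple[str, str]]:
    """Distinct (access-token domain, id-token domain) pairs seen in the mismatches."""
    return {(x.access_upn.split("@", 1)[1], x.id_upn.split("@", 1)[1]) for x in mismatches}


def unexpected_suffixes(mismatches: list[UpnMismatch], expected_suffix: str) -> list[UpnMismatch]:
    """Records where either token's UPN does not end with the suffix the claim rules issue."""
    return [x for x in mismatches
            if not (x.access_upn.endswith("@" + expected_suffix) and x.id_upn.endswith("@" + expected_suffix))]


if __name__ == "__main__":
    found = find_upn_mismatches(SAMPLE_LOG)
    for mm in found:
        print(f"{mm.timestamp} CorId={mm.cor_id}: access={mm.access_upn} id={mm.id_upn}")
    print("domain pairs in conflict:", domains_in_conflict(found))
    # "example1.com" is the suffix hard-coded in the claim rules above (assumed here).
    print("records with a suffix other than example1.com:", len(unexpected_suffixes(found, "example1.com")))
```

After the claim rules are corrected, rerunning the script against a fresh copy of the log should return no mismatches; if records still appear, the domain pairs it reports show which token is still being issued with a suffix other than the one the rules build.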