"InvalidGrant: User UPN in access token does not match user UPN in id token" ADFS authentication does not work for one of the UPN after VC patching to 8.0U2b

Article ID: 377632


Updated On: 03-27-2025

Products

VMware vCenter Server 8.0

Issue/Introduction

  • After vCenter Server is upgraded, users from one of the two UPN domains are unable to authenticate.

  • In vCenter Server, the following log snippets appear in /var/log/vmware/sso/tokenservice.log:

    YY-MM-DDTHH:MM:SS ERROR tokenservice[66:tomcat-http--28] [CorId=<UUID> OpId=] [com.vmware.vcenter.tokenservice.vapi.TokenExchangeProviderImpl] Exchange failed due to invalid grant:
    com.vmware.vcenter.tokenservice.exceptions.InvalidGrant: User UPN in access token ({Name: <domain-user-name>, Domain: example1.com}) does not match user UPN in id token ({Name: <domain-user-name>, Domain: example2.com}).

    YY-MM-DDTHH:MM:SS ERROR tokenservice[80:tomcat-http--42] [CorId=<UUID> OpId=] [com.vmware.vcenter.tokenservice.vapi.TokenExchangeProviderImpl] Exchange failed due to invalid grant:
    com.vmware.vcenter.tokenservice.exceptions.InvalidGrant: User UPN in access token ({Name: <domain-user-name>, Domain: example1.com}}) does not match user UPN in id token ({Name: <domain-user-name>, Domain: example2.com}}).

Resolution

Update the ADFS custom claim rules using the steps below:

  1. Log in to the ADFS Windows Server. In Server Manager, click Tools and then select AD FS Management.
  2. In the console under AD FS, click on Application Groups > Web API
  3. Under Web API select the ADFS Web API and click on Edit
  4. Under Add Transform Claim Rule > Select Configure Claim Rule
  5. Subject Rule
    • Click Add Rule
    • Under Claim rule template, select the option Send Claims Using a Custom Rule
  6. Make sure the following four claim rules are created as shown in the examples below. The claim rule names can be chosen as desired.

    • Claim Rule 1:

      • c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => add(store = "Active Directory", types = ("custsAMAccountName"), query = ";sAMAccountName;{0}", param = c.Value);

    • Claim Rule 2:

      • c:[Type == "custsAMAccountName"] => add(Type = "custUPN", Value = c.Value + "@example1.com");

      • Note: Replace example1.com with the respective domain name.

    • Claim Rule 3:

      • c:[Type == "custUPN"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value);

    • Claim Rule 4:

      • c:[Type == "custUPN"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value = c.Value);

  7. Retry vCenter authentication for both UPNs; domain users from both UPNs should now be able to access the vCenter Server.

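The same four claim rules can be applied and verified from PowerShell on the AD FS server instead of the AD FS Management console. This is an added example, not part of the KB article; it assumes the AD FS PowerShell module is present, that the Web API identifier placeholder is replaced with the identifier vCenter is registered under, and that example1.com is replaced with the respective domain name as the steps above instruct.

```powershell
# Added example (not from the KB): apply the four custom claim rules to the vCenter
# Web API application and read the rule set back to confirm they were stored.
Import-Module ADFS

$webApiIdentifier = '<vcenter-web-api-identifier>'   # placeholder: the Web API identifier vCenter uses
$upnSuffix        = 'example1.com'                   # replace with the respective domain name

# The four rules exactly as in the KB steps; the @RuleName values are chosen freely.
$claimRules = @"
@RuleName = "Rule 1 - look up sAMAccountName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("custsAMAccountName"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Rule 2 - build UPN from sAMAccountName"
c:[Type == "custsAMAccountName"]
 => add(Type = "custUPN", Value = c.Value + "@$upnSuffix");

@RuleName = "Rule 3 - issue nameidentifier"
c:[Type == "custUPN"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value);

@RuleName = "Rule 4 - issue upn"
c:[Type == "custUPN"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value = c.Value);
"@

# Set-AdfsWebApiApplication replaces the whole issuance transform rule set,
# so keep whatever rules the Web API already has and append the four new ones.
$app      = Get-AdfsWebApiApplication -Identifier $webApiIdentifier
$existing = [string]$app.IssuanceTransformRules
$combined = if ($existing.Trim()) { $existing.TrimEnd() + "`n`n" + $claimRules } else { $claimRules }

Set-AdfsWebApiApplication -TargetIdentifier $webApiIdentifier -IssuanceTransformRules $combined

# Verification: all four rule names must be present in the stored rule set.
$stored = (Get-AdfsWebApiApplication -Identifier $webApiIdentifier).IssuanceTransformRules
foreach ($name in 'Rule 1 - look up sAMAccountName', 'Rule 2 - build UPN from sAMAccountName',
                  'Rule 3 - issue nameidentifier', 'Rule 4 - issue upn') {
    if ($stored -notmatch [regex]::Escape($name)) { Write-Error "Claim rule '$name' was not stored." }
}
```

After the rules are in place, retry the vCenter login for both UPNs and confirm that tokenservice.log no longer reports the InvalidGrant UPN mismatch.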

Additional Information