Attempting to log in to vCenter Server using ADFS fails with the error "Unable to login because you do not have permissions on any vCenter Server" in the vSphere Client. The following symptoms are observed:
* Users from other AD groups can log in successfully, but none of the users from one particular AD group can log in.
* The KB "Unable to login because you do not have permissions on any vCenter Server" in vSphere Client while using ADFS has been followed and verified not to be the cause.
* Verify that the following KB has been followed: How to enable OpenID Connect in ADFS 2016 for vCenter Server
* Verify that the AD group has been added to the SSO Administrators group (see the KB for your version):
  vCenter Server 7.0
  vCenter Server 8.0
Inspecting the JWT token returned by ADFS shows that the AD group the user belongs to is not present in the token.
NOTE: To extract the group information from the JWT token, see "How to translate the token by using token ID on the website" in:
vmware.com/docs/vmware-adfs-integration-troubleshooting-common-issues
For the purpose of this KB, there is an AD user who is a member of four AD groups:
Domain Users
Example
ExampleONE
ExampleTWO
The AD group Example has been added to the SSO Administrators group in vCenter, and the AD user who fails to log in is a member of that group (as well as of Domain Users, ExampleONE and ExampleTWO, which have not been added to the SSO Administrators group).
Looking at the translated JWT token, the AD group "Example" is not returned in the token; only the three groups that were not granted access appear:
  {
    "upn": "[email protected]",
    "group": [
      "example.local\\Domain Users",
      "example.local\\ExampleTWO",
      "example.local\\ExampleONE"
    ]
  }
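As an added illustration (this script is not part of the KB or of any VMware tooling), the following Python decodes the payload of a JWT the way the "translate the token" step does and checks whether the groups granted access in vCenter SSO appear in its group claim. The token is constructed locally from claims modelled on the one above, with a placeholder UPN and a dummy signature; the function names are this example's own assumptions.

```python
import base64
import json

# Constructed sample claims modelled on the token in this KB. The UPN is a
# placeholder; the group list is the one shown above (the "Example" group,
# which was granted SSO Administrators membership, is absent).
SAMPLE_CLAIMS = {
    "upn": "user@example.local",
    "group": [
        "example.local\\Domain Users",
        "example.local\\ExampleTWO",
        "example.local\\ExampleONE",
    ],
}


def b64url_encode(data: bytes) -> str:
    """Base64url without the '=' padding that JWT segments omit."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding before decoding a JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(claims: dict) -> str:
    """Assemble header.payload.signature for the demo. The signature is a
    dummy because this script only reads claims and never trusts the token."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


SAMPLE_TOKEN = build_sample_token(SAMPLE_CLAIMS)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the
    signature. Acceptable for reading a token you already hold while
    troubleshooting, never for making an access decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def groups_from_claims(claims: dict) -> list:
    """Normalise the 'group' claim to a list of lower-cased names. ADFS emits
    a bare string instead of an array when the user has exactly one group."""
    groups = claims.get("group", [])
    if isinstance(groups, str):
        groups = [groups]
    return [g.lower() for g in groups]


def check_sso_groups(token: str, sso_groups: list) -> dict:
    """Compare the groups granted access in vCenter SSO against the token.
    Any name listed under 'missing' cannot grant the user access, no matter
    what is configured on the vCenter side, because ADFS never sent it."""
    claims = decode_claims(token)
    present = set(groups_from_claims(claims))
    return {
        "upn": claims.get("upn"),
        "matched": [g for g in sso_groups if g.lower() in present],
        "missing": [g for g in sso_groups if g.lower() not in present],
    }


if __name__ == "__main__":
    # For a real case, paste the id_token captured from the browser in place
    # of SAMPLE_TOKEN and list the groups you added to SSO Administrators.
    report = check_sso_groups(SAMPLE_TOKEN, ["example.local\\Example"])
    print(json.dumps(report, indent=2))
```

Run as-is, the report lists "example.local\\Example" under "missing", which is exactly the situation this KB describes. On the AD side, the ActiveDirectory PowerShell module's Get-ADGroup cmdlet returns a GroupScope property (DomainLocal, Global or Universal) for the group, which is the quickest way to confirm the cause below before recreating anything.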
This can happen if the scope of the AD group has been configured as a local (Domain Local) group.
Local groups do not work because ADFS does not include them in the token it issues, so vCenter never sees the membership.
* Recreate the AD group with a non-local scope (Global or Universal).
* Alternatively, add the AD user to one of the AD groups that is already returned in the JWT token.