Following successful Azure SCIM provisioning access to vCenter fails when attempting to login using AD user Entra ID login
Article ID: 383210

Updated On:

Products

VMware vCenter Server

Issue/Introduction

The AD user is a member of the Azure group.
The Azure group has been provisioned to vCenter, but the AD user is unable to log in and receives the following error:

Unable to login because you do not have permission on any vCenter Server systems connected to this client


Environment

vCenter 8.u2 

Cause

The authenticating user is in the domain user-domain.com, but the group provisioned from Azure is in the domain group-domain.com.

If the user's domain differs from the domain of the provisioned group, SSO login does not authenticate the user and the error above is observed.

Example:

group domain -> group-domain.com
user domain -> user-domain.com


Log file: /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log

The SSO token is acquired successfully:

[2024-11-26T11:21:29.225Z] [INFO ] p-nio-127.0.0.1-5090-exec-27 000000 000000 000000 00000 com.vmware.vsphere.client.security.sso.SsoAuthenticationHandler   u1@user-domain.com has clientId=123456. Use that clientId to track user activities below.
[2024-11-26T11:21:29.227Z] [INFO ] p-nio-127.0.0.1-5090-exec-27 000000 000000 123456 com.vmware.vsphere.client.security.sso.SsoAuthenticationHandler   SSO authentication successful for sessionId 111111, clientId 123456

[2024-11-26T11:21:29.408Z] [INFO ] agw-token-acq77              0000000 ###### 123456 com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl           Successfully acquired token for user: {Name: u1, Domain: user-domain.com}


The vCenter login for the same clientId then fails with NoPermission:

[2024-11-26T11:21:29.425Z] [INFO ] im-authentication-pool-#### 000000 000000 123456 com.vmware.vise.vim.commons.vcservice.impl.LinkedVcGroupImpl      VC Login results:
Failed VCs: []
[2024-11-26T11:21:29.425Z] [ERROR] im-authentication-pool-#### 000000 000000 123456 com.vmware.vsphere.client.security.VimAuthenticationHandler       Connection failure to vc https://vcenterFQDN:443/sdk com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied.
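The two log lines that identify this condition are the SecurityTokenServiceImpl line (which reveals the domain the user actually authenticated from) and the VimAuthenticationHandler NoPermission line carrying the same clientId. The following script is an added example, not part of this article or of any VMware tooling: it correlates those two lines by clientId in a vsphere_client_virgo.log excerpt and reports users whose token domain does not match the domain of the group provisioned from Entra ID. The sample log text is constructed from the excerpt above (with a second, healthy clientId 654321 added for contrast), and the group domain is passed in by the operator.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the vsphere_client_virgo.log lines quoted in the article.
# clientId 123456: token issued for user-domain.com, then NoPermission (the KB scenario).
# clientId 654321: token issued for group-domain.com, no failure (healthy login).
SAMPLE_LOG = """\
[2024-11-26T11:21:29.225Z] [INFO ] p-nio-127.0.0.1-5090-exec-27 000000 000000 000000 00000 com.vmware.vsphere.client.security.sso.SsoAuthenticationHandler   u1@user-domain.com has clientId=123456. Use that clientId to track user activities below.
[2024-11-26T11:21:29.408Z] [INFO ] agw-token-acq77              0000000 ###### 123456 com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl           Successfully acquired token for user: {Name: u1, Domain: user-domain.com}
[2024-11-26T11:21:29.425Z] [ERROR] im-authentication-pool-#### 000000 000000 123456 com.vmware.vsphere.client.security.VimAuthenticationHandler       Connection failure to vc https://vcenterFQDN:443/sdk com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied.
[2024-11-26T11:25:02.101Z] [INFO ] agw-token-acq78              0000000 ###### 654321 com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl           Successfully acquired token for user: {Name: u2, Domain: group-domain.com}
[2024-11-26T11:25:02.130Z] [INFO ] p-nio-127.0.0.1-5090-exec-28 000000 000000 654321 com.vmware.vsphere.client.security.sso.SsoAuthenticationHandler   SSO authentication successful for sessionId 222222, clientId 654321
"""

# The token immediately before the logger class name is the clientId in this log format.
TOKEN_RE = re.compile(
    r"\s(?P<client_id>\S+) com\.vmware\.vim\.sso\.client\.impl\.SecurityTokenServiceImpl\s+"
    r"Successfully acquired token for user: \{Name: (?P<name>[^,]+), Domain: (?P<domain>[^}]+)\}"
)
NOPERM_RE = re.compile(
    r"\s(?P<client_id>\S+) com\.vmware\.vsphere\.client\.security\.VimAuthenticationHandler\s+"
    r"Connection failure to vc \S+ com\.vmware\.vim\.binding\.vim\.fault\.NoPermission"
)


def find_domain_mismatches(log_text: str, group_domain: str) -> List[Dict[str, str]]:
    """Return one record per clientId whose SSO token was issued for a domain other
    than group_domain and whose subsequent vCenter login failed with NoPermission."""
    tokens: Dict[str, Dict[str, str]] = {}
    failed: set = set()
    for line in log_text.splitlines():
        m = TOKEN_RE.search(line)
        if m:
            tokens[m["client_id"]] = {
                "user": m["name"].strip(),
                "user_domain": m["domain"].strip(),
            }
            continue
        m = NOPERM_RE.search(line)
        if m:
            failed.add(m["client_id"])

    findings: List[Dict[str, str]] = []
    for client_id in sorted(failed):
        info = tokens.get(client_id)
        if info is None:
            # NoPermission without a token line for this clientId is a different problem
            # (e.g. a genuinely missing role assignment), so it is not reported here.
            continue
        if info["user_domain"].lower() != group_domain.lower():
            findings.append({
                "client_id": client_id,
                "user": info["user"],
                "user_domain": info["user_domain"],
                "group_domain": group_domain,
            })
    return findings


if __name__ == "__main__":
    # The group domain is whatever Entra ID provisioned into vCenter; it is an input here.
    for f in find_domain_mismatches(SAMPLE_LOG, "group-domain.com"):
        print(f"clientId {f['client_id']}: user {f['user']} authenticated from "
              f"{f['user_domain']} but the provisioned group is in {f['group_domain']}")
```

Run it against a copy of vsphere_client_virgo.log by reading the file into `find_domain_mismatches` in place of `SAMPLE_LOG`; a non-empty result for a clientId confirms the domain mismatch described in the Cause section, whereas a NoPermission line with no matching token line points at a missing permission assignment instead.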

Resolution

Edit the user provisioning attribute mappings in the Entra ID application:

Step 1: For the domain attribute that is sent to vCenter, set the mapping type to Constant.
Step 2: Set the constant value to the group domain -> group-domain.com
Step 3: Start user provisioning again and retry the login.

Additional Information

The above mapping in the Entra application is sufficient.
In vCenter the user can have a different domain than the group, and SSO login will work.