Microsoft Entra ID Authentication Fails with "Access denied. Unable to authenticate the user."
search cancel

Microsoft Entra ID Authentication Fails with "Access denied. Unable to authenticate the user."

book

Article ID: 385106

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

After configuring Microsoft Entra ID Authentication users may receive an "Access denied. Unable to authenticate the user." error when attempting to authenticate using Microsoft Entra ID (formerly Azure AD). You may still be able to configure permissions on vCenter for the affected users despite the log in failure.

Symptoms:

You find a similar error in the federation-service.log

/var/log/vmware/vc-ws1a-broker/federation-service.log

YYYY-MM-DDTHH:MM:SS INFO  vcenter.yourdomain.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.XX.XX.XX;XXXXXXXX-TASK-UUID-XXXXXXXXXXXX;-;XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX] com.vmware.vidm.federation.utils.MetricsPublisherUtil - OIDC authentication successful
YYYY-MM-DDTHH:MM:SS INFO  vcenter.yourdomain.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.XX.XX.XX;XXXXXXXX-TASK-UUID-XXXXXXXXXXXX;-;XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX on attribute ExternalId=XXXXXXXX-EXTERNALID-XXXX-XXXXXXXXXXXX, domains: [yourdomain.com]
YYYY-MM-DDTHH:MM:SS WARN  vcenter.yourdomain.com:federation (ForkJoinPool-2-worker-145) [CUSTOMER;-;IP.XX.XX.XX;XXXXXXXX-TASK-UUID-XXXXXXXXXXXX;-;XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId XXXXXXXX-EXTERNALID-XXXX-XXXXXXXXXXXX, nameIdFormat ExternalId, and domains [yourdomain.com], user not found
YYYY-MM-DDTHH:MM:SS INFO  vcenter.yourdomain.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.XX.XX.XX;XXXXXXXX-TASK-UUID-XXXXXXXXXXXX;-;XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false
YYYY-MM-DDTHH:MM:SS INFO  vcenter.yourdomain.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.XX.XX.XX;XXXXXXXX-TASK-UUID-XXXXXXXXXXXX;-;XXXXXXXX-USER-LOGIN-UUID-XXXXXXXXXXXX] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: USER_NOT_FOUND

 

Environment

  • vSphere 8.0 or later
  • Microsoft Entra ID configured for vCenter authentication
  • Environment using Microsoft Entra Application Proxy
  • Configuring a New Microsoft Entra ID for vCenter authentication

Cause

When Enabling Entra ID for vCenter Server the SCIM User attributes may be synced prior to them being mapped correctly.

Resolution

We need to clear the Entra ID configuration, and re-add it to allow the authentication of the users.

  1. Log into the vSphere Client using the local administrator account ([email protected])
  2. Navigate to Administration > Single Sign On > Configuration
  3. Click the "CHANGE PROVIDER" control
  4. Select "Other Providers"
  5. Select "Embedded" (This step effectively removes the existing provider configuration)
  6. Re-add the Microsoft Entra ID provider with the following information:
    1. Microsoft identifier from the Azure portal
    2. Shared secret from Azure
    3. OpenID configuration URL
  7. If using SCIM provisioning, generate a new SCIM token
  8. Test the connection by:
    1. Opening an incognito/private browser window
    2. Accessing vCenter
    3. Selecting SSO authentication
    4. Verifying successful redirection to Entra ID

Additional Information

  • This resolution preserves existing SCIM provisioning settings
  • The procedure can be performed while SCIM provisioning remains active
  • For detailed steps on initial Entra ID configuration, refer to : How to Enable Entra ID for vCenter Server
Powered by Wolken Software