ADFS Authentication fails with Entra ID on vCenter Server in hybrid setup / Alternative UPN / UPN and sAMAccountName Mismatch



Article ID: 386653


Products

VMware vCenter Server

Issue/Introduction

If a user account has a different name in on-premises Active Directory than in Entra ID (formerly Azure AD), authentication fails when the standard process for setting up ADFS with Entra ID (KB 322179) is followed.

For example, if the user's UPN is "[email protected]" but the user's sAMAccountName is "domain2\user", authentication fails.
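The following PowerShell is an added example, not part of this KB, for finding the accounts that match the failure condition above before ADFS is set up: users whose UPN prefix differs from their sAMAccountName, or whose UPN suffix is an alternative suffix rather than the domain's DNS name. It assumes the RSAT ActiveDirectory module and read access to the domain; the function name Find-UpnSamMismatch is this example's own.

```powershell
# Added example (not from the KB): list enabled AD accounts whose UPN does not
# line up with their sAMAccountName or with the domain DNS root, i.e. the
# accounts that hit the ADFS / Entra ID failure described in this article.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Find-UpnSamMismatch {
    [CmdletBinding()]
    param(
        # Optional OU/container distinguished name; defaults to the whole domain.
        [string]$SearchBase
    )

    $domain  = Get-ADDomain
    $dnsRoot = $domain.DNSRoot.ToLowerInvariant()

    $params = @{ Filter = 'Enabled -eq $true'; Properties = 'UserPrincipalName', 'sAMAccountName' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $upn = $_.UserPrincipalName
        $prefix = $null; $suffix = $null
        if ($upn) {
            # Split once on '@' so a malformed UPN with extra '@' still yields a suffix.
            $prefix, $suffix = $upn -split '@', 2
        }

        # Case-insensitive compare (-ne is case-insensitive in PowerShell).
        $prefixMismatch = ($prefix -ne $_.sAMAccountName)
        # UPN suffix other than the domain DNS root, e.g. an alternative UPN suffix.
        $altSuffix = [bool]($suffix -and $suffix.ToLowerInvariant() -ne $dnsRoot)

        if (-not $upn -or $prefixMismatch -or $altSuffix) {
            [pscustomobject]@{
                sAMAccountName    = $_.sAMAccountName
                UserPrincipalName = $upn
                DownLevelName     = "$($domain.NetBIOSName)\$($_.sAMAccountName)"
                MissingUpn        = (-not $upn)
                PrefixMismatch    = $prefixMismatch
                AlternativeSuffix = $altSuffix
            }
        }
    }
}

# Usage: Find-UpnSamMismatch | Format-Table -AutoSize
```

Accounts reported with PrefixMismatch or AlternativeSuffix set to True are the ones that will need the custom UPN claim rule workaround rather than the standard KB 322179 setup.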

Cause

This is expected behavior: an account whose UPN and sAMAccountName differ is not a supported configuration.

Resolution

While this configuration is not supported, it is possible to work around the issue by creating custom UPN claim rules in ADFS. Note that this workaround is outside the Broadcom support scope; further assistance can be pursued through AD administrators or Microsoft support.

Community Article: https://community.broadcom.com/vmware-cloud-foundation/discussion/adfs-authentication-issue-with-alternative-upn-domain