ADFS Authentication fails with Entra ID on vCenter Server in hybrid setup / Alternative UPN / UPN and sAMAccountName Mismatch



Article ID: 386653


Products

VMware vCenter Server

Issue/Introduction

If a user account has a different name in the on-prem AD vs. Entra ID (Azure), authentication will fail if the standard process for setting up ADFS with Entra ID (KB 322179) is followed.

For example, if the user's UPN is "[email protected]" but the user's sAMAccountName is "domain2\user" (a different domain), authentication will fail.

Cause

This is expected behavior as using an account where the UPN and sAMAccountName differ is not a supported configuration.

Resolution

While this configuration is not supported, it is possible to work around the issue by creating custom UPN claim rules in ADFS. Note that Broadcom Support will not assist with configuring this, as it is outside the scope of support for our products. Understanding and implementing custom ADFS claim rules is your responsibility. Some online resources cover the basics of what needs to be done; if you need further assistance, work with your AD team or contact Microsoft for support with the configuration process.
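The following PowerShell is an added illustration of what a custom UPN claim rule looks like and how it is applied to an ADFS relying party trust; it is not code from this article, from Broadcom or from Microsoft. It assumes a relying party trust named "vCenter-Entra-RPT" and that the value vCenter expects as the UPN can be read from an AD attribute named in $SourceAttribute (here "mail"); both are placeholders, and the attribute or rewrite your environment actually needs is something you have to determine yourself. The claim type URIs, the "AD AUTHORITY" issuer and the AD FS cmdlets are standard; the script backs up the current rules before changing anything so the change can be reverted.

```powershell
# Added example, not Broadcom's or Microsoft's code. Run in an elevated
# PowerShell session on an AD FS server (the ADFS module is present there).
Import-Module ADFS

$TrustName       = 'vCenter-Entra-RPT'   # placeholder: display name of your relying party trust
$SourceAttribute = 'mail'                # placeholder: AD attribute holding the value to present as UPN
$BackupPath      = "$env:TEMP\$TrustName-rules-$(Get-Date -Format yyyyMMdd-HHmmss).txt"

# 1. Capture the existing issuance transform rules so the change can be reverted.
$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying party trust '$TrustName' not found" }
$trust.IssuanceTransformRules | Out-File -FilePath $BackupPath -Encoding utf8
Write-Host "Existing rules saved to $BackupPath"

# 2. Custom rule in AD FS claim rule language: for the Windows account that
#    authenticated, look up $SourceAttribute in Active Directory and issue its
#    value as the UPN claim.
$customRule = @"
@RuleName = "Issue UPN from $SourceAttribute (custom rule, see KB 386653)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";$SourceAttribute;{0}", param = c.Value);
"@

# 3. Append the rule. If an existing rule already issues a UPN claim, remove it
#    from the rule text first; otherwise two UPN claims are sent to the relying party.
$newRules = $trust.IssuanceTransformRules + "`r`n" + $customRule
Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $newRules

# 4. Review the resulting rule set and test with an affected user before rolling out.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

After applying the rule, confirm with an affected user's sign-in and check the AD FS admin event log; if the relying party still rejects the token, the backup file written in step 1 restores the previous rules with the same Set-AdfsRelyingPartyTrust call.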

Community Article: https://community.broadcom.com/vmware-cloud-foundation/discussion/adfs-authentication-issue-with-alternative-upn-domain