Domain user authentication to vCenter via PowerCLI is failing when Multi-Factor Authentication (MFA) is enabled on ADFS.



Article ID: 387932


Updated On:

Products

VMware vCenter Server

Issue/Introduction

When vCenter is configured to use Active Directory Federation Services (ADFS) as its identity provider and Multi-Factor Authentication (MFA) is enabled on the ADFS server, domain users cannot authenticate to vCenter through PowerCLI with Connect-VIServer and a username and password.

Authentication fails with "Invalid username or password", even though the same credentials work in the vCenter UI.

Environment

VMware vCenter Server 7.x

VMware vCenter Server 8.x

Cause

This is expected behavior.

A username/password login to Connect-VIServer has no way to complete the interactive MFA challenge that ADFS enforces. When MFA is enforced on the ADFS server, Connect-VIServer therefore expects a SAML token, obtained through the federated login, to authenticate a domain user.

Resolution

When MFA is enforced on the ADFS server, the New-OAuthSecurityContext cmdlet is used to log in to ADFS interactively (a browser window opens, where the user completes the MFA challenge) and obtain an OAuth token.

The New-VISamlSecurityContext cmdlet then exchanges that OAuth token for a SAML token issued for the target vCenter.

Once the SAML token is generated, Connect-VIServer can authenticate the domain user with it using the -SamlSecurityContext parameter instead of -User and -Password.

Connect to a vCenter Server System Configured for an External Identity Provider


Please follow the below steps to generate the required tokens:

1) Validate that domain users can log in to the vCenter UI via MFA. If the UI login fails, the ADFS configuration needs to be fixed first; the PowerCLI steps below do not change that.

2) Add a native application for PowerCLI within the vCenter application group on the ADFS server.

   To do this, double-click the vCenter app group -> Add Application -> select Native Application.
   In the "Add a new native application" dialog box, set the name to powercli-native, copy and save the client identifier, add the redirect URI http://localhost:8844/auth (a loopback address on the machine running PowerCLI, which is where the OAuth authorization code is returned), and click Finish.


   
3) In the vCenter application group, select the Web API -> Edit.
   Navigate to the Identifiers tab -> add the client identifier copied from the native application in step 2 to the Relying party identifiers list.
   Navigate to the Client Permissions tab -> Add -> powercli-native.
   Ensure powercli-native is selected under client permissions and check both the allatclaims and openid scopes.
   Click Apply, then Finish.

4) To connect via PowerCLI, save the script below, modify it for your environment, and execute it.

   # vCenter and ADFS endpoints; replace the placeholders for your environment.
   $VCenterServer    = 'vCenter_FQDN'
   $TokenEndpointURL = 'https://ADFS_FQDN/adfs/oauth2/token/'
   $AuthEndpointURL  = 'https://ADFS_FQDN/adfs/oauth2/authorize/'
   # Must match the redirect URI registered on the powercli-native application in step 2.
   $RedirectURL      = 'http://localhost:8844/auth'
   # Client identifier saved when the native application was created in step 2.
   $ClientID         = 'Enter powercli-native client-ID here'

   # Step 1: interactive OAuth login to ADFS. A browser window opens and the MFA challenge is completed there.
   $OAuth = New-OAuthSecurityContext -TokenEndpointUrl $TokenEndpointURL -AuthorizationEndpointUrl $AuthEndpointURL -RedirectUrl $RedirectURL -ClientId $ClientID

   # Step 2: exchange the OAuth token for a SAML token issued for this vCenter.
   # -IgnoreSslValidationErrors skips certificate validation of the vCenter endpoint; remove it once vCenter presents a certificate the client trusts.
   $Saml = New-VISamlSecurityContext -VCenterServer $VCenterServer -OAuthSecurityContext $OAuth -IgnoreSslValidationErrors

   # Step 3: connect with the SAML token instead of a username and password.
   $Conn = Connect-VIServer -Server $VCenterServer -SamlSecurityContext $Saml
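The following is an added example, not part of this article or of PowerCLI itself. It wraps the same three-step flow in a function that reads the authorization and token endpoint URLs from the ADFS OpenID Connect discovery document (https://ADFS_FQDN/adfs/.well-known/openid-configuration) instead of hard-coding them, and only passes -IgnoreSslValidationErrors to New-VISamlSecurityContext when explicitly asked to. The function name, its parameters, and the example host names are this example's own assumptions.

```powershell
# Added example: discovery-based variant of the token flow above.
# Function and parameter names are hypothetical; the cmdlets are the PowerCLI ones from the article.
function Connect-VIServerWithAdfs {
    param(
        [Parameter(Mandatory)] [string] $VCenterServer,
        [Parameter(Mandatory)] [string] $AdfsFqdn,
        # Client identifier of the powercli-native application registered in ADFS.
        [Parameter(Mandatory)] [string] $ClientId,
        # Must match the redirect URI registered on that native application.
        [string] $RedirectUrl = 'http://localhost:8844/auth',
        # Only for lab vCenters without a trusted certificate; off by default.
        [switch] $IgnoreSslValidationErrors
    )

    # ADFS publishes its OAuth endpoints here, so they do not have to be typed by hand.
    $discoveryUrl = "https://$AdfsFqdn/adfs/.well-known/openid-configuration"
    $oidc = Invoke-RestMethod -Uri $discoveryUrl -Method Get

    foreach ($name in 'authorization_endpoint', 'token_endpoint') {
        if (-not $oidc.$name) {
            throw "ADFS discovery document at $discoveryUrl has no '$name' entry."
        }
    }

    # Step 1: interactive OAuth login; the browser completes the MFA challenge.
    $oauth = New-OAuthSecurityContext -AuthorizationEndpointUrl $oidc.authorization_endpoint `
                                      -TokenEndpointUrl $oidc.token_endpoint `
                                      -RedirectUrl $RedirectUrl `
                                      -ClientId $ClientId

    # Step 2: exchange the OAuth token for a SAML token issued for this vCenter.
    $samlParams = @{ VCenterServer = $VCenterServer; OAuthSecurityContext = $oauth }
    if ($IgnoreSslValidationErrors) { $samlParams['IgnoreSslValidationErrors'] = $true }
    $saml = New-VISamlSecurityContext @samlParams

    # Step 3: connect with the SAML token; the connection object is returned to the caller.
    Connect-VIServer -Server $VCenterServer -SamlSecurityContext $saml
}

# Usage (hypothetical host names; replace with your own):
# Connect-VIServerWithAdfs -VCenterServer 'vcenter.example.com' -AdfsFqdn 'adfs.example.com' -ClientId '<powercli-native client ID>'
```

Reading the endpoints from the discovery document removes one class of "Invalid username or password"-style failures caused by a mistyped or trailing-slash endpoint URL, and keeping certificate validation on by default means a lab-only shortcut is not silently carried into production scripts.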

Additional Information