Domain user authentication to vCenter via PowerCLI is failing when Multi-Factor Authentication (MFA) is enabled on ADFS.
Article ID: 387932

Products

VMware vCenter Server

Issue/Introduction

  • When vCenter is configured to use Active Directory Federation Services (ADFS) as the identity provider and Multi-Factor Authentication (MFA) is enabled on the ADFS server, domain users are unable to authenticate to vCenter through PowerCLI.
  • Authentication fails with the error "Invalid username or password".

Environment

  • VMware vCenter Server 7.x
  • VMware vCenter Server 8.x

Cause

  • This is expected behavior. When MFA is enforced on the ADFS server, the Connect-VIServer cmdlet expects a SAML token to authenticate a domain user; a plain username and password can no longer satisfy the MFA policy, so the login is rejected.

Resolution

  • When MFA is enforced on an ADFS server, the New-OAuthSecurityContext cmdlet is needed to log in to the ADFS server and obtain an OAuth token. Then, the New-VISamlSecurityContext cmdlet is needed to exchange the OAuth token for a SAML token. Once the SAML token is generated, Connect-VIServer can authenticate the domain user with the SAML token.

    Reference: Connect to a vCenter Server System Configured for an External Identity Provider
  • Follow the steps below to generate the required tokens:

1) Validate that the domain users are able to log in to the vCenter UI via MFA.

2) Add a native application for PowerCLI within the vCenter application group on the ADFS server.

   To do this, double-click the vCenter application group -> Add Application -> select Native Application.

   In the "Add a new native application" dialog box, set the name to powercli-native, copy and save the client identifier, add http://localhost:8844/auth as the redirect URI, and click Finish.

3) In the vCenter application group, select the Web API -> Edit.

   Navigate to the Identifiers tab and add the client identifier copied from the native application created in step 2 under Relying party identifiers.

   Navigate to the Client Permissions tab -> Add -> powercli-native.

   Ensure powercli-native is selected under client permissions and check both the allatclaims and openid scopes.

   Apply and finish.

4) To connect via PowerCLI, save the script below, modify it for your environment, and execute it.

   # Replace the placeholders with the values for your environment.
   $VCenterServer    = 'vCenter_FQDN'
   $TokenEndpointURL = 'https://ADFS_FQDN/adfs/oauth2/token/'
   $AuthEndpointURL  = 'https://ADFS_FQDN/adfs/oauth2/authorize/'
   # Must match the redirect URI registered for the native application in step 2.
   $RedirectURL      = 'http://localhost:8844/auth'
   # Client identifier saved when the powercli-native application was created in step 2.
   $ClientID         = 'Enter powercli-native client-ID here'
   # The contexts are reset so that every run performs a fresh login.
   $OAuth = $null
   $Saml  = $null
   $Conn  = $null
   # Log in to ADFS (interactive login, including the MFA challenge) and obtain an OAuth token.
   if ( !$OAuth ) { $OAuth = New-OAuthSecurityContext -TokenEndpointUrl $TokenEndpointURL -AuthorizationEndpointUrl $AuthEndpointURL -RedirectUrl $RedirectURL -ClientId $ClientID }
   # Exchange the OAuth token for a SAML token issued for this vCenter Server.
   # Remove -IgnoreSslValidationErrors once vCenter presents a certificate trusted by this machine.
   if ( !$Saml ) { $Saml = New-VISamlSecurityContext -VCenterServer $VCenterServer -OAuthSecurityContext $OAuth -IgnoreSslValidationErrors }
   # Connect to vCenter with the SAML token instead of a username and password.
   if ( !$Conn ) { $Conn = Connect-VIServer -Server $VCenterServer -SamlSecurityContext $Saml }

Additional Information

Reference documents:

New-OAuthSecurityContext

New-VISamlSecurityContext

Connect-VIServer

Note: Similar behavior is also observed in third-party tools such as Dell RVTools. For further assistance, contact the respective vendor's support team.