Domain user authentication to vCenter via PowerCLI is failing when Multi-Factor Authentication (MFA) is enabled on supported external providers such as ADFS, EntraID or Ping
search cancel

Domain user authentication to vCenter via PowerCLI is failing when Multi-Factor Authentication (MFA) is enabled on supported external providers such as ADFS, EntraID or Ping

book

Article ID: 387932

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

When vCenter is configured to use a supported external identity and authentication provider such as ADFS, EntraID or Ping and Multi-Factor Authentication (MFA) is enabled, domain users are unable to authenticate to vCenter through PowerCLI.

Authentication fails with "Invalid username or password".

Environment

  • VMware vCenter Server 7.x
  • VMware vCenter Server 8.x

Cause

This is expected behavior. When MFA is enforced, the Connect-VIServer cmdlet expects a SAML token to authenticate a domain user on a supported external provider such as:

  • ADFS
  • EntraID
  • Ping

Resolution

When MFA is enforced on a supported external provider such as ADFS, EntraID or Ping, the New-OauthSecurityContext cmdlet is needed to login to the external server and get an OAuth token. Then, the New-VISamlSecurityContext cmdlet is needed to translate the OAuth token to a SAML token. Once the SAML token is generated, Connect-VIServer can authenticate the domain user with the SAML token.

Connect to a vCenter Server System Configured for an External Identity Provider

Follow the below steps to generate the required tokens:

    1. Validate if the domain users are able to login to vCenter UI via MFA.
    2. Add a native application for powerCLI within the vCenter’s application group in the external provider server.
      1. To do this, double-click on the vCenter’s app group -> Add Application -> Select Native Application.
      2. In the “Add a new native application” dialog box, specify the name as powercli-native, copy and save the client identifier, add the redirection URL as http://localhost:8844/auth and click finish.   
    3. In vCenter’s application group, Select the Web API -> Edit
      1. Navigate to the Identifiers tab -> Add the copied client identifier from the native application creation from step 2 under the Relying party Identifiers tab.
      2. Navigate to Client Permissions tab -> Add -> powercli-native.
      3. Ensure powercli-native is selected under client permissions and check both allatclaims and openid.
      4. Apply and finish.
    4. To connect via PowerCLI, save the below script, modify it as per the environment, and execute it.
   $VCenterServer = 'vCenter_FQDN'
   $TokenEndpointURL = 'https://ADFS_FQDN/adfs/oauth2/token/'
   $AuthEndpointURL = 'https://ADFS_FQDN/adfs/oauth2/authorize/'
   $RedirectURL = 'http://localhost:8844/auth'
   $ClientID = 'Enter powercli-native client-ID here'
   $OAuth = $null
   $Saml = $null
   $Conn = $null
   if ( !$OAuth ) { $OAuth = New-OAuthSecurityContext -TokenEndpointUrl $TokenEndpointURL -AuthorizationEndpointUrl $AuthEndpointURL -RedirectUrl $RedirectURL -ClientId $ClientID }
   if ( !$Saml ) { $Saml = New-VISamlSecurityContext -VCenterServer $VCenterServer -OAuthSecurityContext $OAuth -IgnoreSslValidationErrors }
   if ( !$Conn ) { $Conn = Connect-VIServer -Server $VCenterServer -SamlSecurityContext $Saml }

Additional Information

Reference documents:

New-OAuthSecurityContext

New-VISamlSecurityContext

Connect-VIServer

Note: A similar behavior is also observed in tools such as Dell RV Tools. For further assistance, contact the respective vendor's support team.

Powered by Wolken Software