Unable to log in to vCenter with Entra ID credentials

Article ID: 390375

Updated On:

Products

VMware vCenter Server 8.0
VMware Cloud Foundation

Issue/Introduction

  • Entra ID users attempting to log in to vCenter fail with an "Access Denied" error.

  • In /var/log/vmware/vc-ws1a-broker/federation-service.log on the vCenter appliance you see entries similar to:

    ERROR vCenter.example.com:federation (vert.x-eventloop-thread-#) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000222: The provided client secret keys for app '####-####-####-####-#############' are expired...

    OR

    ERROR vcenter.example.com:federation (vert.x-eventloop-thread-#) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app

Environment

VMware vCenter

 

Cause

The client secret of the vCenter app registration in Microsoft Entra ID (Azure) has expired (AADSTS7000222), or the value configured in vCenter is not the secret value, for example because the secret ID was pasted instead of the secret value (AADSTS7000215).

Resolution

To resolve the issue, follow the steps below:

  1. Log in to the Azure Portal:
    • Navigate to https://portal.azure.com and log in with an account that is allowed to manage the app registration.

  2. Locate your app registration:
    • In the left-hand menu, select "Azure Active Directory" (labelled "Microsoft Entra ID" in the current portal).
    • Under "Manage," select "App registrations."
    • Find and select the app registration whose Application (client) ID matches the app ID '####-####-####-####-##########' reported in the log entry.

  3. Add a new client secret:
    • Under "Manage," select "Certificates & secrets."
    • In the "Client secrets" section, click "New client secret."
    • Add a description for the new client secret (e.g., "vCenter federation") and choose an expiry. Record the expiry date: the secret has to be rotated before then, or logins will fail again with AADSTS7000222.
    • Click "Add."

  4. Update your vCenter with the new client secret:
    • Immediately copy the string shown in the "Value" column; it is displayed only once. Do not copy the "Secret ID," which is the mistake behind AADSTS7000215.
    • Update your vCenter's configuration with the new client secret value and verify that an Entra ID user can log in.
    • Once logins succeed, delete the old expired or unused secret from the app registration so it can no longer be used.
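The procedure above is easy to forget until the next expiry. As an added example (not part of this article or of VMware's tooling), the script below checks the secrets on the app registration and reports which are expired or about to expire. It reads the JSON printed by `az ad app credential list --id <app-id>` and assumes, which the article does not state, that each entry carries `keyId`, `displayName`, `startDateTime` and `endDateTime` in ISO-8601 UTC; the sample data is constructed, not from a real tenant.

```python
"""Report expired and soon-to-expire client secrets on the vCenter app
registration, from the output of:  az ad app credential list --id <app-id>

Assumption (not stated in the article): each JSON entry has "keyId",
"displayName", "startDateTime" and "endDateTime" (ISO-8601, UTC).
"""
import json
from datetime import datetime, timezone

# Constructed sample: one secret that has already expired and one that is
# still valid but close to its end date.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"keyId": "11111111-1111-1111-1111-111111111111",
     "displayName": "vCenter federation 2023",
     "startDateTime": "2023-01-10T09:00:00Z",
     "endDateTime": "2024-01-10T09:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222",
     "displayName": "vCenter federation 2024",
     "startDateTime": "2024-01-05T09:00:00Z",
     "endDateTime": "2024-07-20T09:00:00Z"},
])


def parse_utc(ts):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_secrets(az_json, now=None, warn_days=30):
    """Return [(keyId, displayName, status, days_left)] for every secret.

    status is "expired", "expiring" (ends within warn_days) or "valid".
    now may be an aware datetime or an ISO-8601 string; default is the
    current UTC time. A negative days_left means the secret already ended.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_utc(now)
    result = []
    for cred in json.loads(az_json):
        end = parse_utc(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "valid"
        result.append((cred["keyId"], cred.get("displayName", ""), status, days_left))
    return result


def has_usable_secret(az_json, now=None):
    """True if at least one secret is unexpired; False is the AADSTS7000222 state."""
    return any(s[2] != "expired" for s in classify_secrets(az_json, now))


if __name__ == "__main__":
    for key_id, name, status, days in classify_secrets(SAMPLE_AZ_OUTPUT):
        print(f"{status:9} {days:6d} days  {key_id}  {name}")
    print("usable secret present:", has_usable_secret(SAMPLE_AZ_OUTPUT))
```

Run it against live output with `az ad app credential list --id <app-id> > creds.json` and feed the file to `classify_secrets`; an "expiring" result is the signal to start step 3 of the resolution before users are locked out.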

Additional Information

  • Refer to the attached document for the step-by-step procedure to reconfigure the client secret in vCenter. See page 14, step 27 for detailed instructions.

For additional information refer to How to Enable Entra ID for vCenter Server

 

  • In some scenarios, log entries like the following may also be seen:

    Caused by: io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'xxxxxxxxxxxx'. Trace ID: xxxxxxxxxxxx Correlation ID: xxxxxxxxxxxxxxxx Timestamp: YYYY-MM-DDTHH:MM:SSZ

    YYYY-MM-DDTHH:MM:SS,285 WARN  xxxxxxxxxxxxxx:federation (federation-business-pool-0) [CUSTOMER;-;xxxxxxxxxxxxx] xxxxxxxxxxx - Failed to process OIDC authentication
    YYYY-MM-DDTHH:MM:SS,285 INFO  xxxxxxxxxxxxxxxxx:federation (federation-business-pool-0) [CUSTOMER;-;xxxxxxxx;-;xxxxxxx] xxxxxxxxxxx - Metric published: com.vmware.vidm.common.metrics.model.Metrics@22161bd3
    YYYY-MM-DDTHH:MM:SS,285 INFO  xxxxxxxxxxxxxxx:federation (federation-business-pool-0) [CUSTOMER;-;x.x.x.x;xxxxxxxxxxxxxx;-;xxxxxxxxxxxxxxxxx] com.vmware.vidm.federation.utils.MetricsPublisherUtil - OIDC authentication failed
    YYYY-MM-DDTHH:MM:SS,296 INFO  xxxxxxxxxxxxxxxxx:federation (federation-business-pool-0) [CUSTOMER;-;xxxxxx;-;xxxxxxxxxxx] xxxxxxxxxxx - Deny access based on ruleset resolution result for login contextId: xxxxxxxxxxxxxx with reason code: AUTH_FAILED
    YYYY-MM-DDTHH:MM:SS,297 INFO  xxxxxxxxxxxxx(federation-business-pool-0) [CUSTOMER;-;xxxxxxxxx;-;xxxxxxxxxxxxxx] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: xxxxxxxxxxxxxxxxxxxx, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: AUTH_FAILED, isAuthenticationForced: false
    YYYY-MM-DDTHH:MM:SS,297 INFO  xxxxxxxxxxxx:federation (federation-business-pool-0) [CUSTOMER;-;xxxxxxx;-;xxxxxxxxxx] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: AUTH_FAILED
    YYYY-MM-DDTHH:MM:SS,297 INFO  xxxxxxxxxxxx:federation (federation-business-pool-0) [CUSTOMER;-;xxxxxxxxx;-;xxxxxxxx] com.vmware.vidm.federation.exception.handler.LoginExceptionHandler - Access denied for login context: xxxxxxxxxxxx
    YYYY-MM-DDTHH:MM:SS,528 INFO xxxxxxxxxxxxx:federation (scheduled-metrics-publisher-1) [-;-;-;-;-;-] xxxxxxxxxxxxxx - Metric published: com.vmware.vidm.common.metrics.model.Metrics@13446751
    YYYY-MM-DDTHH:MM:SS,286 INFO  xxxxxxxxxx:federation (vert.x-eventloop-thread-0) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - [client #22 @796be239] disconnected from login.microsoftonline.com:443

If the log entries match the examples above, follow the steps in the Resolution section to fix the issue.
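The AADSTS code in the "Token endpoint failed" line is what distinguishes an expired secret from a mis-pasted one, and the AUTH_FAILED denials that follow are the user-visible "Access Denied". As an added example (not part of this article or of vCenter), the script below pulls both out of federation-service.log and says which fix applies. The log lines are constructed to mirror the article's examples; hostnames, timestamps, context IDs and the app ID are placeholders, and the regular expressions assume the message formats shown above.

```python
"""Triage federation-service.log for the Entra ID client-secret failures
described in this article. Sample log lines are constructed placeholders."""
import re
from collections import Counter

APP_ID = "11111111-1111-1111-1111-111111111111"   # placeholder app registration ID

# Constructed lines modelled on the article's examples (not a real log).
SAMPLE_LOG = f"""\
2024-07-01T10:15:02,281 ERROR vcenter.example.com:federation (vert.x-eventloop-thread-1) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000222: The provided client secret keys for app '{APP_ID}' are expired.
2024-07-01T10:15:02,285 WARN  vcenter.example.com:federation (federation-business-pool-0) [CUSTOMER;-;ctx-1] LoginService - Failed to process OIDC authentication
2024-07-01T10:15:02,296 INFO  vcenter.example.com:federation (federation-business-pool-0) [CUSTOMER;-;ctx-1;-;x] RulesetService - Deny access based on ruleset resolution result for login contextId: ctx-1 with reason code: AUTH_FAILED
2024-07-01T10:20:45,101 ERROR vcenter.example.com:federation (vert.x-eventloop-thread-0) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '{APP_ID}'. Trace ID: trace-1 Correlation ID: corr-1 Timestamp: 2024-07-01T10:20:45Z
2024-07-01T10:20:45,120 INFO  vcenter.example.com:federation (federation-business-pool-0) [CUSTOMER;-;ctx-2;-;x] RulesetService - Deny access based on ruleset resolution result for login contextId: ctx-2 with reason code: AUTH_FAILED
2024-07-01T10:21:00,003 INFO  vcenter.example.com:federation (vert.x-eventloop-thread-0) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - [client #22 @796be239] disconnected from login.microsoftonline.com:443
"""

# The two AADSTS codes the article covers, each with the matching fix.
AADSTS_ADVICE = {
    "AADSTS7000222": "client secret expired: add a new secret to the app registration and update vCenter",
    "AADSTS7000215": "wrong secret value: vCenter holds the secret ID or a mistyped value, not the secret value",
}

TOKEN_FAIL_RE = re.compile(r"Token endpoint failed .*?invalid_client: (AADSTS\d+):.*?app '([^']+)'")
DENY_RE = re.compile(r"Deny access .*? contextId: (\S+) with reason code: (\w+)")


def triage(log_text):
    """Return (token_failures, denials).

    token_failures: list of (timestamp, aadsts_code, app_id, advice)
    denials: Counter of login denials keyed by reason code (e.g. AUTH_FAILED)
    """
    token_failures = []
    denials = Counter()
    for line in log_text.splitlines():
        m = TOKEN_FAIL_RE.search(line)
        if m:
            code, app_id = m.groups()
            advice = AADSTS_ADVICE.get(code, "other AADSTS error: look the code up in the Entra ID error reference")
            token_failures.append((line.split(" ", 1)[0], code, app_id, advice))
            continue
        m = DENY_RE.search(line)
        if m:
            denials[m.group(2)] += 1
    return token_failures, denials


def is_secret_problem(log_text):
    """True when the log shows the client-secret failure this article covers."""
    failures, _ = triage(log_text)
    return any(code in AADSTS_ADVICE for _, code, _, _ in failures)


if __name__ == "__main__":
    failures, denials = triage(SAMPLE_LOG)
    for ts, code, app_id, advice in failures:
        print(f"{ts} {code} app={app_id}: {advice}")
    for reason, n in denials.items():
        print(f"{n} login(s) denied with reason {reason}")
    print("client-secret problem:", is_secret_problem(SAMPLE_LOG))
```

On the appliance itself, `grep -E 'AADSTS[0-9]+' /var/log/vmware/vc-ws1a-broker/federation-service.log` gives the same first cut; the script adds the per-code advice and the count of denied logins so the blast radius is visible at a glance.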

 

Unable to log in to vCenter using Entra ID authentication

Attachments

Step-by-step-procedure-to-configure-azure-ad-federation-on-vcenter-server_v3.pdf