Unable to log in to vCenter with Entra ID credentials
search cancel

Unable to log in to vCenter with Entra ID credentials

book

Article ID: 390375

calendar_today

Updated On:

Products

VMware vCenter Server 8.0

Issue/Introduction

  • Entra ID users when attempting to login to the vCenter fails with  "Access Denied" error.
  • In vCenter /var/log/vmware/vc-ws1a-broker/federation-service.log you see entries similar to: 
    [YYYY-MM-DDTHH:MM:SS] ERROR vCenter.domain.com:federation (vert.x-eventloop-thread-12) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000222: The provided client secret keys for app '####-####-####-####-#############' are expired. Visit the Azure portal to create new keys for your app: https://abc.dt/"name", or consider using certificate credentials for added security: https://abc.dt/certCreds. Trace ID: ####-####-####-####-############# Correlation ID: ####-####-####-####-############# Timestamp: [YYYY-MM-DDTHH:MM:SS]
[YYYY-MM-DDTHH:MM:SS] WARN  vCenter.domain.com:federation (federation-business-pool-0) [CUSTOMER;-;##.##.##.##;#####-####-####-####-##########;-;#####-####-####-####-############] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator - Exception occurred while retrieving oidc tokens com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationException: Unable to get ID token and access token  at com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService.lambda$redeemOidcTokensWithAuthorizationCode$1(OidcAuthenticationService.java:129)

 

Environment

VMware vCenter  

 

Cause

The client secret key on Microsoft Azure has expired.

Resolution

To resolve the issue follow the below steps:

  1. Log in to the Azure Portal:
    • Navigate to https://portal.azure.com and log in with your credentials.

  2. Locate Your App Registration:
    • In the left-hand menu, select "Azure Active Directory."
    • Under "Manage," select "App registrations."
    • Find and select the app registration corresponding to the app ID '####-####-####-####-##########'.

  3. Add a New Client Secret:
    • Under "Manage," select "Certificates & secrets."
    • In the "Client secrets" section, click "New client secret."
    • Add a description for the new client secret (e.g., "New client secret").
    • Click "Add."

  4. Update Your vCenter with the New Client Secret:
    • After creating the new client secret, copy the value displayed. 
    • Update your vCenter's configuration with the new client secret value.

Additional Information

Refer to the attached document for the step-by-step procedure to reconfigure the New Client Secret. See page 14, step 27 for detailed instructions.

For additional information refer to  How to Enable Entra ID for vCenter Server

Attachments

Step-by-step-procedure-to-configure-azure-ad-federation-on-vcenter-server_v3.pdf get_app
Powered by Wolken Software