EntraID integration with vCenter is failing with an error "Could not create indirect identity provider"

Article ID: 394551

Products

VMware vCenter Server 8.0

Issue/Introduction

  • Unable to integrate Microsoft EntraID with vCenter
  • Receiving error message "Could not create indirect identity provider" as seen in the screenshot.

  • /var/log/vmware/trustmanagement/trustmanagement-svcs.log shows the following error messages:

YYYY-MM-DDTHH:MM:SS [tomcat-exec-7 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] API request CREATE_IDENTITY_PROVIDER to url http://localhost:1080/external-vecs/http1/<vcenter-ur>/443/federation/t/customer/broker/identity-providers returned unexpected response code 400 and the following error information: {"errors":[{"code":"oidc.config.api.validation.error","message":"Failed to retrieve OIDC endpoints from configuration url: https://login.microsoftonline.com/########-####-####-####-##########/v2.0/.well-known/openid-configuration.","parameters":{"configUrl":"https://login.microsoftonline.com/########-####-####-####-##########/v2.0/.well-known/openid-configuration"}}]}
YYYY-MM-DDTHH:MM:SS [tomcat-exec-7 [] ERROR com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] Failed to create identity provider with IDP name Microsoft Entra ID for tenant customer on host <vcenter-url>
YYYY-MM-DDTHH:MM:SS [tomcat-exec-7 [] ERROR com.vmware.vcenter.trustmanagement.impl.AuthBrokerIdp  opId=] Rolling back 1 operations after error creating IDP: Failed to create identity provider with IDP name Microsoft Entra ID for tenant customer on host <vcenter-ur>
YYYY-MM-DDTHH:MM:SS [tomcat-exec-7 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] Deleted directory with ID ######-####-####-####-########## for tenant customer
YYYY-MM-DDTHH:MM:SS [tomcat-exec-7 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Failed to create Auth Broker IDP
com.vmware.vcenter.trustmanagement.authbroker.BrokerException: Failed to create identity provider with IDP name Microsoft Entra ID for tenant customer on host <vcenter-ur>
        at com.vmware.vcenter.trustmanagement.authbroker.BrokerClient.logAndThrow(BrokerClient.java:1095) ~[libservice.jar:?]
        at com.vmware.vcenter.trustmanagement.authbroker.BrokerClient.createIdentityProvider(BrokerClient.java:805) ~[libservice.jar:?]
        at com.vmware.vcenter.trustmanagement.impl.AuthBrokerIdp.createWithRollback(AuthBrokerIdp.java:302) ~[libservice.jar:?]
        at com.vmware.vcenter.trustmanagement.impl.AuthBrokerIdp.create(AuthBrokerIdp.java:187) ~[libservice.jar:?]
        at com.vmware.vcenter.trustmanagement.impl.AuthBrokerIdp.create(AuthBrokerIdp.java:146) ~[libservice.jar:?]

  • A curl command against the URL "https://login.microsoftonline.com/########-####-####-####-##########/v2.0/.well-known/openid-configuration" run from the vCenter appliance returns no output and/or hangs.

Environment

vCenter Server 8.0 U2 and above

Cause

This issue occurs because vCenter cannot reach the EntraID portal (https://login.microsoftonline.com): a network misconfiguration, a DNS resolution failure, or a firewall is blocking the connection, so the OIDC discovery document cannot be retrieved.

Resolution

Ensure that vCenter can reach the EntraID portal (https://login.microsoftonline.com): configure the vCenter network/internet access (including DNS) correctly, and check whether a firewall is blocking the connection.
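The following script is an added example (not VMware/Broadcom code) that performs the connectivity check described in the Issue and Resolution sections from the vCenter appliance shell: it resolves login.microsoftonline.com, fetches the OIDC discovery document with a timeout, classifies any failure as DNS, timeout, TLS or HTTP, and verifies that the document contains the endpoints the auth broker needs. It assumes python3 is available on the appliance; TENANT_ID is a constructed placeholder.

```python
"""Check that this vCenter host can retrieve Entra ID's OIDC discovery document.

Added example, not VMware/Broadcom code. Assumes python3 on the appliance.
"""
import json
import socket
import ssl
import urllib.error
import urllib.request

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: replace with your tenant ID
ENTRA_HOST = "login.microsoftonline.com"
DISCOVERY_URL = f"https://{ENTRA_HOST}/{TENANT_ID}/v2.0/.well-known/openid-configuration"

# Metadata keys the auth broker must find in the discovery document.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def missing_oidc_keys(doc: dict) -> list:
    """Return the required OIDC metadata keys absent (or empty) in a discovery document."""
    return [k for k in REQUIRED_KEYS if not doc.get(k)]


def classify_error(exc: Exception) -> str:
    """Map a fetch failure to the likely cause named in the KB article."""
    if isinstance(exc, socket.gaierror):
        return "dns"        # name resolution failed: check the appliance DNS settings
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"    # connect/read timed out: firewall or routing problem
    if isinstance(exc, ssl.SSLError):
        return "tls"        # TLS interception or certificate/clock problem on the path
    if isinstance(exc, urllib.error.HTTPError):
        return f"http {exc.code}"
    if isinstance(exc, urllib.error.URLError):
        # urllib wraps socket/TLS errors; classify the underlying reason
        return classify_error(exc.reason) if isinstance(exc.reason, Exception) else "network"
    return "unknown"


def fetch_discovery(url: str = DISCOVERY_URL, timeout: float = 10.0) -> dict:
    """Fetch and parse the discovery document; raise on any network or HTTP failure."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    try:
        socket.getaddrinfo(ENTRA_HOST, 443)   # step 1: DNS resolution
        doc = fetch_discovery()                # step 2: HTTPS fetch with timeout
    except Exception as exc:
        raise SystemExit(f"FAIL ({classify_error(exc)}): {exc}")
    missing = missing_oidc_keys(doc)           # step 3: document content
    print("OK" if not missing else f"FAIL: discovery document lacks {missing}")
```

A "FAIL (dns)" result points at the appliance DNS configuration, while "FAIL (timeout)" usually means a firewall or missing route to login.microsoftonline.com.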