Error: "Unable to login because you do not have permission on any vCenter Server systems connected to this client" when logging into vCenter using ADFS group

Article ID: 404111

Products

VMware vCenter Server

Issue/Introduction

  • When attempting to log into a vCenter configured with ADFS as its identity provider, users from a defined group are failing to log in with the error: 
    "Unable to login because you do not have permission on any vCenter Server systems connected to this client"

  • The error may also appear after the client secret shared between ADFS and vCenter has been rotated.
  • Investigating /var/log/vmware/sso/tokenservice.log on the vCenter will show entries similar to the following:

    [YYYY-MM-DDTHH:MM:SS] INFO tokenservice[63:tomcat-http--25] [CorId=########-####-####-####-######## OpId=########-####-####-####-########:########] [com.vmware.vcenter.tokenservice.jit.JitJwt] JITing user: <user>@<ADFSDomain>.com, spec: CreateSpec (com.vmware.vcenter.identity.foreign_security_principals.create_spec) => {
        identityProviderId = ########-####-####-####-########,
        name = <user>@<ADFSDomain>,
        domain = <ADFSDomain>,
        groupNames = [],
        groupIds = []
    }

    Depending on the error in the claim rule, the groupNames and groupIds fields are either empty (as above) or contain the wrong values.
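As an added check for the symptom above (example code, not from this KB or from VMware), the script below parses the JIT entries in tokenservice.log and lists users who were provisioned with empty groupNames and groupIds, which is the signature of a misconfigured Group claim rule. The log sample is constructed, and the populated group values in it are assumed formats, not a real capture.

```python
import re

# Constructed sample of tokenservice.log JIT entries (not a real capture).
# The second entry shows what a user with a working Group claim might look like.
SAMPLE_LOG = """\
2024-01-01T10:00:00 INFO tokenservice[63:tomcat-http--25] [CorId=c1 OpId=o1] [com.vmware.vcenter.tokenservice.jit.JitJwt] JITing user: alice@corp.example.com, spec: CreateSpec (com.vmware.vcenter.identity.foreign_security_principals.create_spec) => {
    identityProviderId = 11111111-1111-1111-1111-111111111111,
    name = alice@corp.example.com,
    domain = corp.example.com,
    groupNames = [],
    groupIds = []
}
2024-01-01T10:05:00 INFO tokenservice[63:tomcat-http--26] [CorId=c2 OpId=o2] [com.vmware.vcenter.tokenservice.jit.JitJwt] JITing user: bob@corp.example.com, spec: CreateSpec (com.vmware.vcenter.identity.foreign_security_principals.create_spec) => {
    identityProviderId = 11111111-1111-1111-1111-111111111111,
    name = bob@corp.example.com,
    domain = corp.example.com,
    groupNames = [corp.example.com\\vCenterAdmins],
    groupIds = [S-1-5-21-1-2-3-1105]
}
"""

# One JIT event: the user being provisioned and the CreateSpec body between "{" and "}".
JIT_RE = re.compile(r"JITing user: (?P<user>\S+), spec: CreateSpec .*?=> \{(?P<body>.*?)\n\}", re.DOTALL)
# One "key = value" line inside the CreateSpec body (trailing comma optional).
FIELD_RE = re.compile(r"^\s*(?P<key>\w+) = (?P<val>.*?),?$", re.MULTILINE)


def parse_list(val):
    """Turn '[a, b]' into ['a', 'b']; '[]' becomes []."""
    inner = val.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return [item.strip() for item in inner.split(",") if item.strip()]


def parse_jit_events(text):
    """Extract user, domain and group fields from every JIT entry in the log text."""
    text = text.replace("\\n", "\n")  # tolerate copies where newlines appear as literal \n
    events = []
    for m in JIT_RE.finditer(text):
        fields = {f.group("key"): f.group("val") for f in FIELD_RE.finditer(m.group("body"))}
        events.append({
            "user": m.group("user"),
            "domain": fields.get("domain", ""),
            "groupNames": parse_list(fields.get("groupNames", "[]")),
            "groupIds": parse_list(fields.get("groupIds", "[]")),
        })
    return events


def find_groupless_jit(text):
    """Users JIT-provisioned with no group claim at all: the sign of a broken Group claim rule."""
    return [e["user"] for e in parse_jit_events(text) if not e["groupNames"] and not e["groupIds"]]


if __name__ == "__main__":
    for user in find_groupless_jit(SAMPLE_LOG):
        print(f"no group claim received for {user}: check the ADFS Group claim rule")
```

Run it against a copy of the real log (for example `parse_jit_events(open(path).read())`) after the claim rule is corrected; a fresh login should then show non-empty groupNames for the affected users.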

Environment

  • VMware vCenter Server 7.0.x
  • VMware vCenter Server 8.0.x

Cause

This issue occurs when the Group claim rule on ADFS is misconfigured, so the token issued to vCenter carries no usable group claim and the user is provisioned without any group membership.

Resolution

Configure the Group Claim rule on the ADFS to match Step 4 of the Resolution from this KB: How to enable OpenID Connect in ADFS 2016 for vCenter Server.

  1. Group Rule
    1. Click Add Rule
    2. Under Claim rule template, select the option Send LDAP Attributes as Claims and click Next
    3. Enter a name for the claim rule such as AD Group With Qualified Long Name
    4. Under Attribute store, select Active Directory
    5. In the mapping table on the first row, under the LDAP Attribute column, select the Token-Groups - Qualified by Long Domain Name option
    6. In the mapping table on the same row, under the Outgoing Claim Type column, select the Group option and click Finish