ADFS User login failed with error "[400] unable to authenticate"
Article ID: 405519

Products

VMware vCenter Server

Issue/Introduction

  • ADFS user logins fail with the error "[400] unable to authenticate" in the vSphere Client (vCenter GUI).

  • The error messages listed under Cause appear in the vSphere UI log on the vCenter Server.

Environment

VMware vCenter Server 7.0.x

Cause

  • The ADFS application group is configured incorrectly: the client identifier and client secret configured in vCenter do not match the ones in the ADFS application group. ADFS then rejects the authorization-code token exchange with HTTP 400 invalid_client (MSIS9622).
  • The following errors are logged in /var/log/vmware/vsphere-ui/logs/vsphere-client-virgo.log:
    • [YYYY-MM-DD HH:MM:SS] [ERROR] http-nio-5090-exec-3 70001546 100073 ###### com.vmware.skyscraper.oauth2.common.Oauth2Helper Exception while exchanging token with csp with for code <AUTH_CODE> <TOKEN_STRING> and state <STATE_ID>.
      Csp responded with status 400 BAD_REQUEST and body  {"error":"invalid_client","error_description":"MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid."}

      [YYYY-MM-DD HH:MM:SS] [ERROR] http-nio-5090-exec-3 70001546 100073 ###### c.v.vsphere.client.security.oauth2.Oauth2CodeResponseHandler Oauth2 Authorization code assertion failed java.lang.RuntimeException: Generating Authorization Token has an exception
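The following PowerShell snippet is an added example, not part of this KB article. It scans vsphere-client-virgo.log entries for the Oauth2Helper token-exchange failure, parses the HTTP status and the JSON body returned by ADFS, and tells the client-credential mismatch described above (status 400, error invalid_client, MSIS9622) apart from other token-exchange failures. The log lines embedded in it are constructed samples; the function name Get-VcOidcFailure is an assumption of this example.

```powershell
# Added example (not from the KB): classify OIDC token-exchange failures found in
# vsphere-client-virgo.log. Copy the log off the vCenter Server Appliance first.
function Get-VcOidcFailure {
    param([Parameter(Mandatory)][string[]]$LogLines)

    # Matches the "Csp responded with status <code> <reason> and body {json}" tail
    # of the Oauth2Helper error line shown in the Cause section.
    $pattern = 'Csp responded with status (?<status>\d+) \S+ and body\s+(?<body>\{.*\})'

    foreach ($line in $LogLines) {
        if ($line -notmatch 'Oauth2Helper') { continue }
        if ($line -notmatch $pattern) { continue }

        $status = [int]$Matches.status
        $body   = $Matches.body | ConvertFrom-Json

        # Pull the MSIS error code (e.g. MSIS9622) from the description, if present.
        $msis = $null
        if ($body.error_description -match '^(MSIS\d+)') { $msis = $Matches[1] }

        $diagnosis = if ($status -eq 400 -and $body.error -eq 'invalid_client') {
            'Client ID / client secret mismatch between vCenter and the ADFS application group'
        } else {
            'Other token-exchange failure; review error_description'
        }

        [pscustomobject]@{
            Timestamp = ($line -replace '^\[([^\]]+)\].*', '$1')
            Status    = $status
            Error     = $body.error
            MsisCode  = $msis
            Diagnosis = $diagnosis
        }
    }
}

# Constructed sample log lines (timestamps, codes and the second body are made up).
$sampleLog = @'
[2024-01-01 10:00:00] [ERROR] http-nio-5090-exec-3 70001546 100073 ###### com.vmware.skyscraper.oauth2.common.Oauth2Helper Exception while exchanging token with csp with for code <AUTH_CODE> <TOKEN_STRING> and state <STATE_ID>. Csp responded with status 400 BAD_REQUEST and body  {"error":"invalid_client","error_description":"MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid."}
[2024-01-01 10:05:00] [ERROR] http-nio-5090-exec-3 70001546 100073 ###### com.vmware.skyscraper.oauth2.common.Oauth2Helper Exception while exchanging token with csp with for code <AUTH_CODE> <TOKEN_STRING> and state <STATE_ID>. Csp responded with status 400 BAD_REQUEST and body  {"error":"invalid_grant","error_description":"MSISXXXX: constructed sample, not a real ADFS message"}
'@

# Against a real log: Get-VcOidcFailure -LogLines (Get-Content .\vsphere-client-virgo.log)
Get-VcOidcFailure -LogLines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

Only the first sample line is diagnosed as the mismatch this article covers; the second (invalid_grant) is reported separately so that an unrelated 400 from ADFS is not "fixed" by rotating a secret that was never wrong.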

Resolution

  • Check the client identifier and client secret configured in the ADFS application group, and update the vCenter ADFS configuration with the correct values:
    • Open ADFS Management Console:

      • Log in to the ADFS server.

      • Open AD FS Management

    • Locate the Relying Party Trust / Application Group:

      • In the left panel, expand ADFS → Application Groups.

      • Find the application group configured for vCenter (VMware Identity Provider/OIDC).

    • Open Application Group Properties:

      • Right-click the application group associated with vCenter → Properties.

    • Check the Client Identifier:

      • Under the Web API or Native application section, select the client associated with vCenter.

      • Copy the Client Identifier (Client ID).

      • This value must match the client ID configured in vCenter SSO.

    • Check or Reset the Client Secret:

      • If you suspect the client secret is invalid/expired:

        • Select the client entry → click Edit.

        • Click Generate Shared Secret.

        • Copy and save the new Client Secret (Key) securely.

    • Log in to vCenter Server:

      1. Open vSphere Client.

      2. Log in using the vCenter Administrator@<sso/vsphere>.local account.

      3. Navigate to Identity Provider Settings:

        • Go to Administration → Single Sign-On → Configuration.

        • Select Identity Provider (OIDC) or External Identity Source (ADFS).

      4. Edit the OIDC Configuration:

        • Click Edit Identity Provider.

        • Confirm that the Issuer URL points to your ADFS endpoint (e.g., https://<adfs-fqdn>/adfs).

      5. Update Client ID and Secret:

        • Enter the Client Identifier from ADFS.

        • Enter the Client Secret generated in ADFS.

        • Save changes.
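The following PowerShell is an added example, not part of this KB article, for the ADFS side of the procedure above. It runs on the ADFS server with the ADFS module and lists the server application (the confidential OIDC client with a client ID and secret) that belongs to the vCenter application group, so the Identifier can be compared with the Client ID entered in vCenter without clicking through the console. The application group name is a placeholder, and the optional secret rotation assumes that Set-AdfsServerApplication -GenerateClientSecret -PassThru returns the new secret in the ClientSecret property.

```powershell
# Added example (not from the KB): run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$groupName = '<vCenter application group name>'   # placeholder: the group shown under AD FS > Application Groups

$group = Get-AdfsApplicationGroup -Name $groupName
if (-not $group) { throw "Application group '$groupName' not found" }

# Server applications hold the client identifier + client secret that vCenter presents to ADFS.
$client = Get-AdfsServerApplication -ApplicationGroupIdentifier $group.ApplicationGroupIdentifier
if (-not $client) { throw "No server application found in application group '$groupName'" }

# Identifier must equal the Client Identifier configured in vCenter (step 5 above).
# RedirectUri must contain vCenter's redirect URI; a mismatch there is a different failure than MSIS9622.
$client | Select-Object Name, Identifier, RedirectUri, ApplicationGroupIdentifier | Format-List

# Rotate the secret only when you can update vCenter immediately afterwards:
# the previous secret stops working as soon as a new one is generated.
$rotateSecret = $false
if ($rotateSecret) {
    # Assumption: -PassThru returns the updated object with the new secret in .ClientSecret.
    $updated = Set-AdfsServerApplication -TargetIdentifier $client.Identifier -GenerateClientSecret -PassThru
    Write-Host "New client secret (shown once; store it securely and enter it in vCenter): $($updated.ClientSecret)"
}
```

Comparing the listed Identifier with the value in vCenter's identity provider settings confirms or rules out the mismatch before anything is regenerated; rotating the secret without updating vCenter reproduces the same MSIS9622 failure.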


If the above does not resolve the issue, reconfigure ADFS in vCenter.