After vCenter upgrade from 7.x to 8.x, ADFS user logins fail via PowerCLI and API calls when the ADFS Identity Provider is reconfigured on vCenter



Article ID: 407160


Products

VMware SDDC Manager, VMware vCenter Server 8.0

Issue/Introduction

After upgrading vCenter from 7.x to 8.x and then changing the ADFS configuration (for example rotating the client secret or renewing a certificate), users defined under the old Active Directory identity source can no longer log in with a username and password through PowerCLI or API calls to vCenter when ADFS MFA is enabled.

Environment

VMware vCenter 8.x

Cause

This is caused by a change in how existing identity sources are handled when an external identity provider is configured on vCenter.

In 7.x, when an external identity provider (ADFS) is configured on vCenter, the existing identity sources (AD over LDAPS) are kept intact in the backend. This preserves the group memberships that were already configured on vCenter.

For context, vCenter represents users and groups from legacy identity sources such as AD over LDAPS by the principal's SID, the user's or group's security identifier in AD. With ADFS, the principal is instead represented by its UPN (username@domain). To spare users from recreating all of their local group memberships on vCenter after moving to ADFS, vCenter keeps the AD over LDAPS identity source so that it can still resolve those SIDs.

In 8.0, vCenter automatically converts those SID-based group memberships to UPN-based ones, so it no longer needs the old identity source in order to preserve group memberships after the move to an external identity provider such as ADFS. As a result, configuring an identity provider on an 8.0 vCenter performs a full replacement: every identity source already configured on the vCenter is replaced by the identity provider being added.

Resolution

It is by design that 7.0 preserves the old identity sources while 8.0 replaces them entirely when an external identity provider is configured. This is desirable because leaving the old identity sources intact in the backend can open unintended security holes: such a source is a second, password-only login path that does not pass through the identity provider.

To keep username/password logins working for PowerCLI and for API-based scripts, use sso-config.sh on the appliance CLI to add the old AD over LDAPS identity source back. This must be repeated every time ADFS is reconfigured on vCenter, because each reconfiguration replaces the identity sources again. Be aware that the re-added source restores exactly the path that 8.0 removes by design: accounts that log in through it authenticate directly against AD, not through ADFS and its MFA.

Before making any changes to the vCenter, take a backup of the vCenter as well as a snapshot (if the vCenter is part of an Enhanced Linked Mode cluster, take a powered-off snapshot of all ELM nodes).

  1. Log in to the vCenter appliance over SSH as the 'root' user.
  2. Change to the directory that contains the sso-config.sh script:
    • cd /opt/vmware/bin
  3. Add AD over LDAP back as an identity source with the following command, replacing the DNs, domain, alias, bind account and URL with your own:
    • sso-config.sh -add_identity_source -type adldap -baseUserDN "CN=Users,DC=domain,DC=example" -baseGroupDN "CN=Groups,DC=domain,DC=example" -domain "domain.example" -alias "DOMAIN" -username "CN=Administrator,CN=Users,DC=domain,DC=example" -password 'password' -primaryURL "ldap://dc.domain.example:389"
    Note that the example uses plain LDAP on port 389; for AD over LDAPS use an ldaps URL on port 636 and make sure vCenter trusts the domain controller's certificate. The bind password is passed on the command line, so it is recorded in the shell history and visible in the process list while the command runs; clear it from the history afterwards.
  4. Verify the fix by logging in from PowerCLI with a username and password from the re-added source.
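The steps above, wrapped as a re-runnable script for the vCenter appliance. This is an added example, not VMware's own tooling: it assumes the sso-config.sh path and -add_identity_source options shown in this article, that "sso-config.sh -get_identity_sources" lists the configured sources and names each one's domain (the exact listing format is an assumption), and the sample DNs, domain, alias and URL from the article's command. It skips the add when the domain is already listed, prompts for the bind password instead of taking it on the command line, and re-lists the sources afterwards as the check.

```shell
#!/bin/sh
# Re-add the AD over LDAP identity source on a vCenter 8.x appliance after an
# ADFS reconfiguration. Added example, not VMware's own script. Assumes the
# sso-config.sh path and -add_identity_source options from the article, and
# that "sso-config.sh -get_identity_sources" prints a listing naming each
# source's domain (listing format is an assumption).
set -eu

SSO_CONFIG="${SSO_CONFIG:-/opt/vmware/bin/sso-config.sh}"

# Values from the article's example command; override via the environment.
AD_DOMAIN="${AD_DOMAIN:-domain.example}"
AD_ALIAS="${AD_ALIAS:-DOMAIN}"
AD_BASE_DN="${AD_BASE_DN:-DC=domain,DC=example}"
AD_BIND_USER="${AD_BIND_USER:-CN=Administrator,CN=Users,DC=domain,DC=example}"
AD_URL="${AD_URL:-ldap://dc.domain.example:389}"

# identity_source_listed LISTING DOMAIN: true if DOMAIN appears (fixed string,
# case-insensitive) in the -get_identity_sources output passed as LISTING.
identity_source_listed() {
    printf '%s\n' "$1" | grep -Fqi -- "$2"
}

# add_ad_ldap_source DOMAIN ALIAS BASE_DN BIND_USER URL PASSWORD
# Runs the article's -add_identity_source command with the same option order.
add_ad_ldap_source() {
    "$SSO_CONFIG" -add_identity_source -type adldap \
        -baseUserDN "CN=Users,$3" -baseGroupDN "CN=Groups,$3" \
        -domain "$1" -alias "$2" -username "$4" -password "$6" -primaryURL "$5"
}

# read_secret PROMPT: read one line from the terminal with echo off, so the
# bind password does not land in the shell history as it would when typed inline.
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo
    trap 'stty echo' EXIT
    IFS= read -r secret
    stty echo
    trap - EXIT
    echo >&2
    printf '%s' "$secret"
}

main() {
    listing=$("$SSO_CONFIG" -get_identity_sources)
    if identity_source_listed "$listing" "$AD_DOMAIN"; then
        echo "identity source for $AD_DOMAIN already present; nothing to do"
        return 0
    fi
    pw=$(read_secret "Bind password for $AD_BIND_USER")
    add_ad_ldap_source "$AD_DOMAIN" "$AD_ALIAS" "$AD_BASE_DN" "$AD_BIND_USER" "$AD_URL" "$pw"
    # Check: the source must show up in the listing after the add.
    listing=$("$SSO_CONFIG" -get_identity_sources)
    identity_source_listed "$listing" "$AD_DOMAIN" ||
        { echo "$AD_DOMAIN still not listed after add; check the sso-config output" >&2; return 1; }
    echo "identity source for $AD_DOMAIN re-added; now verify a PowerCLI username/password login"
}

# Run only on a host that has sso-config.sh; elsewhere just define the functions.
if [ -x "$SSO_CONFIG" ]; then
    main "$@"
else
    echo "$SSO_CONFIG not found: run this on the vCenter appliance" >&2
fi
```

Run it as root on the appliance after every ADFS reconfiguration; because it checks the listing first, running it when the source is still present is harmless. The password is still passed to sso-config.sh as an argument (the script has no other option), so it is briefly visible in the process list, but it never reaches the shell history.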