3rd Party Backup applications are failing to connect to the vCenter after configuring their accounts through EntraID

Article ID: 407722


Products

VMware vCenter Server

Issue/Introduction

  • 3rd party APIs and backup solutions fail to connect to vCenter after their user accounts are configured with EntraID as the identity source.
  • User logins may fail if the EntraID setup requires MFA or other authorizations.
  • On the vCenter, /storage/log/vmware/vc-ws1a-broker/accesscontrol-service.log records the following:

2025-06-27T13:57:19,150 ERROR vCenterFQDN.domain:accesscontrol (ForkJoinPool-5-worker-2) [CUSTOMER;-;127.0.0. #######-####-####-####-##########; #######-####-####-####-##########;password] com.vmware.vidm.accesscontrol.tokengranter.password.FederationPasswordTokenGranter - FAILURE: Call to Federation failed with status FAILURE and message invalid_grant: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'. Trace ID: #######-####-####-####-################ Correlation ID: #######-####-####-####-########## Timestamp: 2025-06-27 13:57:19Z
2025-06-27T13:57:19,150 WARN  user.domain.com:accesscontrol (ForkJoinPool-5-worker-2) [CUSTOMER;-;127.0.0.#######-####-####-####-##########;-; #######-####-####-####-##########;password] com.vmware.vidm.accesscontrol.resource.auth.TokenResource - Failed during issuing token java.util.concurrent.CompletionException: com.vmware.vidm.accesscontrol.exceptions.oauth2.InvalidGrantException: invalid.user.or.password
        at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(Unknown Source)
        at java.base/java.util.concurrent.CompletableFuture.completeThrowable(Unknown Source)
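The two log lines above are the whole story of one failed login: the FederationPasswordTokenGranter ERROR carries the real reason (AADSTS50076, the tenant demands MFA), while the TokenResource WARN that follows on the same worker thread is what the caller ends up seeing, a generic invalid.user.or.password. The Python below is an added example, not part of this KB or of vCenter, that parses accesscontrol-service.log lines in this format and pairs each token-issuing failure with the federation error on the same thread, so an operator can tell MFA-blocked service accounts apart from plain bad passwords. The sample log is constructed (host name, IDs and the third event are placeholders); treating AADSTS50074 and AADSTS50079, the neighbouring strong-authentication codes in Microsoft's published list, the same way as 50076 is this example's own generalization.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the accesscontrol-service.log excerpt above. Host name,
# IDs and the third event are placeholders written for this example, not real vCenter output.
SAMPLE_LOG = """\
2025-06-27T13:57:19,150 ERROR vc01.example.test:accesscontrol (ForkJoinPool-5-worker-2) [CUSTOMER;-;127.0.0.1;aaaaaaaa-0000-0000-0000-000000000001;bbbbbbbb-0000-0000-0000-000000000002;password] com.vmware.vidm.accesscontrol.tokengranter.password.FederationPasswordTokenGranter - FAILURE: Call to Federation failed with status FAILURE and message invalid_grant: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'. Trace ID: cccccccc-0000-0000-0000-000000000003 Correlation ID: dddddddd-0000-0000-0000-000000000004 Timestamp: 2025-06-27 13:57:19Z
2025-06-27T13:57:19,150 WARN  vc01.example.test:accesscontrol (ForkJoinPool-5-worker-2) [CUSTOMER;-;127.0.0.1;aaaaaaaa-0000-0000-0000-000000000001;-;bbbbbbbb-0000-0000-0000-000000000002;password] com.vmware.vidm.accesscontrol.resource.auth.TokenResource - Failed during issuing token java.util.concurrent.CompletionException: com.vmware.vidm.accesscontrol.exceptions.oauth2.InvalidGrantException: invalid.user.or.password
        at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(Unknown Source)
        at java.base/java.util.concurrent.CompletableFuture.completeThrowable(Unknown Source)
2025-06-27T14:10:02,417 WARN  vc01.example.test:accesscontrol (ForkJoinPool-5-worker-4) [CUSTOMER;-;127.0.0.1;eeeeeeee-0000-0000-0000-000000000005;-;ffffffff-0000-0000-0000-000000000006;password] com.vmware.vidm.accesscontrol.resource.auth.TokenResource - Failed during issuing token java.util.concurrent.CompletionException: com.vmware.vidm.accesscontrol.exceptions.oauth2.InvalidGrantException: invalid.user.or.password
"""

# One log event: timestamp, level, host, worker thread, bracketed context, logger class, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+(?P<host>[^\s:]+):accesscontrol "
    r"\((?P<thread>[^)]*)\) \[(?P<ctx>[^\]]*)\] (?P<cls>\S+) - (?P<msg>.*)$"
)
AADSTS_RE = re.compile(r"\bAADSTS(\d{5})\b")

# 50076 is the code in the KB excerpt; 50074 and 50079 are the neighbouring
# strong-authentication codes from Microsoft's list (assumption: handled the same way).
MFA_REQUIRED_CODES = {"50074", "50076", "50079"}


@dataclass
class Event:
    ts: str
    level: str
    thread: str
    ctx: str
    cls: str
    msg: str
    aadsts: Optional[str]  # five-digit Entra ID error code, if the message carries one


@dataclass
class TokenFailure:
    ts: str
    thread: str
    ctx: str
    client_facing: str  # the error the caller receives
    root_cause: str     # what the federation hop actually reported, if anything


def parse_events(text: str) -> List[Event]:
    """Parse event lines; stack-trace continuation lines do not match and are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code = AADSTS_RE.search(m["msg"])
        events.append(Event(m["ts"], m["level"], m["thread"], m["ctx"], m["cls"],
                            m["msg"], code.group(1) if code else None))
    return events


def correlate_failures(events: List[Event]) -> List[TokenFailure]:
    """Pair each 'Failed during issuing token' with the federation error on the same thread."""
    last_federation: Dict[str, Event] = {}
    failures: List[TokenFailure] = []
    for ev in events:
        if ev.cls.endswith("FederationPasswordTokenGranter") and "FAILURE" in ev.msg:
            last_federation[ev.thread] = ev
        elif ev.cls.endswith("TokenResource") and "Failed during issuing token" in ev.msg:
            fed = last_federation.pop(ev.thread, None)
            client_facing = ev.msg.rsplit(": ", 1)[-1]  # e.g. invalid.user.or.password
            if fed is None:
                root = "no federation error on this thread (not an MFA case on this evidence)"
            elif fed.aadsts in MFA_REQUIRED_CODES:
                root = f"AADSTS{fed.aadsts}: identity source requires MFA, which a password grant cannot satisfy"
            else:
                root = "federation failure" + (f" AADSTS{fed.aadsts}" if fed.aadsts else "")
            failures.append(TokenFailure(ev.ts, ev.thread, ev.ctx, client_facing, root))
    return failures


def mfa_blocked_contexts(failures: List[TokenFailure]) -> Counter:
    """Count, per bracketed context, the logins that failed only because MFA was demanded."""
    return Counter(f.ctx for f in failures if f.root_cause.startswith("AADSTS"))


if __name__ == "__main__":
    for f in correlate_failures(parse_events(SAMPLE_LOG)):
        print(f"{f.ts} {f.thread}: client saw '{f.client_facing}'; cause: {f.root_cause}")
```

Run against a real copy of the log, the contexts reported by mfa_blocked_contexts are the accounts to move into the local SSO domain as the Resolution section describes; a failure with no paired federation error needs a different explanation and should not be lumped in with the MFA cases.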

Environment

  • VMware vCenter Server 7.x
  • VMware vCenter Server 8.x

Cause

The Managed Object Browser (MOB) supports only basic authentication. A generalized workflow of its authentication:

  1. Extract the username and password from the Authorization HTTP header.
  2. Delegate the username and password to the common VPXD username-and-password login code, which then calls Single Sign-On (SSO).
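Step 1 above is ordinary HTTP Basic authentication (RFC 7617). The parser below is an added illustration, not part of this KB or of vCenter's code, of what that step yields: after base64 decoding and a split at the first colon, all the MOB holds is a static username and password. The header has no field for a second factor or for a token issued after an MFA challenge, and any other scheme is rejected, which is why step 2 can only hand a password to SSO. The service-account name used in the usage line is constructed.

```python
import base64
import binascii
from typing import Optional, Tuple


def parse_basic_authorization(header: Optional[str]) -> Tuple[Optional[Tuple[str, str]], str]:
    """Return ((user, password), "ok") or (None, reason) for an Authorization header value.

    Basic scheme per RFC 7617: base64 of "user:password". The split is at the FIRST colon
    because the password may itself contain colons; the user-id may not. Only the Basic
    scheme is accepted, mirroring the MOB, so a Bearer token is refused outright.
    """
    if header is None:
        return None, "no Authorization header"
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None, f"unsupported scheme '{scheme}' (Basic only)"
    try:
        # validate=True rejects characters outside the base64 alphabet instead of skipping them.
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None, "credentials are not valid base64"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None, "credentials are not UTF-8"
    user, sep, password = text.partition(":")
    if not sep:
        return None, "missing ':' between user and password"
    if not user:
        return None, "empty user-id"
    return (user, password), "ok"


def make_basic_header(user: str, password: str) -> str:
    """Build the header value a Basic-auth client sends (used here to exercise the parser)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    # Constructed service-account name; the local SSO domain is where the KB says such accounts belong.
    hdr = make_basic_header("svc-backup@vsphere.local", "p:ss:w0rd")
    print(parse_basic_authorization(hdr))
    print(parse_basic_authorization("Bearer eyJhbGciOiJSUzI1NiJ9.e30.sig"))
```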

Resolution

At this time, the MOB does not function with MFA: the basic-authentication flow above passes only a username and password to SSO, so an identity source that enforces MFA rejects the request and the login fails.

If a 3rd party application or API needs MOB access to function, set up the administrator users it authenticates with as local vCenter users within the local vCenter SSO domain. To create a new local administrator user for vCenter, see Managing Local User Accounts in vCenter Server.