vCenter Login Fails via PingFederate Federation with “Access Denied: Unable to Authenticate the User”
Article ID: 408234

Products

VMware vCenter Server

Issue/Introduction

Attempts to log in to vCenter Server through a PingFederate federation setup may fail with the following error:
Access Denied. Unable to Authenticate the User

The login failure occurs during the OIDC authentication flow between vCenter and PingFederate, preventing users from being authorized.

Symptoms

  • Error in UI:
    • User login attempt fails with Access Denied.

    • UI displays Access Denied. Unable to Authenticate the User

  • Federation logs (/var/log/vmware/vc-ws1a-broker/federation-service.log):
    • JWKs skipped due to mismatched key usage:

      YYYY-MM-DDTHH:MM:SS WARN  <vc_fqdn>:federation (vert.x-eventloop-thread-0) [-;-;-;-;-;-] io.vertx.ext.auth.impl.jose.JWT - JWK skipped: use: sig != enc
      YYYY-MM-DDTHH:MM:SS WARN  <vc_fqdn>:federation (vert.x-eventloop-thread-0) [-;-;-;-;-;-] io.vertx.ext.auth.impl.jose.JWT - JWK skipped: use: sig != enc

    • Authorize request fails with error access_denied:Authentication failed:

      YYYY-MM-DDTHH:MM:SS ERROR <vc_fqdn>:federation (federation-business-pool-0) [CUSTOMER;-;<ip_address>;b7bc44d4-9446-4c28-a927-############;-;02469bd2-8bf4-4e16-9364-############] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator - Authorize request failed with error access_denied
      YYYY-MM-DDTHH:MM:SS WARN  <vc_fqdn>:federation (federation-business-pool-0) [CUSTOMER;-;<ip_address>;b7bc44d4-9446-4c28-a927-############;-;02469bd2-8bf4-4e16-############] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator - Exception occurred while retrieving oidc tokens com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationException: Authorize request failed with error access_denied:Authentication failed.
      at com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticator.lambda$validateAuthorizeResponseAndGetCode$17(OidcAuthenticator.java:255)
      at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(Unknown Source)
      at java.base/java.util.concurrent.CompletableFuture$Completion.run(Unknown Source)
      at com.vmware.vidm.common.async.ContextPassingExecutor.lambda$wrap$0(ContextPassingExecutor.java:48)
      at io.micrometer.core.instrument.internal.TimedRunnable.run(TimedRunnable.java:49)
      at java.base/java.util.concurrent.ForkJoinTask$RunnableExecuteAction.exec(Unknown Source)
      at java.base/java.util.concurrent.ForkJoinTask.doExec(Unknown Source)
      at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(Unknown Source)
      at java.base/java.util.concurrent.ForkJoinPool.scan(Unknown Source)
      at java.base/java.util.concurrent.ForkJoinPool.runWorker(Unknown Source)
      at java.base/java.util.concurrent.ForkJoinWorkerThread.run(Unknown Source)

Environment

  • vCenter Server 8.x

  • vCenter configured with Identity Federation using PingFederate

  • Federation handled by vc-ws1a-broker service

Cause

  • The vc-ws1a-broker service relies on a Java keystore to validate certificates.

  • If the PingFederate server’s signing certificate chain is missing from the keystore, federation requests cannot be validated.

  • This leads to OIDC token validation failure and results in the access_denied error.

Resolution

To resolve the issue, import the PingFederate certificate chain into the Java keystore used by the vc-ws1a-broker service:

  1. Locate the JRE used by vc-ws1a-broker:
    /storage/containers/vc-ws1a-broker/<container-hash>/rootfs/usr/local/jre-<version>/

  2. Export the path to use the correct keytool binary:
    export PATH=/storage/containers/vc-ws1a-broker/<container-hash>/rootfs/usr/local/jre-<version>/bin:$PATH

  3. Verify the correct keytool is being used:
    which keytool

  4. Create the certificate chain (leaf + intermediate/signing certificates) for the PingFederate server.

  5. Import the certificate chain into the Java keystore:
    keytool -importcert -alias ping-dev -file <path-to-chain.crt> \
    -keystore /storage/containers/vc-ws1a-broker/<container-hash>/rootfs/usr/local/jre-<version>/lib/security/cacerts \
    -storepass changeit

  6. Restart the vc-ws1a-broker service:
    service-control --restart vc-ws1a-broker
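The following helper script is an added example, not part of this KB article or of vCenter itself. It wraps steps 4 and 5 above: it splits a PEM chain file into its individual certificates, backs up the broker JRE cacerts, imports each certificate under its own alias (so a missing intermediate is visible in keytool -list rather than silently absent), and refuses a file that holds only one certificate. The keystore path, the changeit password and the ping-dev alias prefix are taken from the article; the container hash and JRE version are placeholders to be substituted by the operator.

```shell
# Added example (not from the KB): import every certificate of a PEM chain into
# the vc-ws1a-broker JRE cacerts so the full leaf + intermediate + root set is present.

# Count the certificates in a PEM file (pure shell, no keytool needed).
pem_cert_count() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Write certificate N (1-based) of a PEM file to stdout, BEGIN through END line.
pem_cert_extract() {
  awk -v n="$2" '
    /^-----BEGIN CERTIFICATE-----/ { i++ }
    i == n { print }
    /^-----END CERTIFICATE-----/ { if (i == n) exit }' "$1"
}

# import_chain CHAIN.crt KEYSTORE ALIAS_PREFIX
# Imports each certificate as ALIAS_PREFIX-1, ALIAS_PREFIX-2, ... and lists them.
import_chain() {
  chain="$1"; keystore="$2"; prefix="$3"
  count=$(pem_cert_count "$chain")
  if [ "$count" -lt 2 ]; then
    echo "chain file has $count certificate(s); expected leaf plus issuer(s)" >&2
    return 1
  fi
  cp "$keystore" "$keystore.bak.$(date +%s)"      # restorable copy of cacerts
  i=1
  while [ "$i" -le "$count" ]; do
    pem_cert_extract "$chain" "$i" > "/tmp/$prefix-$i.crt"
    keytool -importcert -noprompt -alias "$prefix-$i" -file "/tmp/$prefix-$i.crt" \
      -keystore "$keystore" -storepass changeit || return 1
    i=$((i + 1))
  done
  # Show what landed in the keystore; every link of the chain should be listed.
  keytool -list -keystore "$keystore" -storepass changeit | grep "^$prefix-"
}

# Usage (placeholders assumed, substitute the real values from step 1):
#   export PATH=/storage/containers/vc-ws1a-broker/<container-hash>/rootfs/usr/local/jre-<version>/bin:$PATH
#   import_chain /tmp/pingfederate-chain.crt \
#     /storage/containers/vc-ws1a-broker/<container-hash>/rootfs/usr/local/jre-<version>/lib/security/cacerts \
#     ping-dev
```

Run it with the broker's own keytool on PATH (step 2) and restart vc-ws1a-broker afterwards (step 6); the /tmp copies of the individual certificates can be deleted once the import succeeds.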

Additional Information

  • Ensure the entire certificate chain (leaf + intermediate + root CA) is imported; otherwise, validation may still fail.

  • If the environment uses custom CA-signed certificates for PingFederate, verify that the chain is complete and valid.

  • For details on vCenter Identity Federation and supported IdPs, see:

  • If issues persist, open a case with Broadcom VMware Technical Support and provide:

    • Federation logs from /var/log/vmware/vc-ws1a-broker/federation-service.log

    • Details of the imported certificates