Login to vCenter Server with Entra ID User Fails with USER_NOT_FOUND

Article ID: 409564

Products

VMware vCenter Server
Issue/Introduction

When attempting to log in to vCenter Server 8.x with an Entra ID user, the login fails with the error USER_NOT_FOUND.

This issue can occur when a user is removed from, and later re-added to, an Entra ID group that is synced to vCenter via SCIM. SCIM provisioning appears to succeed, but the user cannot log in because the ExternalId stored in the vCenter Identity Database (VIDB) no longer matches the value Entra ID presents at login.

Error example in /var/log/vmware/vc-ws1a-broker/federation-service.log (the log lines below were wrapped in the original; each entry is a single line):

YYYY-MM-DDTHH:MM:SS INFO  <vc_fqdn>:federation (federation-business-pool-0) [CUSTOMER;-;<client_ip_address>;########-cbe2-42c4-bef3-############;-;########-d6da-4f6a-a626-############] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: ########-d6da-4f6a-a626-############ on attribute ExternalId=<user_external_id>, domains: [domain.com]
YYYY-MM-DDTHH:MM:SS WARN  <vc_fqdn>:federation (ForkJoinPool-2-worker-3542) [CUSTOMER;-;<client_ip_address>;########-cbe2-42c4-bef3-############;-;########-d6da-4f6a-a626-############] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId ########-f0eb-49d9-a318-############, nameIdFormat ExternalId, and domains [domain.com], user not found
YYYY-MM-DDTHH:MM:SS INFO  <vc_fqdn>:federation (federation-business-pool-0) [CUSTOMER;-;<client_ip_address>;########-cbe2-42c4-bef3-############;-;########-d6da-4f6a-a626-############] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: ########-d6da-4f6a-a626-############, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false
YYYY-MM-DDTHH:MM:SS INFO  <vc_fqdn>:federation (federation-business-pool-0) [CUSTOMER;-;<client_ip_address>;########-cbe2-42c4-bef3-############;-;########-d6da-4f6a-a626-############] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: USER_NOT_FOUND

The nameId in the WARN line is the ExternalId value that Entra ID sent for the user; it is the value to compare against what VIDB has stored.

Environment

  • vCenter Server 8.x

  • Microsoft Entra ID (Azure AD) configured with SCIM provisioning

  • OIDC Federation enabled for vCenter logins

Cause

  • When a user is removed from and then re-added to an Entra ID group:

    • Entra ID may send a new ExternalId for the same user.

    • VIDB treats ExternalId as immutable: it is the unique attribute in the SCIM flow, so a provisioning update cannot change it.

    • As a result, the old ExternalId remains stored in VIDB and is not updated, so the value Entra ID now sends no longer matches the stored one.

  • During login, vCenter queries VIDB using the ExternalId presented by Entra ID (the nameId in the WARN line above). If no entry with that ExternalId is found, login fails with USER_NOT_FOUND.

Resolution

1. Validate SCIM Provisioning

Confirm that the affected user is being pushed from Entra ID and provisioned successfully by following: How to enable Entra ID for vCenter Server

2. Export and Validate Users in VIDB

   Step 1: Get vCenter Session ID

   Base64-encode the SSO administrator credentials, then create an API session:

     echo -n '<vcenter_sso_user_name>:<vcenter_sso_user_password>' | base64
     curl -k --location --request POST 'https://<vc-fqdn>/api/session' --header 'Authorization: Basic <base64-encoded-value>'

   Note the vmware-api-session-id from the response.

   Step 2: Get VIDB Tenant Admin Token

     curl -k --location 'https://<vc-fqdn>/api/vcenter/identity/broker/tenants/customer/admin-client' --header 'vmware-api-session-id: <value from Step 1>'

   Copy the access_token returned. It is a tenant administrator credential for VIDB; do not paste it into support tickets.

   Step 3: List VIDB Users

     curl -k --location 'https://<vc-fqdn>/usergroup/t/CUSTOMER/scim/v2/Users/' --header 'Authorization: Bearer <access_token_from_step_2>' -o /storage/core/vidb_users.txt -s -w "\nHTTP Status: %{http_code}\n"

   The output path /storage/core/ exists on the vCenter Server Appliance; when running the command from another host, choose a local path. Expect HTTP Status 200. The file contains a SCIM list of users, one record per user; the stored ExternalId in each record is the value to compare with the nameId in federation-service.log.


3. Use SCIM APIs to Validate User Details

  • Get vCenter Session ID

     curl -k -X POST "https://<vc-fqdn>/rest/com/vmware/cis/session" -H "Content-Type: application/json" -H "Authorization: Basic $(echo -n '<vcenter_sso_user_name>:<vcenter_sso_user_password>' | base64)"

  • Get Tenant Admin Client Token

     curl -k -X GET "https://<vc-fqdn>/api/vcenter/identity/broker/tenants/customer/admin-client" -H "Content-Type: application/json" -H "vmware-api-session-id: <value from above>"

  • Search User

     curl -k -X POST "https://<vc-fqdn>/usergroup/t/CUSTOMER/scim/v2/Users/.search" -H "Content-Type: application/scim+json" -H "Authorization: Bearer <token from the above command>" \
     -d '{
           "attributes": [
             "emails",
             "urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:name",
             "name.familyName",
             "userName",
             "urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:domain",
             "groups"
           ],
           "filter": "userName eq \"<USERNAME>\" and domain eq \"<DOMAIN>\""
         }'

    To see the stored ExternalId in the response, add the SCIM core attribute externalId to the attributes list.

4. Compare the ExternalId stored in VIDB for the user with the nameId reported in the WARN line of federation-service.log. If the two values differ (an ExternalId mismatch), engage Broadcom Support for assistance; because VIDB treats ExternalId as immutable, re-running SCIM provisioning does not correct the stored value.
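The comparison in step 4 is easy to get wrong by eye when several users are affected. The following Python script is an added worked example for this KB, not VMware or Broadcom code: it pulls every failed nameId out of federation-service.log, looks the Object ID up in a userName-to-Object-ID map taken from Entra ID, and checks the matching record in the VIDB export from step 2. It assumes the export is a standard SCIM 2.0 ListResponse whose records carry the core externalId attribute and the ws1b domain extension shown in the search above. The log lines, export and Entra map embedded in it are constructed samples, not data from a real environment.

```python
"""Correlate USER_NOT_FOUND failures with the VIDB SCIM user export.

Added example for this KB; not VMware/Broadcom code. Assumes the export from
step 2 is a SCIM 2.0 ListResponse and that each user record carries the core
'externalId' attribute plus the ws1b domain extension used in the search above.
"""
import json
import re

# Pattern for the WARN line shown in the KB ("User fetching exception with
# nameId ..., nameIdFormat ExternalId, and domains [...]").
FETCH_FAIL_RE = re.compile(
    r"User fetching exception with nameId (?P<nameid>[0-9a-fA-F-]+), "
    r"nameIdFormat (?P<fmt>\w+), and domains \[(?P<domains>[^\]]*)\]"
)
DOMAIN_ATTR = "urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:domain"

# --- constructed sample data (not from a real environment) -------------------
SAMPLE_LOG = """\
2024-01-01T10:00:00 WARN  vc.lab.local:federation (ForkJoinPool-2-worker-1) [CUSTOMER;-;10.0.0.5;ctx-a;-;ctx-b] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId 11111111-f0eb-49d9-a318-222222222222, nameIdFormat ExternalId, and domains [domain.com], user not found
2024-01-01T10:00:00 INFO  vc.lab.local:federation (federation-business-pool-0) [CUSTOMER;-;10.0.0.5;ctx-a;-;ctx-b] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: USER_NOT_FOUND
2024-01-01T10:05:00 WARN  vc.lab.local:federation (ForkJoinPool-2-worker-2) [CUSTOMER;-;10.0.0.6;ctx-c;-;ctx-d] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId 55555555-f0eb-49d9-a318-555555555555, nameIdFormat ExternalId, and domains [domain.com], user not found
2024-01-01T10:06:00 WARN  vc.lab.local:federation (ForkJoinPool-2-worker-3) [CUSTOMER;-;10.0.0.7;ctx-e;-;ctx-f] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId 99999999-f0eb-49d9-a318-999999999999, nameIdFormat ExternalId, and domains [domain.com], user not found
"""

# Shape of /storage/core/vidb_users.txt from step 2 (constructed).
VIDB_EXPORT = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"id": "u-1", "userName": "jdoe", DOMAIN_ATTR: "domain.com",
         "externalId": "33333333-aaaa-4bbb-8ccc-333333333333"},   # stale value
        {"id": "u-2", "userName": "asmith", DOMAIN_ATTR: "domain.com",
         "externalId": "44444444-aaaa-4bbb-8ccc-444444444444"},
    ],
})

# userName -> Entra Object ID (e.g. from 'az ad user show --id <upn> --query id').
ENTRA_OBJECT_IDS = {
    "jdoe": "11111111-f0eb-49d9-a318-222222222222",
    "asmith": "44444444-aaaa-4bbb-8ccc-444444444444",
    "bwhite": "55555555-f0eb-49d9-a318-555555555555",
}


def failed_lookups(log_text):
    """Extract nameId, nameIdFormat and searched domains from every failed user fetch."""
    hits = []
    for line in log_text.splitlines():
        m = FETCH_FAIL_RE.search(line)
        if m:
            hits.append({
                "nameId": m["nameid"],
                "format": m["fmt"],
                "domains": [d.strip() for d in m["domains"].split(",") if d.strip()],
            })
    return hits


def index_vidb_users(scim_export_json):
    """Map lower-cased userName -> SCIM record from a ListResponse export."""
    data = json.loads(scim_export_json)
    return {u.get("userName", "").lower(): u for u in data.get("Resources", [])}


def diagnose(log_text, scim_export_json, entra_object_ids):
    """Classify each USER_NOT_FOUND lookup against the VIDB export and Entra."""
    vidb = index_vidb_users(scim_export_json)
    by_objid = {oid.lower(): name for name, oid in entra_object_ids.items()}
    results = []
    for hit in failed_lookups(log_text):
        nameid = hit["nameId"].lower()
        name = by_objid.get(nameid)
        if name is None:
            # Entra does not know this value as an Object ID: check which
            # attribute the SCIM app maps to ExternalId.
            results.append({**hit, "userName": None, "status": "unknown-in-entra"})
            continue
        rec = vidb.get(name.lower())
        if rec is None:
            # User never reached VIDB: go back to step 1 (provisioning).
            results.append({**hit, "userName": name, "status": "not-provisioned"})
            continue
        stored = (rec.get("externalId") or "").lower()
        domain = rec.get(DOMAIN_ATTR) or ""
        if stored != nameid:
            # The case this KB describes: VIDB still holds the old ExternalId.
            results.append({**hit, "userName": name, "status": "externalId-mismatch",
                            "vidbExternalId": rec.get("externalId")})
        elif hit["domains"] and domain.lower() not in [d.lower() for d in hit["domains"]]:
            results.append({**hit, "userName": name, "status": "domain-mismatch",
                            "vidbDomain": domain})
        else:
            results.append({**hit, "userName": name, "status": "externalId-matches"})
    return results


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG, VIDB_EXPORT, ENTRA_OBJECT_IDS):
        print(f"{r['nameId']}  {r['userName'] or '-':10} {r['status']}")
```

Run it against a real export by replacing the three constructed inputs with the contents of federation-service.log, vidb_users.txt and the Object IDs read from Entra ID. A result of externalId-mismatch is the condition described in the Cause section and is what to report to Broadcom Support; not-provisioned points back to step 1, and unknown-in-entra means the value Entra ID sends as ExternalId is not the Object ID at all.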

Additional Information

To prevent future mismatches, configure the Entra ID SCIM app to send the user's Object ID as the ExternalId attribute.

  • The Object ID stays the same for the lifetime of the user object, so it gives VIDB a stable ExternalId mapping even when group membership changes.

  • Microsoft reference: Add a SCIM attribute in Entra ID

  • Related VMware KB: How to enable Entra ID for vCenter Server

  • Always validate users and groups in VIDB with the SCIM APIs:

      • Get vCenter session ID

      • Retrieve Tenant Admin Token

      • List or search users

  • Best practice: Always use FQDNs for consistency in identity and provisioning workflows.