Login to vCenter Server with Entra ID user fails with USER_NOT_FOUND

Article ID: 409564

Products

VMware vCenter Server

Issue/Introduction

When attempting to log in to vCenter Server 8.x with an Entra ID user, login fails with the error USER_NOT_FOUND.

Error example in vCenter, from /var/log/vmware/vc-ws1a-broker/federation-service.log:

YYYY-MM-DDTHH:MM:SS INFO  <vc_fqdn>:federation (federation-business-pool-0) [CUSTOMER;-;<client_ip_address>;########-cbe2-42c4-bef3-############;-;########-d6da-4f6a-a626-############] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: ########-d6da-4f6a-a626-############ on attribute ExternalId=<user_external_id>, domains: [example.com]
YYYY-MM-DDTHH:MM:SS WARN  <vc_fqdn>:federation (ForkJoinPool-2-worker-3542) [CUSTOMER;-;<client_ip_address>;########-cbe2-42c4-bef3-############;-;########-d6da-4f6a-a626-############] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId ########-f0eb-49d9-a318-############, nameIdFormat ExternalId, and domains [example.com], user not found
YYYY-MM-DDTHH:MM:SS INFO  <vc_fqdn>:federation (federation-business-pool-0) [CUSTOMER;-;<client_ip_address>;########-cbe2-42c4-bef3-############;-;########-d6da-4f6a-a626-############] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: ########-d6da-4f6a-a626-############, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false
YYYY-MM-DDTHH:MM:SS INFO  <vc_fqdn>:federation (federation-business-pool-0) [CUSTOMER;-;<client_ip_address>;########-cbe2-42c4-bef3-############;-;########-d6da-4f6a-a626-############] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: USER_NOT_FOUND

Environment

  • vCenter Server 8.x

  • Microsoft Entra ID (Azure AD) configured with SCIM provisioning

  • OIDC Federation enabled for vCenter logins

Cause

This issue can occur if a user is removed from and later re-added to an Entra ID group that is synced with vCenter via SCIM. Even though SCIM provisioning appears successful, the user cannot log in because of an ExternalId mismatch in the vCenter Identity Database (VIDB).

  • When a user is removed from and re-added to an Entra ID group:

    • Entra ID may send a new ExternalId for the same user.

    • vCenter's VIDB treats ExternalId as immutable (it is the unique attribute in the SCIM flow).

    • As a result, the old ExternalId remains stored in VIDB and is not updated, so the stored value no longer matches the one Entra ID presents.

  • During login, vCenter queries VIDB using the ExternalId provided by Entra ID. If no matching entry is found, login fails with USER_NOT_FOUND.

Resolution

  1. Validate SCIM Provisioning

    Confirm that the affected user is being pushed from Entra ID and provisioned successfully by following the KB article How to enable Entra ID for vCenter Server.

  2. Export and Validate Users in VIDB

    1. Get vCenter Session ID

       Base64-encode the SSO credentials and use them to create an API session:

       echo -n '<vcenter_sso_user_name>:<vcenter_sso_user_password>' | base64
       curl -k --location --request POST 'https://<vc-fqdn>/api/session' --header 'Authorization: Basic <base64-encoded-value>'

       Note the vmware-api-session-id from the response.

    2. Get VIDB Tenant Admin Token

       curl -k --location 'https://<vc-fqdn>/api/vcenter/identity/broker/tenants/customer/admin-client' --header 'vmware-api-session-id: <value from Step 1>'

       Copy the access_token returned.

    3. List VIDB Users

       curl -k --location 'https://<vc-fqdn>/usergroup/t/CUSTOMER/scim/v2/Users/' --header 'Authorization: Bearer <access_token_from_step_2>' -o /storage/core/vidb_users.txt -s -w "\nHTTP Status: %{http_code}\n"

  3. Use SCIM APIs to Validate User Details

    1. Get vCenter Session ID

       curl -k -X POST "https://<vc-fqdn>/rest/com/vmware/cis/session" -H "Content-Type: application/json" -H "Authorization: Basic $(echo -n '<vcenter_sso_user_name>:<vcenter_sso_user_password>' | base64)"

    2. Get Tenant Admin Client Token

       curl -k -X GET "https://<vc-fqdn>/api/vcenter/identity/broker/tenants/customer/admin-client" -H "Content-Type: application/json" -H "vmware-api-session-id: <value from above>"

    3. Search User

       curl -k -X POST "https://<vc-fqdn>/usergroup/t/CUSTOMER/scim/v2/Users/.search" -H "Content-Type: application/scim+json" -H "Authorization: Bearer <token from the above command>" \
       -d '{
             "attributes": [
               "emails",
               "urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:name",
               "name.familyName",
               "userName",
               "urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:domain",
               "groups"
             ],
             "filter": "userName eq \"<USERNAME>\" and domain eq \"<DOMAIN>\""
           }'
  4. If an ExternalId mismatch is found, engage Broadcom Support for assistance.
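As an added example (not part of this KB article), the following Python script performs the comparison from steps 2 and 3 offline: it pulls the nameId that the broker could not resolve out of federation-service.log lines and checks it against the externalId values in a saved SCIM Users export such as /storage/core/vidb_users.txt, and it checks one user's stored externalId against the Object ID expected from Entra ID. The log lines, the ListResponse and all identifiers below are constructed samples, not values from a real environment.

```python
import json
import re

# Constructed sample: two federation-service.log lines in the format shown in the
# Issue section, with placeholder identifiers (not real object IDs or hosts).
SAMPLE_LOG = """\
2024-01-01T10:00:00 WARN  vc.example.com:federation (ForkJoinPool-2-worker-1) [CUSTOMER;-;10.0.0.5;ctx1;-;ctx2] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId 11111111-f0eb-49d9-a318-222222222222, nameIdFormat ExternalId, and domains [example.com], user not found
2024-01-01T10:00:01 INFO  vc.example.com:federation (federation-business-pool-0) [CUSTOMER;-;10.0.0.5;ctx1;-;ctx2] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: ctx2, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false
"""

# Constructed sample: a trimmed SCIM ListResponse like the one saved by the
# "List VIDB Users" step, reduced to the fields this check needs.
SAMPLE_VIDB_USERS = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"userName": "alice@example.com", "externalId": "33333333-f0eb-49d9-a318-444444444444"},
        {"userName": "bob@example.com", "externalId": "55555555-aaaa-4bbb-8ccc-666666666666"},
    ],
})

# Matches the WARN line written by AuthResponseUserResolver when the lookup fails.
NAMEID_RE = re.compile(
    r"User fetching exception with nameId (?P<nameid>[0-9a-fA-F-]+), "
    r"nameIdFormat ExternalId, and domains \[(?P<domain>[^\]]*)\], user not found"
)


def failed_login_nameids(log_text):
    """Return (nameId, domain) pairs that VIDB could not resolve, taken from the broker log."""
    return [(m.group("nameid"), m.group("domain")) for m in NAMEID_RE.finditer(log_text)]


def vidb_external_ids(list_response_json):
    """Map each externalId stored in VIDB to its userName, from a SCIM ListResponse export."""
    data = json.loads(list_response_json)
    return {u["externalId"]: u["userName"] for u in data.get("Resources", []) if "externalId" in u}


def unresolved_nameids(log_text, list_response_json):
    """nameIds presented at login that match no stored externalId: the mismatch from the Cause section."""
    stored = vidb_external_ids(list_response_json)
    return [(n, d) for n, d in failed_login_nameids(log_text) if n not in stored]


def external_id_matches(list_response_json, user_name, entra_object_id):
    """True when the externalId VIDB stores for user_name equals the Object ID Entra ID sends."""
    data = json.loads(list_response_json)
    for u in data.get("Resources", []):
        if u.get("userName", "").lower() == user_name.lower():
            return u.get("externalId") == entra_object_id
    return False
```

A non-empty result from unresolved_nameids, or False from external_id_matches for the affected user, is the ExternalId mismatch that step 4 tells you to raise with Broadcom Support.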

Additional Information

To prevent future mismatches, configure the Entra ID SCIM app to send the user's Object ID as an attribute.

  • Object ID is consistent for the user and ensures stable ExternalId mapping in VIDB.

  • Microsoft reference: Add a SCIM attribute in Entra ID

  • Related VMware KB: How to enable Entra ID for vCenter Server

  • Always validate users and groups in VIDB with the SCIM APIs:

    • Get vCenter session ID

    • Retrieve Tenant Admin Token

    • List or search users

  • Best practice: Always use FQDNs for consistency in identity and provisioning workflows.