Domain user authentication to the vCenter Server configured with an ADFS Identity Provider fails following the replacement of domain signing certificates

Article ID: 414883

Products

VMware vCenter Server

Issue/Introduction

After updating or replacing the domain signing certificates, users are unable to authenticate to the vCenter Server using domain credentials. The login attempt fails with an error message similar to the ones shown below:

  • “Invalid SAML token”
  • “AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application”
  • “Unable to authenticate user”

Environment

  • VMware vCenter Server 7.x
  • VMware vCenter Server 8.x

Cause

This issue occurs because vCenter relies on the ADFS token-signing certificate to validate the SAML tokens that ADFS issues for domain logins. When the domain signing certificate is renewed or replaced, the federation metadata changes, but vCenter's identity provider configuration still references the old certificate.

As a result, domain login attempts fail because the signature on the token no longer matches the certificate trusted by vCenter.

Resolution

To reconfigure the vCenter ADFS identity provider after replacing the domain signing certificate, begin by adding the new certificate to vCenter's trusted root store, followed by reconfiguring the ADFS identity provider configuration within the vSphere Client.

Step 1: Export the New ADFS Certificates

  • On the ADFS server, export the updated domain signing certificate along with its complete certificate chain, including the Root CA and any Intermediate CAs.

  • Ensure the certificates are saved in Base-64 encoded X.509 format with a .CER or .CRT file extension.

Step 2: Import Certificates into vCenter

  • Log in to the vSphere Client using an SSO administrator account.

  • Navigate to Home > Administration.

  • Under Single Sign-On, select Configuration.

  • Go to the Certificates tab.

  • Under Trusted Root Certificates, click Add.

  • Upload the exported ADFS certificate(s), including any intermediate and root CA certificates. You may combine them into a single file if needed.

  • Click Add to complete the import. The certificates will now appear in the trusted store.

Note: If the import task fails, the cause may be outdated domain signing certificates still present in vCenter's trusted root store. In that case, follow the instructions in the document below to remove the old certificates from the trusted store.

Guidance to remove the old/expired domain signing certificate.

Step 3: Reconfigure the ADFS Identity Provider Configuration

  • Access the vSphere Client again using an administrator account.

  • Navigate to Home > Administration.

  • Under Single Sign-On, go to Configuration > Identity Provider.

  • In the Configuration section, click the Change Provider button (top right).

  • Select Other Providers, then choose Embedded.

  • Reconfigure the ADFS Identity Provider using the newly created domain signing certificate, as outlined in the referenced documentation: Configuring ADFS identity provider

Log out of the vSphere Client, then log back in using an Active Directory account to verify that ADFS authentication is working properly with the newly installed domain signing certificates.
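An added check that is not part of this KB article: before and after Steps 1 and 2, confirm which token-signing certificates ADFS actually advertises in its federation metadata and whether each one is present in the certificates vCenter trusts. It assumes the metadata XML has already been fetched from the ADFS server (the FederationMetadata.xml document) and the trusted root certificates have been exported from vCenter as a Base-64 (PEM) bundle; the sample metadata and certificate bytes below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_certs_from_metadata(xml_text: str) -> list[bytes]:
    """DER of every cert the IdP advertises for token signing. A KeyDescriptor with no
    'use' covers both roles; during an ADFS rollover primary and secondary both appear."""
    root = ET.fromstring(xml_text)
    ders = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            ders.append(base64.b64decode("".join(cert.text.split())))
    return ders

def certs_from_pem(pem_text: str) -> list[bytes]:
    """DER of each certificate in a Base-64 (PEM) bundle, e.g. a vCenter trusted-root export."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def to_pem(der: bytes) -> str:
    """Base-64 encoded X.509 (.cer/.crt), the format Step 1 asks for."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def thumbprint(der: bytes) -> str:
    """SHA-256 over the DER bytes; compare thumbprints, not subject names (a renewed cert keeps its subject)."""
    return hashlib.sha256(der).hexdigest()

def check_trust(metadata_xml: str, trusted_pem: str) -> dict[str, bool]:
    """Map each advertised signing-cert thumbprint to whether vCenter's trusted set contains it."""
    trusted = {thumbprint(d) for d in certs_from_pem(trusted_pem)}
    return {thumbprint(d): thumbprint(d) in trusted for d in signing_certs_from_metadata(metadata_xml)}

# Constructed sample, not real certificates: placeholder bytes stand in for DER encodings.
NEW_DER, OLD_DER, ENC_DER = b"constructed-new-signing", b"constructed-old-signing", b"constructed-enc"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="http://adfs.example.test/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>{base64.b64encode(NEW_DER).decode()}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>{base64.b64encode(OLD_DER).decode()}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>{base64.b64encode(ENC_DER).decode()}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
 </IDPSSODescriptor></EntityDescriptor>"""
TRUSTED_PEM = to_pem(OLD_DER)  # vCenter's trusted store still holds only the old signing cert
REPORT = check_trust(SAMPLE_METADATA, TRUSTED_PEM)  # new cert -> False (import it in Step 2), old cert -> True
```

Any advertised signing certificate reported as untrusted is the one to export in Step 1 and import in Step 2; `to_pem` writes it in the required Base-64 format.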