Unable to log in to VCSA with a user ID using MS Entra ID after the user was moved to another department


Article ID: 416406


Products

VMware vCenter Server

Issue/Introduction

Microsoft Entra ID Authentication Fails with "Access denied. Unable to authenticate the user." 

From the VCSA logs

/var/log/vmware/vc-ws1a-broker/federation-service.log:

YYYY-MM-DDTHH:MM INFO  <VCSA-FQDN>:federation (federation-business-pool-0) [CUSTOMER;-;IP.xx.xx.xx;xxxxxxxx-0b28-4456-99bc-5676c7c1bc0a;-;xxxxxxx-e94d-43c8-ae11-d3305a9c60d7] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: xxxxxxx-e94d-43c8-ae11-d3305a9c60d7 on attribute ExternalId=82d7ff00-c53c-43fc-982c-da6b0ea005c0, domains: [xx.xx.xx,xx.xx.xx,xx.xx.xx,xx.xx.xx,xx.xx.xx]
YYYY-MM-DDTHH:MM:WARN  <VCSA-FQDN>:federation (ForkJoinPool-2-worker-5648) [CUSTOMER;-;IP.xx.xx.xx;xxxxxxxx-0b28-4456-99bc-5676c7c1bc0a;-;xxxxxxx-e94d-43c8-ae11-d3305a9c60d7] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId 82d7ff00-c53c-43fc-982c-da6b0ea005c0, nameIdFormat ExternalId, and domains [xx.xx.xx,xx.xx.xx,xx.xx.xx,xx.xx.xx,xx.xx.xx], user not found
YYYY-MM-DDTHH:MM: INFO  <VCSA-FQDN>:federation (federation-business-pool-0) [CUSTOMER;-;IP.xx.xx.xx;xxxxxxxx-0b28-4456-99bc-5676c7c1bc0a;-;xxxxxxx-e94d-43c8-ae11-d3305a9c60d7] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: xxxxxxx-e94d-43c8-ae11-d3305a9c60d7, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false
YYYY-MM-DDTHH:MM: INFO  <VCSA-FQDN>:federation (federation-business-pool-0) [CUSTOMER;-;IP.xx.xx.xx;xxxxxxxx-0b28-4456-99bc-5676c7c1bc0a;-;xxxxxxx-e94d-43c8-ae11-d3305a9c60d7] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: USER_NOT_FOUND
YYYY-MM-DDTHH:MM INFO  <VCSA-FQDN>:federation (federation-business-pool-0) [CUSTOMER;-;IP.xx.xx.xx;xxxxxxxx-0b28-4456-99bc-5676c7c1bc0a;-;xxxxxxx-e94d-43c8-ae11-d3305a9c60d7] com.vmware.vidm.federation.exception.handler.LoginExceptionHandler - Access denied for login context: xxxxxxx-e94d-43c8-ae11-d3305a9c60d7
On the MS Entra side, check the provisioning log details to confirm which action was taken when the user was provisioned.

Refer to the document: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-provisioning-logs


Environment

VMware vCenter server 8.x

Microsoft Entra ID configured for vCenter authentication

Cause

When a user's externalId (the identifier corresponding to the user's Entra ID object) changes, for example when the user is moved to another department, the objectId stored in the target system (VCSA) is not updated through the SCIM push process. The externalId is the unique identifier that Microsoft Entra ID presents and that VCSA stores; when changes to it are not propagated, Entra ID and VCSA hold inconsistent identities for that user, and VCSA can no longer resolve the user by ExternalId, which produces the USER_NOT_FOUND denial shown in the log above.
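To triage the log excerpt above at scale, an administrator can correlate each login context's ExternalId lookup with its USER_NOT_FOUND denial and extract the nameId that VCSA searched for, which is the value to compare against the Entra ID provisioning log. The following script is an added example written for this article, not VMware or Broadcom code; the sample log lines are constructed in the shape of the federation-service.log excerpt (hostnames, IPs, timestamps and context UUIDs are placeholders).

```python
import re

# Constructed sample lines shaped like the federation-service.log excerpt in this article
# (host, IP, timestamps, session and context IDs are placeholders, not real values).
SAMPLE_LOG = """\
2024-01-01T10:00 INFO  vcsa.example.local:federation (federation-business-pool-0) [CUST;-;10.0.0.5;sess-1;-;ctx-aaaa] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: ctx-aaaa on attribute ExternalId=82d7ff00-c53c-43fc-982c-da6b0ea005c0, domains: [corp.example,lab.example]
2024-01-01T10:00 WARN  vcsa.example.local:federation (ForkJoinPool-2-worker-1) [CUST;-;10.0.0.5;sess-1;-;ctx-aaaa] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId 82d7ff00-c53c-43fc-982c-da6b0ea005c0, nameIdFormat ExternalId, and domains [corp.example,lab.example], user not found
2024-01-01T10:00 INFO  vcsa.example.local:federation (federation-business-pool-0) [CUST;-;10.0.0.5;sess-1;-;ctx-aaaa] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: ctx-aaaa, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false
2024-01-01T10:05 INFO  vcsa.example.local:federation (federation-business-pool-0) [CUST;-;10.0.0.9;sess-2;-;ctx-bbbb] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: ctx-bbbb on attribute ExternalId=11111111-2222-3333-4444-555555555555, domains: [corp.example]
"""

# The lookup line tells us which attribute/value VCSA searched and in which domains.
FETCH_RE = re.compile(
    r"Fetching user for jit login context: (?P<ctx>\S+) on attribute "
    r"(?P<fmt>\w+)=(?P<name_id>[^,]+), domains: \[(?P<domains>[^\]]*)\]"
)
# The denial line carries the same context UUID plus the reason code.
FAIL_RE = re.compile(
    r"Failing login\. contextUuid: (?P<ctx>[^,]+), exception: \S+: "
    r"Access denied with reason code: (?P<reason>\w+)"
)


def find_unresolved_logins(log_text: str) -> list[dict]:
    """Return one record per login context denied with USER_NOT_FOUND, carrying
    the identifier VCSA searched for so it can be checked in Entra's provisioning log."""
    lookups: dict[str, dict] = {}
    results: list[dict] = []
    for line in log_text.splitlines():
        m = FETCH_RE.search(line)
        if m:
            lookups[m["ctx"]] = {
                "context": m["ctx"],
                "name_id_format": m["fmt"],
                "name_id": m["name_id"],
                "domains": [d for d in m["domains"].split(",") if d],
            }
            continue
        m = FAIL_RE.search(line)
        if m and m["reason"] == "USER_NOT_FOUND":
            # Join the denial to the lookup that preceded it in the same context.
            rec = lookups.get(m["ctx"], {"context": m["ctx"]})
            results.append({**rec, "reason": m["reason"]})
    return results


if __name__ == "__main__":
    for r in find_unresolved_logins(SAMPLE_LOG):
        print(f"{r['context']}: no user with {r.get('name_id_format')}={r.get('name_id')} "
              f"in domains {r.get('domains')} ({r['reason']})")
```

Contexts that only show a lookup (ctx-bbbb in the sample) are ignored, so the output lists exactly the identifiers that VCSA could not resolve.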

Resolution

Contact Broadcom Technical Support for further assistance.