Use of Third-Party Reverse Proxy or URL Masking Tools with vCenter Server

Article ID: 416945
Products

VMware vCenter Server

Issue/Introduction

  • This article explains why using third-party reverse proxy or URL masking tools to access the vCenter Server user interface or API is not supported. It describes the authentication flow used by vCenter Server and why modifying or proxying the access URL causes authentication failures.
  • When vCenter Server is accessed through a proxy or an application that masks or rewrites the original URL, one or more of the following symptoms may be observed:

    • Logging in to the vSphere Client automatically changes the URL to the vCenter Server's original FQDN.

    • Browser redirects repeatedly between /ui, /websso, or /sts.

    • Direct access to the original vCenter FQDN works without issues.

    • Access via the proxy URL does not work as expected.

Environment

  • VMware vCenter Server

Cause

vCenter Server uses VMware Single Sign-On (SSO) and the Security Token Service (STS) for authentication. These components rely on SAML token exchange and certificate-based trust that are tightly bound to the vCenter Server’s fully qualified domain name (FQDN).

Third-party reverse proxies or URL masking tools typically:

  • Terminate SSL/TLS connections under a different hostname.

  • Rewrite HTTP headers such as Host, Origin, and Referer.

  • Attempt to forward cookies between mismatched domains.

Because vCenter’s SSO process expects the same hostname and certificate throughout the login sequence, these modifications invalidate the SAML token audience and cookie domain, producing the symptoms listed above.
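The three bindings just described (token audience, cookie domain, TLS name) can be modelled in a few lines. The following is an added example, not VMware code and not a real vCenter token: it parses a constructed, minimal SAML assertion whose audience is the vCenter FQDN, then checks a direct request and a proxied request against it. The hostnames, the `/sts` and `/ui` paths used in the sample token, and all function names are assumptions of this example.

```python
"""Why a hostname-rewriting proxy breaks the vCenter SSO login sequence.

Added example, not VMware code or a real vCenter token. It models the three
bindings the article names (SAML audience, session cookie domain, TLS name)
with a constructed minimal SAML assertion and two constructed request
contexts. The hostnames and function names are assumptions of this example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

VCENTER_FQDN = "vcenter.example.internal"  # assumed vCenter Server FQDN
PROXY_FQDN = "portal.example.com"          # assumed proxy / URL-masking hostname

# Constructed assertion: the STS restricts the audience to the vCenter FQDN.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example">
  <saml:Issuer>https://{VCENTER_FQDN}/sts</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://{VCENTER_FQDN}/ui</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def audience_urls(assertion_xml):
    """Return the Audience URLs from the assertion's AudienceRestriction."""
    root = ET.fromstring(assertion_xml)
    return [a.text.strip()
            for a in root.findall(".//saml:AudienceRestriction/saml:Audience", SAML_NS)
            if a.text]


def audience_hosts(assertion_xml):
    """Hostnames the token is bound to (what the relying party must be called)."""
    return {urlparse(u).hostname.lower() for u in audience_urls(assertion_xml)}


def cookie_domain_matches(host, cookie_domain):
    """RFC 6265 domain-match; the browser only sends the cookie when this holds."""
    d = cookie_domain.lower().lstrip(".")
    return host == d or host.endswith("." + d)


def check_login_context(assertion_xml, host_header, cookie_domain, tls_name):
    """Return (kind, detail) mismatches that break the SSO exchange; [] if consistent.

    host_header:   Host the client sent on the SSO callback
    cookie_domain: domain the vCenter session cookie was set for
    tls_name:      name on the certificate that terminated the TLS connection
    """
    host = host_header.split(":")[0].lower()
    auds = audience_hosts(assertion_xml)
    issues = []
    if host not in auds:
        issues.append(("audience", f"token audience {sorted(auds)} != Host {host}"))
    if not cookie_domain_matches(host, cookie_domain):
        issues.append(("cookie", f"cookie for {cookie_domain} is not sent to {host}"))
    if tls_name.lower() not in auds:
        issues.append(("tls", f"TLS terminated as {tls_name}, trust bound to {sorted(auds)}"))
    return issues


def post_login_location(assertion_xml):
    """In this model the STS returns the browser to the audience URL, which is
    why a login started on the proxy hostname ends up on the original FQDN."""
    return audience_urls(assertion_xml)[0]


def direct_access():
    """Client talks to vCenter by its own FQDN: every binding lines up."""
    return check_login_context(SAMPLE_ASSERTION, VCENTER_FQDN, VCENTER_FQDN, VCENTER_FQDN)


def proxied_access():
    """Proxy terminates TLS under its own name and rewrites Host; the SSO cookie
    was issued for the vCenter FQDN, so the browser on the proxy name never
    presents it."""
    return check_login_context(SAMPLE_ASSERTION, PROXY_FQDN, VCENTER_FQDN, PROXY_FQDN)


if __name__ == "__main__":
    print("direct :", direct_access() or "consistent")
    for kind, detail in proxied_access():
        print("proxied:", kind, "-", detail)
    print("browser lands on:", post_login_location(SAMPLE_ASSERTION))
```

Running the script shows the direct case passing all three checks and the proxied case failing all three, which is the combination behind the redirect loop and the URL "jumping" back to the original FQDN. The same checks are a useful first triage step when a vCenter login misbehaves: confirm that the Host the client sends, the cookie domain and the certificate name are all the vCenter FQDN before looking elsewhere.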

Resolution

  • VMware does not support the use of reverse proxies, URL masking utilities, or similar third-party tools in front of vCenter Server for direct access to the vSphere UI or APIs.

Additional Information


  • vCenter SSO and STS services sign authentication tokens for a specific FQDN.

  • Any TLS termination or hostname rewriting in the authentication path invalidates those tokens.