Unable to log in to the vSphere UI after configuring Microsoft Entra ID (formerly Azure Active Directory) as the Identity Provider in VCF 9.0.

Article ID: 422391

Products

VCF Operations

Issue/Introduction

  • The group is pre-provisioned and added to vCenter Server with Administrator permissions, yet when users log in they get the error "Unable to login because you do not have permission on any vCenter Server systems connected to this client."



  • The vCenter Server UI log confirms that the SAML token was retrieved successfully, yet the login was denied because of missing permissions:

    /var/log/vmware/vsphere-ui/vsphere_client_virgo.log

    YYYY-MM-DDThh:mm:ss [ERROR] p-nio-127.0.0.1-5090-exec-13 70000162 100019 200009 com.vmware.vise.security.spring.DefaultAuthenticationProvider     Authentication failure com.vmware.vise.security.spring.DefaultAuthenticationException: Unable to login because you do not have permission on any vCenter Server systems connected to this client.
            at com.vmware.vsphere.client.security.VimAuthenticationHandler.authenticate(VimAuthenticationHandler.java:305)
            at com.vmware.vise.security.spring.DefaultAuthenticationProvider.authenticate(DefaultAuthenticationProvider.java:354)
            at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
    YYYY-MM-DDThh:mm:ss [INFO ] agw-token-acq1               70000011 ###### 200006 com.vmware.identity.token.impl.SamlTokenImpl                      SAML token for SubjectNameId [value=<user_name>@example.com, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
    YYYY-MM-DDThh:mm:ss [INFO ] agw-token-acq1               70000011 ###### 200006 com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl           Successfully acquired token for user: {Name: <user_name>, Domain: example.com}
    YYYY-MM-DDThh:mm:ss [DEBUG] linkedVcGroup-pool-129       70000011 100004 200006 com.vmware.vise.vim.commons.vcservice.impl.VcServiceImpl          Will determine whether to retry managed method loginByToken for moref ManagedObjectReference: type = SessionManager, value = SessionManager, serverGuid = bbea20af-####-464b-###-7005c####cb05. The failure was com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied.
    YYYY-MM-DDThh:mm:ss [ERROR] linkedVcGroup-pool-33924     70097169 104135 200099 com.vmware.vise.util.concurrent.ExecutorUtil                      A task crashed: com.vmware.vise.vim.commons.vcservice.impl.LinkedVcGroupImpl$1@66d39d44 java.util.concurrent.ExecutionException: (vim.fault.NoPermission) {
       faultCause = null,
       faultMessage = null,
       object = ManagedObjectReference: type = Folder, value = group-d1, serverGuid = bbea20af-####-464b-####-700###2c6cb05,
       privilegeId = System.View,
       missingPrivileges = (vim.fault.EntityPrivileges) [
          (vim.fault.EntityPrivileges) {
             dynamicType = null,
             dynamicProperty = null,
             entity = ManagedObjectReference: type = Folder, value = group-d1, serverGuid = bbea20af-###-464b-####-7005###6cb05,
             privilegeIds = (STRING) [
                System.View


  • The login works correctly when the permission is applied directly to the individual user account, which indicates that the group membership information is not being passed to, or interpreted by, vCenter SSO.

  • These groups originate in Microsoft Entra ID (formerly Azure Active Directory or Azure AD) and do not exist in the on-premises Active Directory.

Environment

VCF 9.X

Cause

  • The failure is caused by a missing or incorrectly configured Group Claim in the Microsoft Entra ID (Azure AD) SAML application setup.

  • VCF's vCenter SSO relies on a specific SAML attribute, the Group Claim, to identify the user's group memberships during Just-In-Time (JIT) provisioning. If this claim is absent, or is emitted in a format that vCenter does not recognize (such as the default Group ID instead of the group name), vCenter receives the user's token but not the list of groups the user belongs to.

  • Without group membership data, vCenter cannot map the user to the pre-provisioned groups (e.g., Administrators), resulting in the "No Permission" error.
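As an added diagnostic that is not part of this article, the following Python check classifies the groups claim carried in a SAML assertion, distinguishing the three situations the Cause section describes: no groups claim, a claim that carries only object GUIDs (the Group ID format), and a claim that carries group names. The sample assertions are constructed and unsigned; the claim URI is the one Entra ID uses for its groups claim, and treating all-GUID values as the Group ID format is a heuristic assumed here.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name under which Entra ID emits group membership once a groups claim is configured.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Entra object IDs are GUIDs; a claim consisting only of GUIDs is assumed to be the "Group ID" format.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def group_claim_status(assertion_xml: str) -> dict:
    """Return status 'missing', 'object_ids' (GUIDs only) or 'names', plus the claim values."""
    root = ET.fromstring(assertion_xml)  # works for a bare <Assertion> or a <Response> wrapping one
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != GROUPS_CLAIM:
            continue
        values += [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
    if not values:
        return {"status": "missing", "groups": []}
    if all(GUID_RE.match(v) for v in values):
        return {"status": "object_ids", "groups": values}
    return {"status": "names", "groups": values}


def status_from_post_binding(saml_response_b64: str) -> dict:
    """Same check for a base64-encoded SAMLResponse as posted to the assertion consumer endpoint."""
    return group_claim_status(base64.b64decode(saml_response_b64).decode("utf-8"))


def make_assertion(groups):
    """Build a constructed, unsigned test assertion; None omits the groups claim entirely."""
    attr = ""
    if groups is not None:
        vals = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
        attr = f'<saml:Attribute Name="{GROUPS_CLAIM}">{vals}</saml:Attribute>'
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">'
        '<saml:Subject><saml:NameID Format="http://schemas.xmlsoap.org/claims/UPN">user@example.com</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attr}</saml:AttributeStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    cases = [("no claim", None), ("Group ID format", ["3f2504e0-4f89-11d3-9a0c-0305e82c3301"]), ("group name", ["vcf-admins"])]
    for label, groups in cases:
        print(f"{label}: {group_claim_status(make_assertion(groups))}")
```

Only the 'names' result can be matched against a pre-provisioned group in vCenter; 'missing' and 'object_ids' both produce the NoPermission failure shown in the log above.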

Resolution

To resolve the SAML authentication issue, edit the Group Claim settings within the Microsoft Entra ID (formerly Azure Active Directory or Azure AD) Enterprise application used for VCF federation so that the correct group name attribute is emitted in the SAML token.

Steps in Microsoft Entra ID:

  • Navigate to the Enterprise Application: Go to the Azure portal, find the Enterprise Application configured for VCF, and open the Single sign-on configuration.

  • Edit the groups claim: In the Attributes & Claims section the groups claim has already been added. Click on the groups claim name to open the "Edit groups claim" configuration blade.

    • Customize Token Properties: Within the "Edit groups claim" blade, select how the group information is represented in each token type:

      • ID (ID Token): for the groups claim format, select sAMAccountName.

      • Access (Access Token): for the groups claim format, select sAMAccountName.

      • SAML (SAML Token): for the groups claim format, select sAMAccountName.


  • Edit Attributes & Claims: Go to the Attributes & Claims section.

  • Edit the claim, select "Groups assigned to the application", and for Source attribute select "sAMAccountName" from the drop-down.

  • Since the groups are created in the cloud, the option "Emit group name for cloud-only groups" must be enabled.
