VCF PowerCLI authentication to vCenter via Microsoft Entra ID fails with "Cannot complete login due to an incorrect user name or password" when logging in as DOMAIN\user

Article ID: 427150

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Entra ID authentication configured for vCenter Server works through the vSphere Client UI but fails with VCF PowerCLI.

  • The following error appears when authenticating with VCF PowerCLI using a login of the form AD\user: "Cannot complete login due to an incorrect user name or password"

Environment

  • vCenter 8.x
  • vCenter 9.x

Cause

  • Non-interactive, non-UI (VCF PowerCLI) access for federated users requires OAuth 2.0 with the Resource Owner Password Credentials (ROPC) grant type.
  • ROPC identifies users by their User Principal Name (UPN) and does not support the Down-Level Logon Name, or NetBIOS (DOMAIN\user), naming convention.

Resolution

The ROPC flow is a single request; it sends the client identification and user's credentials to the identity provider, and receives tokens in return.

Log in with the email address (UPN) and password for authentication to succeed.

Note:

The ROPC flow exposes the user credentials to the client application, VCF PowerCLI, and to vCenter Server. To minimize the security risk, allow access only to service users with limited permissions. For more information, see: Unattended Logins to a Federated vCenter System
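
A pre-flight check for the resolution above, as an added example that is not part of the original article or of VCF PowerCLI: it classifies the login name and refuses anything that is not a UPN before a login is attempted, so a script fails early instead of generating rejected logins. The function names, the server name and the sample accounts are hypothetical, and it assumes `Connect-VIServer -Credential` is the login path in use.

```powershell
# Added example (not from the article): validate the login name form
# before a federated PowerCLI login is attempted.

function Get-LoginNameForm {
    param([Parameter(Mandatory)][string]$UserName)

    $name = $UserName.Trim()
    # Down-level logon name: NETBIOS\user (one backslash, no '@')
    if ($name -match '^[^\\/@]+\\[^\\/@]+$') { return 'DownLevel' }
    # UPN: user@suffix (exactly one '@', no backslash or whitespace)
    if ($name -match '^[^\\/@\s]+@[^\\/@\s]+$') { return 'UPN' }
    return 'Unknown'
}

function Connect-FederatedVIServer {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    $form = Get-LoginNameForm -UserName $Credential.UserName
    if ($form -ne 'UPN') {
        # Stop here: the ROPC grant would reject this name anyway, and the
        # password would have been sent along with it for nothing.
        throw "Login name '$($Credential.UserName)' is in $form form; use the UPN (user@domain) for federated PowerCLI logins."
    }
    # Credential object instead of -User/-Password keeps the password
    # out of the command line and the script source.
    Connect-VIServer -Server $Server -Credential $Credential
}

# Constructed sample names, classified without contacting any server
'CORP\svc-backup', 'svc-backup@corp.example.com', 'svc-backup' | ForEach-Object {
    '{0,-30} {1}' -f $_, (Get-LoginNameForm -UserName $_)
}

# Typical call, with a limited-permission service user as the note above advises:
# $cred = Get-Credential -Message 'Enter the service user UPN'
# Connect-FederatedVIServer -Server 'vcenter.example.com' -Credential $cred
```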

Additional Information

Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials

Configuring Microsoft Entra ID for vCenter Server