Error: "Service accounts cannot login to the vCenter" after vCenter upgrade to version 8.0 Update 3h
Article ID: 427644
Products
VMware vSphere ESXi
Issue/Introduction
Service accounts cannot login to the vCenter after vCenter upgrade to version 8.0 Update 3h
2FA is enabled in ADFS or AD in the environment.
After upgrading to vCenter 8.0.3.00700, vCenter GUI logins for AD user accounts (via ADFS redirect) still succeed, but AD service account logins made through the vCenter APIs no longer succeed.
Environment
VMware vCenter Server 8.0.3.00700
Cause
This is expected behaviour.
If the vCenter has both a federation provider and a legacy provider servicing the same domain, logins by API, Virtual Appliance Management Interface (VAMI), or the vSphere Client that use the username and password of federation accounts might be processed by the legacy provider, bypassing federation policies such as 2FA.
This bypass has been fixed in this version and build, so such logins are now subject to the federation policies.
Resolution
If you are facing this issue on vCenter 8.0 Update 3h, reconfigure the two-factor authentication (2FA / MFA) policies in ADFS or AD so that the service accounts are not subject to 2FA. 2FA is currently being enforced on the ADFS or AD side, which is why the service accounts cannot log in.
If you face the issue but do not upgrade to vCenter 8.0 Update 3h, delete the legacy provider servicing the same domain by using the command-line sso-config utility. Note that this stops user and group enumeration by API, such as PowerCLI Get-VIAccount.
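To confirm whether a given service account can still authenticate through the vCenter API path (rather than the browser redirect) before and after changing the MFA policy, the following PowerCLI check can be run from an administrator workstation. This is an added example, not part of the KB article or of VMware's tooling; it assumes the VMware.PowerCLI module is installed, and the server name, domain and the function name Test-ServiceAccountApiLogin are placeholders chosen here.

```powershell
# Added example (not from the KB article). Attempts an API-style login to
# vCenter with a service account and optionally enumerates accounts of a
# domain, so the same check can be repeated after reconfiguring 2FA in ADFS/AD
# or after removing the legacy identity provider.
Import-Module VMware.PowerCLI -ErrorAction Stop

function Test-ServiceAccountApiLogin {
    param(
        [Parameter(Mandatory)][string]$Server,          # vCenter FQDN (placeholder below)
        [Parameter(Mandatory)][pscredential]$Credential, # AD service account, e.g. DOMAIN\svc_name
        [string]$Domain                                   # optional: domain to enumerate with Get-VIAccount
    )

    $result = [ordered]@{
        Server       = $Server
        User         = $Credential.UserName
        LoginOk      = $false
        AccountCount = $null
        Error        = $null
    }
    $vi = $null

    try {
        # Connect-VIServer uses the API login path, the same one automation and
        # service accounts use; a failure here after the upgrade is consistent
        # with the account now being routed through the federation provider
        # and hitting an interactive 2FA requirement it cannot satisfy.
        $vi = Connect-VIServer -Server $Server -Credential $Credential -ErrorAction Stop
        $result.LoginOk = $true

        if ($Domain) {
            # Enumeration by API; per the KB this is expected to stop working
            # once the legacy provider for the domain has been deleted.
            $accounts = Get-VIAccount -Server $vi -Domain $Domain -ErrorAction Stop
            $result.AccountCount = @($accounts).Count
        }
    }
    catch {
        # Record the error text so the before/after runs can be compared.
        $result.Error = $_.Exception.Message
    }
    finally {
        if ($vi) { Disconnect-VIServer -Server $vi -Confirm:$false -ErrorAction SilentlyContinue }
    }

    [pscustomobject]$result
}

# Placeholder values: replace with your vCenter FQDN and the service account under test.
$svcCred = Get-Credential -Message 'AD service account to test (DOMAIN\svc_name)'
Test-ServiceAccountApiLogin -Server 'vcenter.example.invalid' -Credential $svcCred -Domain 'example.invalid' |
    Format-List
```

Run it once before changing anything to record the failing state (LoginOk false with an authentication error), and again after excluding the service accounts from the ADFS/AD 2FA policy; LoginOk should flip to true while interactive user logins remain subject to 2FA. If the legacy provider was deleted instead, expect AccountCount to be null with an error from Get-VIAccount, matching the enumeration caveat in the resolution.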