Error: "Could not create indirect identity provider" when configuring Entra ID provider to vCenter

Article ID: 428249

Products

VMware vCenter Server

Issue/Introduction

  • When attempting to add an Entra ID provider configuration to vCenter, the operation fails with the following error:

"Could not create indirect identity provider."

 

  • In the vCenter log /var/log/vmware/trustmanagement/trustmanagement-svcs.log, the following entries are seen:

[YYYY-MM-DDTHH:MM:SS] [tomcat-exec-17 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Replace operation failed. Attempting rollback. Triggering exception is: Could not create indirect identity provider: VMware Identity services unavailable
[YYYY-MM-DDTHH:MM:SS] [tomcat-exec-17 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdentityMigration  opId=] Error changing identity provider configuration: Could not create indirect identity provider: VMware Identity services unavailable
com.vmware.vcenter.trustmanagement.impl.InternalException: Could not create indirect identity provider

Caused by: com.vmware.vcenter.trustmanagement.authbroker.BrokerException: VMware Identity services unavailable

[YYYY-MM-DDTHH:MM:SS] [tomcat-exec-17 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] API request GET_CLIENT_CREDENTIALS_TOKEN to url http://localhost:1080/external-vecs/http1/<vCenter-FQDN>/443/acs/t/customer/token returned unexpected response code 503 and the following error information: no healthy upstream
[YYYY-MM-DDTHH:MM:SS] [tomcat-exec-17 [] ERROR com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] VMware Identity services unavailable
[YYYY-MM-DDTHH:MM:SS] [tomcat-exec-17 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Failed to create Auth Broker IDP com.vmware.vcenter.trustmanagement.authbroker.BrokerException: VMware Identity services unavailable

 

  • In the vCenter log /var/log/vmware/vc-ws1a-broker/federation-service.log, the following entries are seen:

[YYYY-MM-DDTHH:MM:SS],583 WARN  <vCenter-FQDN>:federation (ForkJoinPool-2-worker-62468) [-;-;-;-;-;-] com.vmware.vidm.common.gateway.mesh.GatewayAuthProvider - Failed to acquire token, returning cached token - Optional[GatewayToken[Hash:21####3949 , Expiry:[yyyy-mm-dd]][Errors:0]], io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:10114
[YYYY-MM-DDTHH:MM:SS],588 INFO  <vCenter-FQDN>:federation (Gateway-Token-Refresher-18####6423) [-;-;-;-;-;-] com.vmware.vidm.common.gateway.mesh.GatewayAuthProvider - Invalid Token - [Now: [YYYY-MM-DDTHH:MM:SS].588633548Z] - GatewayToken[Hash:21####3949 , Expiry:[yyyy-mm-dd]][Errors:0]
[YYYY-MM-DDTHH:MM:SS],588 INFO  <vCenter-FQDN>:federation (Gateway-Token-Refresher-18####6423) [-;-;-;-;-;-] com.vmware.vidm.common.gateway.mesh.GatewayAuthProvider - Invalid Token - [Now: [YYYY-MM-DDTHH:MM:SS].588739438Z] - GatewayToken[Hash:21####3949 , Expiry:[yyyy-mm-dd]][Errors:0]
[YYYY-MM-DDTHH:MM:SS],590 WARN  <vCenter-FQDN>:federation (vert.x-eventloop-thread-4) [-;-;-;-;-;-] com.vmware.vidm.common.async.RetryCompletableFuture - Failed after max retries: 0 java.util.concurrent.CompletionException: io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:10114

 

  • In the vCenter log /var/log/vmware/vc-ws1a-broker/token-service.log, the following entries are seen:

    [YYYY-MM-DDTHH:MM:SS] 3 WARN  FQDN:federation (ForkJoinPool-2-worker-2) [-;-;-;-;-;-] com.vmware.vidm.common.gateway.mesh.GatewayAuthProvider - Failed to acquire token, returning cached token - Optional.empty, io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:10114
    [YYYY-MM-DDTHH:MM:SS] INFO  FQDN:federation (main) [-;-;-;-;-;-] com.vmware.vidm.federation.cds.TenantFeatureProvider - Creating tenant feature cache with ttl seconds: 600, max size: 10000

    Caused by: java.net.ConnectException: Connection refused
            at java.base/sun.nio.ch.Net.pollConnect(Native Method)
            at java.base/sun.nio.ch.Net.pollConnectNow(Unknown Source)
            at java.base/sun.nio.ch.SocketChannelImpl.finishConnect(Unknown Source)
            at io.netty.channel.socket.nio.NioSocketChannel.doFinishConnect(NioSocketChannel.java:337)
            at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:334)
            at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:776)
            at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
            at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
            at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
            at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
            at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
            at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
            at java.base/java.lang.Thread.run(Unknown Source)

Environment

  • vCenter 8.x
  • vCenter 9.0

Cause

During token refresh, the system fetches a global configuration via an HTTP request. In rare cases this request hangs; every subsequent attempt to read the configuration then blocks behind it, so the token is never refreshed and the broker reports the identity services as unavailable.

Resolution

  • Workaround:
    1. SSH into the vCenter Server using root credentials.
    2. Run the following command to restart the broker service:
      • service-control --stop vc-ws1a-broker && service-control --start vc-ws1a-broker
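The following triage script is an added example and is not part of the KB article or VMware's tooling. It counts the log signatures quoted above in the three logs the article names, reports whether the article's failure pattern is present (trust management reporting "VMware Identity services unavailable" together with the broker's connection refused on 127.0.0.1:10114), and applies the article's workaround (restarting vc-ws1a-broker with service-control) only when run with --restart. The default log paths, the argument names and the sample log lines written by make_sample_logs are assumptions for illustration; the sample lines are constructed to match the shape of the excerpts above.

```shell
#!/bin/sh
# Added example, not from the KB article: triage helper for the
# "Could not create indirect identity provider" failure on vCenter.
# Assumptions (not from the article): default log paths, the --self-test /
# --restart arguments, and the constructed sample lines in make_sample_logs.

TRUST_LOG="${TRUST_LOG:-/var/log/vmware/trustmanagement/trustmanagement-svcs.log}"
FED_LOG="${FED_LOG:-/var/log/vmware/vc-ws1a-broker/federation-service.log}"
TOKEN_LOG="${TOKEN_LOG:-/var/log/vmware/vc-ws1a-broker/token-service.log}"

# Signatures taken from the log excerpts in the article.
SIG_UNAVAILABLE='VMware Identity services unavailable'
SIG_UPSTREAM='no healthy upstream'
SIG_REFUSED='Connection refused.*127\.0\.0\.1:10114'

# count_signature FILE PATTERN: print the number of matching lines (0 if the file
# is missing or unreadable; grep's exit status 1 on zero matches is swallowed).
count_signature() {
    if [ -r "$1" ]; then
        grep -c -- "$2" "$1" || true
    else
        echo 0
    fi
}

# diagnose TRUST_LOG FED_LOG TOKEN_LOG: print per-signature counts and return 0
# when the article's pattern is present (identity services unavailable in the
# trust management log AND a refused connection to 10114 in a broker log).
diagnose() {
    u=$(count_signature "$1" "$SIG_UNAVAILABLE")
    h=$(count_signature "$1" "$SIG_UPSTREAM")
    r=$(( $(count_signature "$2" "$SIG_REFUSED") + $(count_signature "$3" "$SIG_REFUSED") ))
    printf 'identity-unavailable=%s no-healthy-upstream=%s refused-10114=%s\n' "$u" "$h" "$r"
    if [ "$u" -gt 0 ] && [ "$r" -gt 0 ]; then
        return 0
    fi
    return 1
}

# make_sample_logs DIR: write constructed sample lines (shaped like the article's
# excerpts, placeholders kept) so the script can be exercised offline.
make_sample_logs() {
    cat > "$1/trust.log" <<'EOF'
[YYYY-MM-DDTHH:MM:SS] [tomcat-exec-17 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] API request GET_CLIENT_CREDENTIALS_TOKEN to url http://localhost:1080/external-vecs/http1/<vCenter-FQDN>/443/acs/t/customer/token returned unexpected response code 503 and the following error information: no healthy upstream
[YYYY-MM-DDTHH:MM:SS] [tomcat-exec-17 [] ERROR com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] VMware Identity services unavailable
[YYYY-MM-DDTHH:MM:SS] [tomcat-exec-17 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Failed to create Auth Broker IDP com.vmware.vcenter.trustmanagement.authbroker.BrokerException: VMware Identity services unavailable
EOF
    cat > "$1/fed.log" <<'EOF'
[YYYY-MM-DDTHH:MM:SS],590 WARN  <vCenter-FQDN>:federation (vert.x-eventloop-thread-4) [-;-;-;-;-;-] com.vmware.vidm.common.async.RetryCompletableFuture - Failed after max retries: 0 java.util.concurrent.CompletionException: io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:10114
EOF
    cat > "$1/token.log" <<'EOF'
[YYYY-MM-DDTHH:MM:SS] INFO  FQDN:federation (main) [-;-;-;-;-;-] com.vmware.vidm.federation.cds.TenantFeatureProvider - Creating tenant feature cache with ttl seconds: 600, max size: 10000
EOF
}

# Usage: broker-triage.sh [--self-test | --restart]
#   (no argument)  diagnose the live logs and report
#   --self-test    run the diagnosis against the constructed sample logs
#   --restart      apply the article's workaround when the pattern is present
case "${1:-}" in
    --self-test)
        d=$(mktemp -d)
        make_sample_logs "$d"
        diagnose "$d/trust.log" "$d/fed.log" "$d/token.log"
        rm -rf "$d" ;;
    --restart)
        if diagnose "$TRUST_LOG" "$FED_LOG" "$TOKEN_LOG"; then
            # Workaround from the article: restart the broker service.
            service-control --stop vc-ws1a-broker && service-control --start vc-ws1a-broker
        fi ;;
    *)
        diagnose "$TRUST_LOG" "$FED_LOG" "$TOKEN_LOG" || echo 'article signature not present in live logs' ;;
esac
```

Run it without arguments on the vCenter appliance to see the counts before deciding on the restart; --restart gates the service restart on the pattern actually being present so that an unrelated "Could not create indirect identity provider" cause is not masked by bouncing the broker.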