Enabling Entra ID authentication causes login failure for users with a '!' character in their username

Article ID: 428399


Products

VMware vCenter Server

Issue/Introduction

  • After Entra ID authentication has been set up successfully in vCenter 8.x, domain users whose usernames contain the '!' character are no longer able to log in to vCenter.
  • The vCenter log /var/log/vmware/vc-ws1a-broker/federation-service.log shows a USER_NOT_FOUND error for each login attempt:
    YYYY-MM-DDTHH:MM:SS INFO  vcenter.example.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.##.##.##.##;#########-TASK-UUID-#############;-;########-USER-LOGIN-UUID-###########] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: ########-####-####-###########, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false
    YYYY-MM-DDTHH:MM:SS INFO  vcenter.example.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.##.##.##.##;#########-TASK-UUID-#############;-;########-USER-LOGIN-UUID-###########] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: USER_NOT_FOUND
    YYYY-MM-DDTHH:MM:SS INFO  vcenter.example.com:federation (federation-business-pool-0) [CUSTOMER;-;IP.##.##.##.##;#########-TASK-UUID-#############;-;########-USER-LOGIN-UUID-###########] com.vmware.vidm.federation.exception.handler.LoginExceptionHandler - Access denied for login context: ########-####-####-###########
  • Entra ID logging for the same attempt shows the following:
    ErrorCode: SystemForCrossDomainIdentityManagementServiceIncompatible
    ErrorMessage: Received response from Web resource. Resource: https://vcenter.example.com/Users?filter=userName+eq+"<!username>" Operation: GET Response Status Code: BadRequest Response Headers: x-xss-protection: 1; mode=block strict-transport-security: max-age=31536000 x-content-type-options: nosniff x-frame-options: SAMEORIGIN content-security-policy: default-src blob: https: 'self' ; script-src 'unsafe-inline' 'unsafe-eval' https: 'self' ; style-src 'unsafe-inline' https: 'self'; img-src https: data: 'self'; frame-ancestors 'self' pragma: no-cache x-envoy-upstream-service-time: 10 Cache-Control: no-store, no-cache Date: YYYY-MM-DD:HH:MM:SS GMT Response Content: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"400","scimType":"invalidFilter","detail":"Errors:\nInvalid username. Max length is 150 characters. The allowed symbols are letters, digits (0-9), space, and ()-_.@\n"} . This operation was retried 0 times. It will be retried again after this date: YYYY-MM-DD:HH:MM:SS
    ReportableIdentifier: <username>@example.com (the affected user's UPN; placeholder value)

Environment

VMware vCenter 8.x

Cause

The '!' character is currently not an allowed symbol in the usernames accepted by the VIDB. The SCIM user lookup that Entra ID performs against vCenter (GET /Users?filter=userName eq "<username>") is rejected with HTTP 400 invalidFilter because the only permitted symbols are letters, digits (0-9), space, and ()-_.@ (maximum 150 characters), so the user is reported as USER_NOT_FOUND and the login fails.
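As an added example (not part of this KB or the vCenter code), the following Python applies the username rule quoted in the SCIM error above as a pre-flight audit, so that affected accounts can be identified before Entra ID authentication is enabled; the sample UPNs and the helper names are constructed for illustration, and reading "letters" as ASCII is an assumption.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlsplit

# Rule reproduced from the SCIM 400 "invalidFilter" detail quoted in this KB:
# max 150 characters; letters, digits (0-9), space, and ( ) - _ . @ are allowed.
# Reading "letters" as ASCII A-Z/a-z is an assumption of this example.
MAX_LEN = 150
_ALLOWED_CHAR = re.compile(r"[A-Za-z0-9 ()\-_.@]")

def username_rejections(username: str) -> list[str]:
    """Reasons the VIDB userName check would reject this value ([] means accepted)."""
    reasons = []
    if not 1 <= len(username) <= MAX_LEN:
        reasons.append(f"length {len(username)} not in 1..{MAX_LEN}")
    bad = sorted({c for c in username if not _ALLOWED_CHAR.fullmatch(c)})
    if bad:
        reasons.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return reasons

def find_affected_users(upns: list[str]) -> dict[str, list[str]]:
    """Pre-flight audit: UPNs that would get USER_NOT_FOUND once Entra ID auth is enabled."""
    return {u: r for u in upns if (r := username_rejections(u))}

def username_from_scim_filter(url: str) -> str | None:
    """Extract userName from a SCIM URL of the form .../Users?filter=userName eq "<name>"."""
    query = parse_qs(urlsplit(url).query).get("filter", [""])[0]
    m = re.fullmatch(r'userName eq "([^"]*)"', query)
    return m.group(1) if m else None

# Constructed sample UPNs (not real accounts); '!' and '&' are outside the allowed set.
SAMPLE_UPNS = [
    "alice.smith@example.com",
    "svc!backup@example.com",
    "bob_o(1)@example.com",
    "r&d-lead@example.com",
]

if __name__ == "__main__":
    for upn, reasons in find_affected_users(SAMPLE_UPNS).items():
        print(f"{upn}: will fail SCIM lookup; {'; '.join(reasons)}")
    url = 'https://vcenter.example.com/Users?filter=userName+eq+"svc!backup@example.com"'
    print("userName in rejected filter:", username_from_scim_filter(url))
```

Running the audit over an export of the tenant's UPNs lists every account that would hit USER_NOT_FOUND, which is cheaper than discovering them from federation-service.log after the cutover.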

Resolution

Engineering is aware of this issue, and this will be resolved in an upcoming vCenter patch.