Entra ID SCIM Provisioning fails with Error code "CredentialValidationUnavailable" or "SystemForCrossDomainIdentityManagementCredentialValidationUnavailable" during Test Connection

Article ID: 428509


Products

VMware vCenter Server

Issue/Introduction

  • The Microsoft Entra Provisioning Agent (running on the on-premises Windows Server) fails to establish a valid HTTPS handshake with the vCenter Server.

  • The following error messages can be seen while testing the connection:

    • Error code: CredentialValidationUnavailable Error details:

      We received this unexpected response from your application: Received response from Web resource. Resource: https://<vc-fqdn>/scim/v2/Users... Operation: GET Response Status Code: InternalServerError

    • Error code: SystemForCrossDomainIdentityManagementCredentialValidationUnavailable
      Details: We received this unexpected response from your application:

      Response Content: System.Net.WebException\\r\\nThe underlying connection was closed: Could not establish trust relationship for the SSL\\\/TLS secure channel
      Type: System.Security.Authentication.AuthenticationException\\r\\nThe remote certificate is invalid according to the validation procedure

Environment

vCenter Server 8.x

Cause

This error occurs because the Microsoft Entra Provisioning Agent cannot establish a valid HTTPS handshake with the vCenter Server. This may be caused by one of the following issues:

  • DNS Resolution Failure: The Agent VM cannot resolve the vCenter FQDN to an IP address.

  • SSL Trust Issues: The Windows OS hosting the Agent does not trust the vCenter Server's Root Certificate Authority (CA), causing the connection to drop silently.

Resolution

Ensure the Provisioning Agent host can resolve and trust the vCenter Server.

Verify and Fix DNS Resolution 

  1. Log in to the Windows Server hosting the Entra Provisioning Agent.

  2. Open Command Prompt (cmd.exe).

  3. Run the command: nslookup <vcenter_fqdn>

    • If this fails: The machine is using the wrong DNS server or requires a local Host File entry.

  4. Action: Update the Network Adapter settings to point to the correct DNS server, or add the vCenter IP and FQDN to C:\Windows\System32\drivers\etc\hosts.

  5. Verify: Run ping <vcenter_fqdn> to confirm reachability.

Validate SSL Trust Issues

  1. On the Agent VM, open a web browser (Edge/Chrome).

  2. Navigate to the SCIM endpoint: https://<vcenter_fqdn>/scim/v2

  3. Check: Does the address bar show a "Not Secure" or Certificate Error warning?

    • If Yes: Download the root certificate from vCenter (https://<vcenter_fqdn>/certs/download.zip) and install the relevant CA cert into the Local Machine > Trusted Root Certification Authorities store on the Agent VM.
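
Both checks above can be scripted on the Agent host. The PowerShell script below is an added example, not part of the original article or any VMware or Microsoft tool; it resolves the name and then performs a TLS handshake with normal certificate validation, reporting why validation fails instead of bypassing it. The parameter names and the default port 443 are assumptions.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$VcenterFqdn,  # the <vcenter_fqdn> from the article
    [int]$Port = 443                                     # assumption: default HTTPS port
)

# 1. DNS through the Windows resolver. Unlike nslookup, this also honours the hosts file.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($VcenterFqdn)
    Write-Host "DNS   : $VcenterFqdn -> $($ips -join ', ')"
} catch {
    Write-Host "DNS   : FAILED ($($_.Exception.GetBaseException().Message))"
    return
}

# 2. TLS handshake with normal validation; the callback only records the verdict.
$report = @{ Policy = 'callback not reached'; Chain = @(); Status = @() }
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $cert, $chain, $policyErrors)
    $report.Policy = $policyErrors
    $report.Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $report.Status = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)  # never force-accept
}

$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($VcenterFqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    $ssl.AuthenticateAsClient($VcenterFqdn)
    Write-Host "TLS   : certificate trusted, negotiated $($ssl.SslProtocol)"
} catch {
    Write-Host "TLS   : FAILED ($($_.Exception.GetBaseException().Message))"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# RemoteCertificateChainErrors + UntrustedRoot -> the root CA is missing from the trust store.
# RemoteCertificateNameMismatch -> the FQDN used is not a name in the certificate.
Write-Host "Policy: $($report.Policy)"
$report.Chain  | ForEach-Object { Write-Host "Chain : $_" }
$report.Status | ForEach-Object { Write-Host "Status: $_" }
```

The script validates with the trust stores of the account that runs it, so a CA installed only in that user's personal store can pass here while the Agent service still fails; install the CA in the Local Machine store as described above.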