Entra ID User Provisioning Fails for vCenter Server. Error: SystemForCrossDomainIdentityManagementCredentialValidationFailure

Article ID: 430118

Products

VMware vCenter Server

Issue/Introduction

User provisioning fails in Microsoft Entra ID (formerly Azure AD) with the error below:

Test connection to target application
Failed to test connection to target application
Error code
SystemForCrossDomainIdentityManagementCredentialValidationFailure
Error message
While attempting to validate our authorization to access your application, we received this unexpected response:

Received response from Web resource.
   Resource: https://<vcenter_fqdn>/Users?filter=userName+eq+"########-###########"
   Operation: GET 
   Response Status Code: Unauthorized
   Response Headers: x-xss-protection: 1; mode=block
strict-transport-security: max-age=########
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-security-policy: default-src blob: https: 'self' ; script-src 'unsafe-inline' 'unsafe-eval' https: 'self' ; style-src 'unsafe-inline' https: 'self'; img-src https: data: 'self'; frame-ancestors 'self'
x-envoy-upstream-service-time: ##
Date: Day, DD MMM YYYY hh:mm:ss Timezone
   Response Content: {"errors":[{"code":"401","message":"Unauthorized"}]}

Environment

  • vCenter Server 8.0

Cause

The SCIM integration in vCenter Server relies on a Secret Token with a defined lifespan (default is typically 6 months). When this token expires or is manually revoked, Entra ID fails the "Test Connection" and user provisioning tasks with the error SystemForCrossDomainIdentityManagementCredentialValidationFailure.

The HTTP 401 Unauthorized response indicates that while the network path is open, the bearer token presented in the request header is rejected by the VMware Identity Service.

Resolution

Regenerate Secret Token in vCenter

  1. Log in to the vSphere Client with Administrator privileges.
  2. Navigate to Administration > Single Sign-On > Configuration.
  3. Select the Identity Provider tab.
  4. Locate the configured Entra ID provider and scroll down to the User Provisioning section.
  5. Click Regenerate (or Generate if one does not exist) next to the Secret Token field.
  6. Copy the new token immediately.
    Note: This token is not stored in plain text in vCenter and cannot be retrieved later.

Update Entra ID Provisioning Configuration

  1. Log in to the Microsoft Entra admin center.
  2. Navigate to Enterprise Applications > All Applications.
  3. Select your vCenter SCIM/Provisioning Application.
  4. In the left sidebar, click Provisioning, then click Edit Provisioning.
  5. Expand the Admin Credentials section.
  6. Paste the new token into the Secret Token field.
  7. Click Test Connection to verify.
  8. Once verified, click Save.
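After rotating the token, it helps to confirm outside the Entra portal that the new Secret Token is accepted and that the earlier 401 really was a credential rejection rather than a network or TLS fault. The script below is an added example written for this article, not VMware's or Microsoft's code: it issues the same kind of filtered GET against the SCIM /Users endpoint that Entra ID's Test Connection sends (the request shown in the error above) with a bearer token, and maps the response to a verdict. The SCIM path (SCIM_PATH), the probe user name, the environment variable VC_SCIM_TOKEN and the hostname are assumptions; the redacted URL in the error shows only https://<vcenter_fqdn>/Users, so adjust SCIM_PATH to the Tenant URL configured in the Entra provisioning application.

```python
"""
Added example (not from the KB article): replay Entra ID's SCIM "Test Connection"
probe against vCenter and classify the result, so an expired, revoked or mistyped
Secret Token can be told apart from a network or TLS problem after rotation.

Assumptions: SCIM_PATH and the probe user name are placeholders; the KB shows only
the redacted URL https://<vcenter_fqdn>/Users?filter=userName+eq+"...".
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Placeholder: replace with the Tenant URL path configured in the Entra app.
SCIM_PATH = "/Users"


def build_probe_url(vcenter_fqdn: str, user_name: str = "scim-probe") -> str:
    """Build the filtered /Users query Entra ID issues on Test Connection."""
    query = urllib.parse.urlencode({"filter": f'userName eq "{user_name}"'})
    return f"https://{vcenter_fqdn}{SCIM_PATH}?{query}"


def classify_scim_response(status: int, body: str) -> str:
    """Map the HTTP status and SCIM error body to an actionable verdict."""
    if status == 200:
        return "token-accepted"
    if status == 401:
        # vCenter answers {"errors":[{"code":"401","message":"Unauthorized"}]}
        # when the bearer token is rejected by the VMware Identity Service.
        try:
            errors = json.loads(body).get("errors", [])
        except (ValueError, AttributeError):
            errors = []
        codes = {str(e.get("code")) for e in errors if isinstance(e, dict)}
        if "401" in codes or not errors:
            return "token-rejected"  # expired, revoked or mistyped Secret Token
        return "unauthorized-other"
    if status == 403:
        return "token-valid-but-forbidden"  # authenticated, but not allowed
    return f"unexpected-{status}"


def probe(vcenter_fqdn: str, secret_token: str,
          verify_tls: bool = True, timeout: int = 10) -> str:
    """Send the bearer-token probe and return a verdict; network errors raise."""
    req = urllib.request.Request(
        build_probe_url(vcenter_fqdn),
        headers={"Authorization": f"Bearer {secret_token}",
                 "Accept": "application/scim+json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab vCenters with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_scim_response(
                resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        # 401/403 arrive here; a connection or TLS failure raises URLError instead
        return classify_scim_response(e.code, e.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import os
    import sys
    # Usage: VC_SCIM_TOKEN=<new token> python scim_probe.py vcenter.example.test
    # The token is read from the environment so it never lands in shell history.
    print(probe(sys.argv[1], os.environ["VC_SCIM_TOKEN"]))
```

A verdict of token-rejected after pasting the regenerated token usually means the copied value is wrong or a stale token is still saved in Entra; a URLError (connection refused, certificate failure) points at the network path instead, which the 401 in the article explicitly rules out.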