After patching vCenter to 8.0 U3h, API logins are failing for AD accounts using ADFS identity source
Article ID: 430844

Products

VMware vCenter Server

Issue/Introduction

  • After patching a vCenter that uses an ADFS identity source to 8.0 U3h, authentication for the AD service account fails for API logins.

  • Checking /var/log/vmware/sso/vmware-identity-sts.log, we see:

    INFO sts[66:tomcat-http--28] [CorId=] [com.vmware.vcenter.tokenservice.external.identitymanagement.AdfsIdentityManagementProvider] Refreshed ADFS store data in 3 ms
    ERROR sts[66:tomcat-http--28] [CorId=] [com.vmware.vcenter.tokenservice.external.identitymanagement.AdfsIdentityManagementProvider] Token endpoint request to proxy URL http://localhost:1080/external-vecs/http1/adfs_fqdn/443/adfs/oauth2/token/ failed with response code 400
    ERROR sts[66:tomcat-http--28] [CorId=] [com.vmware.vcenter.tokenservice.external.identitymanagement.AdfsIdentityManagementProvider] Login failure for user {Name: user_name, Domain: domain_name}
    javax.security.auth.login.LoginException: Resource owner password grant authentication failed with response 400 Bad Request
            at com.vmware.vcenter.tokenservice.external.identitymanagement.AdfsIdentityManagementProvider.doResourceOwnerPasswordGrant(AdfsIdentityManagementProvider.java:328)

  • The authentication works fine while on vCenter 8.0 U3e or below.

  • Trying an API-based authentication with curl from the vCenter SSH shell fails with the error below:

    # curl --insecure --request POST --url https://localhost/api/session -u "<service account username>:<service account password>"
    
    {"error_type":"UNAUTHENTICATED","messages":[]}

Environment

VMware vCenter Server 8.x

Cause

  • vCenter 8.0 U3h contains a security fix for an issue where a username and password login by API or UI might bypass federation policies such as Multi-Factor Authentication (MFA) or Geofencing.
  • Once on vCenter 8.0 U3h, the ADFS policies are enforced for these logins.

Resolution

Validate the following for the AD service account in ADFS to isolate the issue:

  1. The ADFS server must support the password grant. This can be checked via the well-known openid-configuration endpoint:

    https://<ADFS hostname>/adfs/.well-known/openid-configuration

    The endpoint should list "password" as a supported grant type:

      "grant_types_supported": [
        "authorization_code",
        "refresh_token",
        "client_credentials",
        "###",
        "###",
        "password",
        "###",
        ...
      ],

  2. Make sure MFA is not enabled for service accounts.

  3. Confirm that the ADFS server is generating an access token for the impacted account:

    curl -v -k -X POST --location "https://<adfs hostname>/adfs/oauth2/token"  -H "Content-Type: application/x-www-form-urlencoded" --data-urlencode "client_id=<client id>" --data-urlencode "client_secret=<client secret>" --data-urlencode "username=<user@domain>" --data-urlencode 'password=<password>' --data-urlencode "grant_type=password"

    A successful request returns a response that ends like the following:

    {"access_token":"#############################............"}

    A failure can look like:

    "Unable to process password_grant request. Password authentication is not enabled on the STS"

If the STS error above is returned, reach out to the ADFS team or Microsoft for further support to address the issue.
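As an added example (not part of this KB article), a small Python triage helper that applies the two checks above to the responses captured from the curl commands: it tests the discovery document for the "password" grant, builds the same form body the curl command posts, and classifies the token endpoint reply. The hostname and sample JSON bodies are constructed, and wrapping the STS failure message in an OAuth-style `error_description` field is an assumption.

```python
"""Triage helper for the two ADFS checks above (added example, not from the KB).
Sample hostname and JSON bodies are constructed placeholders."""
import json
import urllib.parse

ADFS_HOST = "adfs.example.internal"  # placeholder, not a real ADFS host
STS_DISABLED_MSG = "Password authentication is not enabled on the STS"


def discovery_url(adfs_host: str) -> str:
    # Step 1: the well-known endpoint the article says to inspect.
    return f"https://{adfs_host}/adfs/.well-known/openid-configuration"


def password_grant_supported(discovery_json: str) -> bool:
    # Step 1: "password" must appear in grant_types_supported.
    doc = json.loads(discovery_json)
    return "password" in doc.get("grant_types_supported", [])


def ropc_form(client_id: str, client_secret: str, username: str, password: str) -> str:
    # Step 3: the form body the article's curl command posts to /adfs/oauth2/token.
    return urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password, "grant_type": "password",
    })


def classify_token_response(status: int, body: str) -> str:
    # Map the token endpoint reply to the outcomes the article describes.
    if STS_DISABLED_MSG in body:
        return "password_grant_disabled_on_sts"  # escalate to the ADFS team
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "unparseable"
    if status == 200 and "access_token" in doc:
        return "token_issued"  # ADFS side is fine; look at vCenter instead
    if status == 400:
        return "bad_request"  # same code the vmware-identity-sts.log shows
    return "unexpected"


# Constructed sample replies, modelled on the outputs shown in the article.
SAMPLE_DISCOVERY = json.dumps({"grant_types_supported": [
    "authorization_code", "refresh_token", "client_credentials", "password"]})
SAMPLE_SUCCESS = json.dumps({"access_token": "eyJ...constructed...", "token_type": "bearer"})
# Assumption: ADFS returns the STS message inside an OAuth-style error_description.
SAMPLE_FAILURE = json.dumps({"error": "invalid_request", "error_description": STS_DISABLED_MSG})

if __name__ == "__main__":
    print(discovery_url(ADFS_HOST), password_grant_supported(SAMPLE_DISCOVERY))
    print(classify_token_response(200, SAMPLE_SUCCESS), classify_token_response(400, SAMPLE_FAILURE))
```

Feed it the status code and body from the `curl -v` output of step 3 (or the body of the discovery endpoint from step 1) rather than pasting the service account password into a script.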