Login to vCenter 9.x with Entra Account fails with error "Access denied. Unable to authenticate the user" in the UI and "User fetching exception with nameId" in the logs.

Article ID: 431031

Products

VMware Cloud Foundation VMware vCenter Server

Issue/Introduction

  • Microsoft Entra ID is configured as the VCF SSO identity provider with SCIM provisioning. However, vCenter does not allow login via SSO.
  • The vSphere Client shows the error "Access denied. Unable to authenticate the user" after the credentials are entered, as shown in the screenshot below:



  • In an Embedded SSO deployment type, the federation service logs on vCenter show the log snippets below:

    Note: Searching the logs for the UUID shown in the Access Denied error message above locates these log messages.

    /var/log/vmware/vc-ws1a-broker/federation-service.log

    YYYY-MM-DDTHH:MM:SS,### INFO  <vc_name.example.com>:federation (federation-business-pool-0) [CUSTOMER;-;###.###.###.###;<UID>;-;-] com.vmware.vidm.federation.login.context.LoginContextManager - Created new login context with id: fab7####-####-4cae-####-c7fb########

    YYYY-MM-DDTHH:MM:SS,### INFO  <vc_name.example.com>:federation (vert.x-eventloop-thread-2) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - [client #13 @2147904e] opening connection to login.microsoftonline.com:443
    YYYY-MM-DDTHH:MM:SS,### INFO  <vc_name.example.com>:federation (vert.x-eventloop-thread-2) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - [client #13 @2147904e] established connection with login.microsoftonline.com:443

    YYYY-MM-DDTHH:MM:SS,### INFO  <vc_name.example.com>:federation (federation-business-pool-0) [CUSTOMER;-;###.###.###.###;<UID>;-;fab7####-####-4cae-####-c7fb########] com.vmware.vidm.federation.utils.MetricsPublisherUtil - OIDC authentication successful

    YYYY-MM-DDTHH:MM:SS,### INFO  <vc_name.example.com>:federation (federation-business-pool-0) [CUSTOMER;-;###.###.###.###;<UID>;-;fab7####-####-4cae-####-c7fb########] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: fab7####-####-4cae-####-c7fb######## on attribute ExternalId=priq9X################################SgCJUs, domains: [example.com]

    YYYY-MM-DDTHH:MM:SS,### WARN  <vc_name.example.com>:federation (ForkJoinPool-2-worker-1571) [CUSTOMER;-;###.###.###.###;<UID>;-;fab7####-####-4cae-####-c7fb########] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId priq9X################################SgCJUs, nameIdFormat ExternalId, and domains [example.com], user not found
    YYYY-MM-DDTHH:MM:SS,### INFO  <vc_name.example.com>:federation (federation-business-pool-0) [CUSTOMER;-;###.###.###.###;<UID>;-;fab7####-####-4cae-####-c7fb########] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: fab7####-####-4cae-####-c7fb########, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false
    YYYY-MM-DDTHH:MM:SS,### INFO  <vc_name.example.com>:federation (federation-business-pool-0) [CUSTOMER;-;###.###.###.###;<UID>;-;fab7####-####-4cae-####-c7fb########] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: USER_NOT_FOUND
    YYYY-MM-DDTHH:MM:SS,### INFO  <vc_name.example.com>:federation (federation-business-pool-0) [CUSTOMER;-;###.###.###.###;<UID>;-;fab7####-####-4cae-####-c7fb########] com.vmware.vidm.federation.exception.handler.LoginExceptionHandler - Access denied for login context: fab7####-####-4cae-####-c7fb########
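    The note above says to search federation-service.log for the UUID from the error dialog. The following script is an added example (not part of this article and not a VMware tool) that automates that triage: it collects every line for one login context id, records whether the IdP step succeeded, which nameId/nameIdFormat the JIT lookup used, and the reason code, and then checks whether the pattern is the one this article describes. The log excerpt is constructed to mirror the snippet above; host, address, user and context ids are placeholders.

```python
import re

# Constructed log excerpt modelled on the federation-service.log snippet in this
# article; host, address, user and context ids are placeholders, not live data.
CONTEXT_ID = "fab70000-0000-4cae-0000-c7fb00000000"
OTHER_CONTEXT_ID = "99990000-0000-4000-8000-000000000000"
SAMPLE_LOG = f"""\
2025-01-01T10:00:00,001 INFO  <vc.example.com>:federation (federation-business-pool-0) [CUSTOMER;-;10.0.0.5;uid;-;-] com.vmware.vidm.federation.login.context.LoginContextManager - Created new login context with id: {CONTEXT_ID}
2025-01-01T10:00:00,120 INFO  <vc.example.com>:federation (federation-business-pool-0) [CUSTOMER;-;10.0.0.5;uid;-;{CONTEXT_ID}] com.vmware.vidm.federation.utils.MetricsPublisherUtil - OIDC authentication successful
2025-01-01T10:00:00,130 INFO  <vc.example.com>:federation (federation-business-pool-0) [CUSTOMER;-;10.0.0.5;uid;-;{CONTEXT_ID}] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: {CONTEXT_ID} on attribute ExternalId=priq9Xconstructed, domains: [example.com]
2025-01-01T10:00:00,140 WARN  <vc.example.com>:federation (ForkJoinPool-2-worker-1) [CUSTOMER;-;10.0.0.5;uid;-;{CONTEXT_ID}] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId priq9Xconstructed, nameIdFormat ExternalId, and domains [example.com], user not found
2025-01-01T10:00:00,150 INFO  <vc.example.com>:federation (federation-business-pool-0) [CUSTOMER;-;10.0.0.5;uid;-;{CONTEXT_ID}] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: {CONTEXT_ID}, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false
2025-01-01T10:00:01,000 INFO  <vc.example.com>:federation (federation-business-pool-0) [CUSTOMER;-;10.0.0.9;uid2;-;{OTHER_CONTEXT_ID}] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: OTHER_REASON_PLACEHOLDER
"""

# Patterns taken from the message formats visible in the snippet above.
NAMEID_RE = re.compile(
    r"User fetching exception with nameId ([^,\s]+), nameIdFormat ([^,\s]+), and domains \[([^\]]*)\]"
)
REASON_RE = re.compile(r"reason(?: code)?: ([A-Z_]+)")
AUTH_OK = "OIDC authentication successful"


def triage_login_context(log_text: str, context_id: str) -> dict:
    """Summarise one login attempt: all lines carrying the context id from the
    error dialog, plus the facts needed to classify the failure."""
    lines = [line for line in log_text.splitlines() if context_id in line]
    summary = {
        "context_id": context_id,
        "lines": len(lines),
        "oidc_auth_ok": False,   # did the IdP (Entra) accept the user?
        "name_id": None,         # value the JIT lookup searched for
        "name_id_format": None,  # attribute the lookup matched on
        "domains": [],
        "reason": None,          # reason code reported by the federation service
    }
    for line in lines:
        if AUTH_OK in line:
            summary["oidc_auth_ok"] = True
        m = NAMEID_RE.search(line)
        if m:
            summary["name_id"] = m.group(1)
            summary["name_id_format"] = m.group(2)
            summary["domains"] = [d.strip() for d in m.group(3).split(",") if d.strip()]
        m = REASON_RE.search(line)
        if m:
            summary["reason"] = m.group(1)
    return summary


def matches_this_article(summary: dict) -> bool:
    """True for the pattern this article describes: the IdP authenticated the
    user, but the JIT lookup by ExternalId found no provisioned user."""
    return (
        summary["oidc_auth_ok"]
        and summary["name_id_format"] == "ExternalId"
        and summary["reason"] == "USER_NOT_FOUND"
    )


if __name__ == "__main__":
    # Real use: open("/var/log/vmware/vc-ws1a-broker/federation-service.log").read()
    result = triage_login_context(SAMPLE_LOG, CONTEXT_ID)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("matches this article:", matches_this_article(result))
```

    A login whose summary shows `oidc_auth_ok` true together with `USER_NOT_FOUND` on `ExternalId` points at the attribute mapping rather than at credentials or at the connection to login.microsoftonline.com.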

Environment

  • VCF 9.x
  • vCenter 9.x

Cause

This happens when the Unique Identifier in the OIDC attribute mapping of the VCF SSO configuration is set to sub, whereas the Entra ID user token carries the user's Object Id in the oid claim as the unique identifier. The user lookup therefore searches for a value that no provisioned user carries, and the login fails with USER_NOT_FOUND.
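The claim-selection problem in a small model, as an added example (not code from this article or from VMware): an ID token with both a sub and an oid claim is decoded, and a JIT-style lookup searches the provisioned users by whichever claim the Unique Identifier setting names. With sub the lookup reports USER_NOT_FOUND; with oid it finds the user. The token, claims and user store are constructed; the token is unsigned (alg none) purely to keep the example self-contained, which a real client must never accept. That Entra's sub is a per-application pairwise identifier while oid is the directory object id is Microsoft's documented behaviour and is stated in the comments.

```python
import base64
import json

# Constructed user store as SCIM provisioning leaves it in VCF SSO: the key is the
# user's ExternalId, which for Entra-provisioned users is the object id (oid).
SCIM_USERS = {
    "3f1c2a9e-0000-4000-8000-000000000001": {
        "userName": "alice@example.com",
        "domain": "example.com",
    },
}

# Constructed ID-token claims. In Entra ID, "sub" is a pairwise identifier unique to
# the user *and* the application, while "oid" is the user's object id in the tenant.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0",
    "sub": "priq9Xconstructed-pairwise-subject",
    "oid": "3f1c2a9e-0000-4000-8000-000000000001",
    "preferred_username": "alice@example.com",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_id_token(claims: dict) -> str:
    """Build a JWT-shaped token with alg=none for this demonstration only.
    A real Entra token is signed, and its signature, issuer and audience must
    be verified before any claim is trusted."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT-shaped token (no verification; demo only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_user(claims: dict, unique_identifier: str, users: dict):
    """Model the JIT lookup: the claim named by the Unique Identifier setting becomes
    the ExternalId searched for. Returns (user, reason); reason is None on success
    and "USER_NOT_FOUND" otherwise, mirroring the reason code in the log."""
    name_id = claims.get(unique_identifier)
    if name_id is None:
        return None, "USER_NOT_FOUND"
    user = users.get(name_id)
    if user is None:
        return None, "USER_NOT_FOUND"
    return user, None


if __name__ == "__main__":
    token = make_unsigned_id_token(SAMPLE_CLAIMS)
    claims = decode_claims(token)
    for setting in ("sub", "oid"):
        user, reason = resolve_user(claims, setting, SCIM_USERS)
        print(f"Unique Identifier={setting}: nameId={claims.get(setting)} -> "
              f"{user['userName'] if user else reason}")
```

The same token is accepted by the IdP in both runs; only the choice of claim decides whether the provisioned user is found, which is why the fix below changes the mapping rather than the account.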

Resolution

Change the Unique Identifier in the VCF SSO configuration from sub to oid by following the steps below:

  1. Log in to the VCF Operations UI.
  2. Select Fleet Management -> Identity & Access.
  3. Select the instance from VCF Instances and click Identity Source.
  4. Click Edit to modify the VCF SSO configuration.



  5. Modify the value of Unique Identifier from sub to oid:

    From:


    To:


  6. Enter the shared secret for the Entra ID application. The secret is mandatory for any change to the Identity Source configuration.



  7. Save the configuration changes.



  8. Retry the login to vCenter Server with the Entra ID account.