Login to HCX 443 UI fails with "Unable to login. Reason:Unauthorized" when vCenter SSO is integrated to Microsoft Entra ID with Multi-Factor Authentication (MFA)



Article ID: 431770


Products

VMware HCX

Issue/Introduction

  • HCX 443 hybridity UI login fails with "Unable to login. Reason:Unauthorized".
  • vCenter SSO is integrated to Microsoft Entra ID with Multi-Factor Authentication (MFA) for domain user login.
  • vCenter domain user login is working fine using Microsoft Entra ID with Multi-Factor Authentication (MFA).

  • The following error is observed in /common/logs/admin/web.log:
    <timestamps> UTC [http-nio-8443-exec-10, , , TxId: ] INFO  c.v.v.h.a.HybridityAuthenticationEntryPoint- AuthenticationEntryPoint - unauthorized request for URI /hybridity/api/sessions
    <timestamps> UTC [http-nio-8443-exec-10, , , TxId: ] ERROR c.v.v.h.a.HybridityAuthenticationEntryPoint- AuthenticationEntryPoint - got AuthenticationException
    org.springframework.security.authentication.BadCredentialsException: Error validating user <ad-username>: Status code: 500, Reason: Internal Server Error<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope"><faultcode xmlns:ns0="http://docs.oasis-open.org/ws-sx/ws-trust/200512">ns0:FailedAuthentication</faultcode><faultstring>Invalid credentials</faultstring></S:Fault></S:Body></S:Envelope>
    <timestamps> UTC [http-nio-8443-exec-10, , , TxId: ] ERROR c.v.v.h.a.HybridityAuthenticationEntryPoint- Sending Response Error 401 for /hybridity/api/sessions


  • The following error is observed in VC logs >> /var/log/vmware/sso/vmware-identity-sts.log:
    <timestamps> INFO sts[78:tomcat-http--40] [CorId=####-602e-####-8c1a-ca27b2b0b8de] [com.vmware.identity.sts.impl.STSImpl] Entering issue() token...
    <timestamps> ERROR sts[78:tomcat-http--40] [CorId=####-602e-####-8c1a-ca27b2b0b8de] [com.vmware.vcenter.tokenservice.external.identitymanagement.ExternalIdentityManagementProvider] Login failure for user {Name: <username>, Domain: <domain-name>}
    javax.security.auth.login.LoginException: Login Failed to server https://<vc-fqdn-ip>/acs/t/CUSTOMER/token with Response code: 400. Message: Bad Request


  • The following error is observed in VC logs >> /var/log/vmware/vc-ws1a-broker/accesscontrol-service-10.log:
    <timestamps> ERROR <vc-fqdn-ip>:accesscontrol (ForkJoinPool-5-worker-4) [CUSTOMER;-;127.0.0.1;####-####-####-ca62d1bea0d2;-;####;password]
    com.vmware.vidm.accesscontrol.tokengranter.password.FederationPasswordTokenGranter - FAILURE: Call to Federation failed with status FAILURE and message invalid_grant: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '#######-0000-0000-c000-000000000000'. Trace ID: ####-####-####-ac9093370900 Correlation ID: ####-####-####-a8ba6bae78cb Timestamp: <timestamps>
    <timestamps> WARN  <vc-fqdn-ip>:accesscontrol (ForkJoinPool-5-worker-5) [CUSTOMER;-;127.0.0.1;####-####-####-ca62d1bea0d2;-;####;password]
    com.vmware.vidm.accesscontrol.resource.auth.TokenResource - Failed during issuing token java.util.concurrent.CompletionException: com.vmware.vidm.accesscontrol.exceptions.oauth2.InvalidGrantException: invalid.user.or.password

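The three log excerpts above form one failure chain: HCX answers 401 because the vCenter STS returned 500, the STS failed because the ws1a access-control token endpoint returned 400, and that endpoint failed because Entra ID rejected the password-only token request with AADSTS50076 (MFA required). The triage helper below is an added example, not code from the KB article or from the HCX product; it scans constructed sample lines shaped like the excerpts (usernames, hostnames and IDs are placeholders) and reports whether all three signatures line up, so an operator can distinguish this unsupported configuration from an ordinary wrong-password failure. The file names, function names and verdict strings are the example's own.

```python
"""Triage helper for the HCX 443 login failure chain described in the article.

Added example, not part of the KB article or the HCX product. The regexes
are derived from the log excerpts above; the sample log text is constructed.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Signatures taken from the three excerpts in the article.
HCX_401 = re.compile(r"Sending Response Error 401 for /hybridity/api/sessions")
HCX_BADCRED = re.compile(r"BadCredentialsException: Error validating user (\S+): Status code: (\d+)")
STS_LOGIN_FAIL = re.compile(r"LoginException: Login Failed to server (\S+) with Response code: (\d+)")
ACS_AADSTS = re.compile(r"invalid_grant: (AADSTS\d+):")
ACS_INVALID_GRANT = re.compile(r"InvalidGrantException")

# Constructed sample lines mirroring /common/logs/admin/web.log on the HCX appliance.
SAMPLE_WEB_LOG = """\
2024-01-01 10:00:00 UTC [http-nio-8443-exec-10, , , TxId: ] INFO  c.v.v.h.a.HybridityAuthenticationEntryPoint- AuthenticationEntryPoint - unauthorized request for URI /hybridity/api/sessions
2024-01-01 10:00:00 UTC [http-nio-8443-exec-10, , , TxId: ] ERROR c.v.v.h.a.HybridityAuthenticationEntryPoint- AuthenticationEntryPoint - got AuthenticationException
org.springframework.security.authentication.BadCredentialsException: Error validating user jdoe@corp.example: Status code: 500, Reason: Internal Server Error<?xml version='1.0' encoding='UTF-8'?><S:Envelope><S:Body><S:Fault><faultstring>Invalid credentials</faultstring></S:Fault></S:Body></S:Envelope>
2024-01-01 10:00:00 UTC [http-nio-8443-exec-10, , , TxId: ] ERROR c.v.v.h.a.HybridityAuthenticationEntryPoint- Sending Response Error 401 for /hybridity/api/sessions
"""

# Constructed sample lines mirroring /var/log/vmware/sso/vmware-identity-sts.log on vCenter.
SAMPLE_STS_LOG = """\
2024-01-01 10:00:00 ERROR sts[78:tomcat-http--40] [CorId=placeholder] [com.vmware.vcenter.tokenservice.external.identitymanagement.ExternalIdentityManagementProvider] Login failure for user {Name: jdoe, Domain: corp.example}
javax.security.auth.login.LoginException: Login Failed to server https://vc.corp.example/acs/t/CUSTOMER/token with Response code: 400. Message: Bad Request
"""

# Constructed sample lines mirroring /var/log/vmware/vc-ws1a-broker/accesscontrol-service-10.log.
SAMPLE_ACS_LOG = """\
2024-01-01 10:00:00 ERROR vc.corp.example:accesscontrol (ForkJoinPool-5-worker-4) [CUSTOMER;-;127.0.0.1;placeholder;-;placeholder;password]
com.vmware.vidm.accesscontrol.tokengranter.password.FederationPasswordTokenGranter - FAILURE: Call to Federation failed with status FAILURE and message invalid_grant: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access 'placeholder'.
com.vmware.vidm.accesscontrol.resource.auth.TokenResource - Failed during issuing token java.util.concurrent.CompletionException: com.vmware.vidm.accesscontrol.exceptions.oauth2.InvalidGrantException: invalid.user.or.password
"""


@dataclass
class Findings:
    hcx_401: bool = False                      # HCX UI sent 401 for /hybridity/api/sessions
    hcx_user: Optional[str] = None             # user HCX tried to validate against the STS
    hcx_upstream_status: Optional[int] = None  # status the STS returned to HCX (500 in the article)
    sts_status: Optional[int] = None           # status the ws1a token endpoint returned to the STS (400)
    aadsts_codes: List[str] = field(default_factory=list)  # Entra ID error codes seen
    acs_invalid_grant: bool = False            # ws1a raised InvalidGrantException


def scan(web_log: str, sts_log: str, acs_log: str) -> Findings:
    """Extract the relevant fields from each of the three logs."""
    f = Findings()
    for line in web_log.splitlines():
        if HCX_401.search(line):
            f.hcx_401 = True
        m = HCX_BADCRED.search(line)
        if m:
            f.hcx_user, f.hcx_upstream_status = m.group(1), int(m.group(2))
    for line in sts_log.splitlines():
        m = STS_LOGIN_FAIL.search(line)
        if m:
            f.sts_status = int(m.group(2))
    for line in acs_log.splitlines():
        m = ACS_AADSTS.search(line)
        if m:
            f.aadsts_codes.append(m.group(1))
        if ACS_INVALID_GRANT.search(line):
            f.acs_invalid_grant = True
    return f


def diagnose(f: Findings) -> str:
    """Map the findings to a verdict string (names are this example's own).

    AADSTS50076 means Entra ID required MFA for a password-only token request,
    which the HCX 443 login path cannot complete: the unsupported configuration
    this article describes. Without that code the same 401/500/400 chain could
    be any federation failure, so it gets a weaker verdict.
    """
    if "AADSTS50076" in f.aadsts_codes and f.hcx_401:
        return "mfa-enforced-entra-id"
    if f.hcx_401 and f.hcx_upstream_status == 500 and f.sts_status == 400:
        return "sts-federation-failure"
    if f.hcx_401:
        return "hcx-unauthorized-other"
    return "no-match"


if __name__ == "__main__":
    # Usage: python triage.py [web.log sts.log accesscontrol.log]; defaults to the samples.
    if len(sys.argv) == 4:
        logs = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]]
    else:
        logs = [SAMPLE_WEB_LOG, SAMPLE_STS_LOG, SAMPLE_ACS_LOG]
    found = scan(*logs)
    print(f"user={found.hcx_user} hcx_upstream={found.hcx_upstream_status} "
          f"sts_upstream={found.sts_status} aadsts={found.aadsts_codes}")
    print("verdict:", diagnose(found))
```

The verdict `mfa-enforced-entra-id` requires both the HCX 401 and the AADSTS50076 code, because the HCX-side and STS-side lines alone are indistinguishable from a mistyped password; only the access-control log names the MFA requirement that the password grant cannot satisfy.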

Environment

VMware HCX 9.x
vCenter 8.x
Microsoft Entra ID with Multi-Factor Authentication (MFA)

Cause

Authentication to the HCX UI (port 443) using Active Directory credentials is unsupported when vCenter Single Sign-On is integrated with Microsoft Entra ID enforcing Multi-Factor Authentication (MFA).

Resolution

Authentication to the HCX UI (port 443) using Active Directory credentials is unsupported when vCenter Single Sign-On is integrated with Microsoft Entra ID enforcing Multi-Factor Authentication (MFA). This authentication flow is only supported in VMware Cloud Foundation (VCF) 9.x environments where the VCF Identity Broker is deployed and HCX is configured to use VCF SSO.

WORKAROUND:
  • Use vCenter SSO local accounts, or
  • Configure Microsoft Entra ID without enforcing Multi-Factor Authentication (MFA).

Additional Information