Error: "Failed to get a access token on host <IPAddress> for tenant <TenantName>" when adding Entra ID provider to vCenter
Article ID: 433271
Updated On:
Products
VMware vCenter Server
Issue/Introduction
When attempting to add an Entra ID provider configuration to the vCenter, the process fails with the below error:
Failed to get a access token on host <IPAddress> for tenant <TenantName>
In vCenter logs: /var/log/VMware/trustmanagement/trustmanagement-svcs.log can see the following error:
[tomcat-exec-7 [] INFO com.vmware.vcenter.trustmanagement.authbroker.BrokerClient opId=] API request GET_CLIENT_CREDENTIALS_TOKEN to url http://localhost:1080/external-vecs/http1/<IpAddress/443/acs/t/<TenantName>/token returned unexpected response code 424 and the following error information: {"error":"server_error","error_description":"Error communicating with external service."}
[tomcat-exec-7 [] ERROR com.vmware.vcenter.trustmanagement.authbroker.BrokerClient opId=] Failed to get a access token on host <IPAddress> for tenant <TenantName>
[tomcat-exec-7 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer opId=] Replace operation failed. Attempting rollback. Triggering exception is: Failed to get a access token on host <IPAddress> for tenant <TenantName>
[tomcat-exec-7 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdentityMigration opId=] Error changing identity provider configuration: Failed to get a access token on host <IPAddress> for tenant <TenantName>
com.vmware.vcenter.trustmanagement.authbroker.BrokerException: Failed to get a access token on host <IPAddress> for tenant <TenantName>
at com.vmware.vcenter.trustmanagement.authbroker.BrokerClient.logAndThrow(BrokerClient.java:1137) ~[libservice.jar:?]
at com.vmware.vcenter.trustmanagement.authbroker.BrokerClient.generateTokenResponse(BrokerClient.java:177) ~[libservice.jar:?]
at com.vmware.vcenter.trustmanagement.authbroker.BrokerClient.generateMasterAccessToken(BrokerClient.java:140) ~[libservice.jar:?]
at com.vmware.vcenter.trustmanagement.authbroker.TenantInitializer.initializeBrokerTenant(TenantInitializer.java:274) ~[libservice.jar:?]
at com.vmware.vcenter.trustmanagement.authbroker.TenantInitializer.ensureTenantInitialized(TenantInitializer.java:260) ~[libservice.jar:?]
at com.vmware.vcenter.trustmanagement.authbroker.TenantInitializer.init(TenantInitializer.java:136) ~[libservice.jar:?]
at com.vmware.vcenter.trustmanagement.authbroker.BrokerAccess.initializeTenant(BrokerAccess.java:1034) ~[libservice.jar:?]
at com.vmware.vcenter.trustmanagement.authbroker.BrokerAccess$RequestRunner.execute(BrokerAccess.java:960) ~[libservice.jar:?]
at com.vmware.vcenter.trustmanagement.authbroker.BrokerAccess.getTenantAdminClientTokenInfo(BrokerAccess.java:313) ~[libservice.jar:?]
at com.vmware.vcenter.trustmanagement.authbroker.BrokerAccess.getTenantReadClientTokenInfo(BrokerAccess.java:348) ~[libservice.jar:?]
at com.vmware.vcenter.trustmanagement.impl.AuthBrokerIdp.list(AuthBrokerIdp.java:1426) ~[libservice.jar:?]
at com.vmware.vcenter.trustmanagement.impl.AuthBrokerIdp.list(AuthBrokerIdp.java:1399) ~[libservice.jar:?]
...snip...
Caused by: com.vmware.vcenter.trustmanagement.authbroker.BrokerClient$HttpStatusException: API request GET_CLIENT_CREDENTIALS_TOKEN failed with response code 424 (Failed Dependency)
Environment
vCenter 9.x
Cause
If the host in the error message is listed as an IP address, this means the vCenter was deployed using an IP instead of FQDN.
vCenter 9 requires fully functioning DNS (reverse and forward) of the name. During lookup operations, if the IP used resolves to a name it can then prevent services from communicating which causes the Entra ID token setup to fail.
Resolution
- Change the PNID (Primary Network Identifier) to be a FQDN. Afterwards update all services and endpoints to utilize the new FQDN. See: Reconfigure the Primary Network Identifier and Using LSDoctor tool to rebuild endpoints
OR
- If the vCenter is a new deployment if may be easier to re-deploy vCenter using the correct FQDN instead of IP address.
Feedback
Yes
No
Powered by
