Configuring External Identity Provider on vCenter fails with the error: "Missing required field 'directory_list' in JSON"

Article ID: 436210

Products

VMware vCenter Server

Issue/Introduction

Configuring External Identity Provider on vCenter fails with error "Missing required field 'directory_list' in JSON"

The vSphere Client shows the following error message:

In the /var/log/vmware/trustmanagement/trustmanagement-svcs.log:

YYYY-MM-DDTHH:MM:SS.MSSZ [tomcat-exec-6 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Broker exception deleting Auth Broker IDP #####-####-####-####-#########
com.vmware.vcenter.trustmanagement.authbroker.BrokerException: Missing required field 'directory_list' in JSON
        at com.vmware.vcenter.trustmanagement.authbroker.ApiRequest.checkField(ApiRequest.java:547) ~[libservice.jar:?]
        at com.vmware.vcenter.trustmanagement.authbroker.ApiRequest.getFieldAsJsonArray(ApiRequest.java:593) ~[libservice.jar:?]
        at com.vmware.vcenter.trustmanagement.authbroker.IdentityProviderConfig.<init>(IdentityProviderConfig.java:209) ~[libservice.jar:?]
        at com.vmware.vcenter.trustmanagement.authbroker.IdentityProviderConfig.<init>(IdentityProviderConfig.java:20) ~[libservice.jar:?]
        ...
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) [tomcat-embed-core-9.0.87.jar:9.0.87]
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-embed-core-9.0.87.jar:9.0.87]
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-embed-core-9.0.87.jar:9.0.87]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) [tomcat-embed-core-9.0.87.jar:9.0.87]
        at java.lang.Thread.run(Thread.java:750) [?:1.8.0_401]
YYYY-MM-DDTHH:MM:SS.MSSZ [tomcat-exec-6 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Replace operation failed. Attempting rollback. Triggering exception is: Missing required field 'directory_list' in JSON
YYYY-MM-DDTHH:MM:SS.MSSZ [tomcat-exec-6 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdentityMigration  opId=] Error changing identity provider configuration: Missing required field 'directory_list' in JSON
com.vmware.vcenter.trustmanagement.authbroker.BrokerException: Missing required field 'directory_list' in JSON
The federation-service.log shows that vCenter is failing to register itself with the internal Access Control Service (ACS):

YYYY-MM-DDTHH:MM:SS.MSSZ INFO  <vcenter-fqdn> () [-;-;-;-;-;-] com.vmware.vidm.federation.AcsMetadataRegistrar - Starting ACS metadata registration, retryAttempt=4
YYYY-MM-DDTHH:MM:SS.MSSZ WARN  <vcenter-fqdn> (ForkJoinPool-2-worker-4) [-;-;-;-;-;-] com.vmware.vidm.common.gateway.mesh.GatewayAuthProvider - Failed to acquire token, returning cached token - Optional.empty, ScBadRequestException[Operation: POST -> http://localhost:10114/acs/token][Status:400]
YYYY-MM-DDTHH:MM:SS.MSSZ WARN  <vcenter-fqdn> (ForkJoinPool-2-worker-3) [-;-;-;-;-;-] com.vmware.vidm.common.gateway.mesh.GatewayAuthProvider - Authentication failure, purging cached GatewayToken.
YYYY-MM-DDTHH:MM:SS.MSSZ ERROR <vcenter-fqdn> (ForkJoinPool-2-worker-3) [-;-;-;-;-;-] com.vmware.vidm.federation.AcsMetadataRegistrar - Failed to register metadata with ACS: {"errors":[{"code":"401","message":"Unauthorized"}]}, will retry again in 1 seconds ScUnauthorizedException[Operation: POST -> http://localhost:10114/acs/services][Status:401]
        at com.vmware.vidm.common.http.client.exception.HttpServerExceptionFactory.aHttpServerException(HttpServerExceptionFactory.java:59)
        at com.vmware.vidm.common.http.client.exception.HttpServerExceptionFactory.aHttpServerException(HttpServerExceptionFactory.java:26)
        at com.vmware.vidm.common.http.client.Request.verify(Request.java:651)
        at java.base/java.util.concurrent.CompletableFuture$UniApply.tryFire(Unknown Source)
        at java.base/java.util.concurrent.CompletableFuture.postComplete(Unknown Source)
In the vc-ws1a-broker/token-service.log:

YYYY-MM-DDTHH:MM:SS.MSSZ WARN  <vcenter-fqdn>:token (ForkJoinPool-2-worker-1) [;;;;] com.vmware.vidm.common.resiliency.circuitbreaker.CircuitBreakers - Exception during execution inside circuit breaker LOCALHOST java.util.concurrent.CompletionException: io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:10114
        at com.vmware.vidm.common.http.client.vertx.VertxHttpClient.handleException(VertxHttpClient.java:224)
        at com.vmware.vidm.common.http.client.vertx.VertxHttpClient.lambda$execute$0(VertxHttpClient.java:82)
        at java.base/java.util.concurrent.CompletableFuture.uniHandle(Unknown Source)
        at java.base/java.util.concurrent.CompletableFuture$UniHandle.tryFire(Unknown Source)
        at java.base/java.util.concurrent.CompletableFuture$Completion.run(Unknown Source)
        at com.vmware.vidm.common.async.ContextPassingExecutor.lambda$wrap$0(ContextPassingExecutor.java:48)
        at java.base/java.util.concurrent.ForkJoinTask$RunnableExecuteAction.exec(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinTask.doExec(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(Unknown Source)
        at java.base/java.util.concurrent.ForkJoinPool.scan(Unknown Source)
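The three log excerpts above form one symptom set: the `directory_list` BrokerException in trustmanagement-svcs.log, the ACS registration 401 in federation-service.log, and the connection refused to localhost:10114 in token-service.log. The following triage script is an added example (not part of the KB) that checks log lines for all three signatures so an operator can confirm the match before following the Resolution; the sample lines are constructed from the excerpts in this article, with placeholder timestamps and FQDN.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the three logs quoted in this KB;
# timestamps, FQDN and IDP id are placeholders, not captured data.
SAMPLE_LOGS = {
    "trustmanagement-svcs.log": [
        "YYYY-MM-DDTHH:MM:SS.MSSZ [tomcat-exec-6 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Broker exception deleting Auth Broker IDP ####-####",
        "com.vmware.vcenter.trustmanagement.authbroker.BrokerException: Missing required field 'directory_list' in JSON",
    ],
    "federation-service.log": [
        'YYYY-MM-DDTHH:MM:SS.MSSZ ERROR vc.example.test (ForkJoinPool-2-worker-3) [-;-;-;-;-;-] com.vmware.vidm.federation.AcsMetadataRegistrar - Failed to register metadata with ACS: {"errors":[{"code":"401","message":"Unauthorized"}]}, will retry again in 1 seconds ScUnauthorizedException[Operation: POST -> http://localhost:10114/acs/services][Status:401]',
    ],
    "token-service.log": [
        "YYYY-MM-DDTHH:MM:SS.MSSZ WARN  vc.example.test:token (ForkJoinPool-2-worker-1) [;;;;] com.vmware.vidm.common.resiliency.circuitbreaker.CircuitBreakers - Exception during execution inside circuit breaker LOCALHOST java.util.concurrent.CompletionException: io.netty.channel.AbstractChannel$AnnotatedConnectException: Connection refused: localhost/127.0.0.1:10114",
    ],
}

# One signature per log file: (log name, pattern, label).
SIGNATURES = [
    ("trustmanagement-svcs.log", re.compile(r"Missing required field 'directory_list' in JSON"), "directory_list_missing"),
    ("federation-service.log", re.compile(r"Failed to register metadata with ACS:.*\[Status:401\]"), "acs_registration_401"),
    ("token-service.log", re.compile(r"Connection refused: localhost/127\.0\.0\.1:10114"), "acs_port_10114_refused"),
]

def load_logs(paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Read each named log from a caller-supplied path; unreadable files count as empty."""
    logs: Dict[str, List[str]] = {}
    for name, path in paths.items():
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                logs[name] = fh.read().splitlines()
        except OSError:
            logs[name] = []
    return logs

def find_symptoms(logs: Dict[str, List[str]]) -> Dict[str, int]:
    """Count the lines in each log that match that log's signature."""
    hits = {label: 0 for _, _, label in SIGNATURES}
    for log_name, pattern, label in SIGNATURES:
        hits[label] += sum(1 for line in logs.get(log_name, []) if pattern.search(line))
    return hits

def matches_kb_436210(logs: Dict[str, List[str]]) -> bool:
    """True when the directory_list error appears together with at least one ACS failure."""
    hits = find_symptoms(logs)
    return hits["directory_list_missing"] > 0 and (
        hits["acs_registration_401"] > 0 or hits["acs_port_10114_refused"] > 0)
```

On an appliance, pass the real paths to `load_logs` (the trustmanagement log lives at /var/log/vmware/trustmanagement/trustmanagement-svcs.log as stated above; the other two paths are not fully given in this article) and feed the result to `matches_kb_436210`.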

Cause

A stale Identity Broker object exists in the vCenter database.

Resolution

  1. Before troubleshooting, take a backup of the vCenter appliance. If the vCenter Servers are in Enhanced Linked Mode, take an offline snapshot of all vCenter Servers in the linked-mode group. Refer: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice
  2. Remove the existing IdP on the vCenter SSO configuration page by switching back to the "Embedded" SSO IdP.

    • The SSO configuration page may at first still list the previous IdP entries. Wait a couple of minutes and refresh the page; it should then show only the default IdP information for the local SSO.
  3. To remove the stale Identity Broker object, follow the resolution steps in the KB: Could not create indirect identity provider: Identity provider with ID <Provider ID> and name Microsoft Entra ID already exists for tenant
  4. After the stale entry has been removed, re-configure the IdP from the vCenter UI.

Additional Information

If, in Step 4, the command fails with output similar to the following:

{"error_type":"ERROR","messages";[{"args":["Missing required field 'directory_list' in JSON"],"default_message":"Missing required field 'directory_list' in JSON","id":"com.vmware.vcenter.trustmanagement.error"}]}

run the script provided in the KB: SDDC Manager UI error - Unable to compute applicability for drift WorkspaceOneBrokerConfigDrift due to broke vc-ws1a-broker service