Login to vCenter 9.x with Entra ID account fails with "Access denied, Unable to authenticate the user" due to Unique Identifier mismatch

Article ID: 437271

Products

VMware vCenter Server

Issue/Introduction

  • When attempting to log in to VMware Cloud Foundation Operations 9.0 using Microsoft Entra SSO (OIDC/SCIM), users encounter the following error message:

"Access denied, Unable to authenticate the user"

  • The following error entries were identified within the vCenter Server in /var/log/vmware/vc-ws1a-broker/federation-service.log:

    YYYY-MM-DDTHH:MM:SS INFO  VC-FQDN:federation (federation-business-pool-0) [CUSTOMER;-;##.##.##.##;Request-ID;-;-] com.vmware.vidm.federation.login.context.LoginContextManager - Created new login context with id: Login-ID
    YYYY-MM-DDTHH:MM:SS INFO  VC-FQDN:federation (federation-business-pool-0) [CUSTOMER;-;##.##.##.##;Session-ID;-;-] com.vmware.vidm.federation.login.context.LoginContextManager - Loaded login context: Login-ID
    YYYY-MM-DDTHH:MM:SS WARN  VC-FQDN:federation (federation-business-pool-0) [CUSTOMER;-;##.##.##.##;Session-ID;-;Login-ID] com.vmware.vidm.federation.login.context.LoginContextManager - User agent changed during login flow from null to Mozilla/ (Windows NT ; Win64; x64) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/
    YYYY-MM-DDTHH:MM:SS WARN  VC-FQDN:federation (federation-business-pool-0) [CUSTOMER;-;##.##.##.##;Session-ID;-;Login-ID] com.vmware.vidm.federation.login.context.LoginContextManager - Client IP changed during login flow from null to ##.##.##.##
    YYYY-MM-DDTHH:MM:SS INFO  VC-FQDN:federation (federation-business-pool-0) [CUSTOMER;-;##.##.##.##;Session-ID;-;Login-ID] com.vmware.vidm.federation.utils.MetricsPublisherUtil - OIDC authentication successful
    YYYY-MM-DDTHH:MM:SS INFO  VC-FQDN:federation (federation-business-pool-0) [CUSTOMER;-;##.##.##.##;Session-ID;-;Login-ID] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - Fetching user for jit login context: Login-ID on attribute [email protected], domains: [domain.com]
    YYYY-MM-DDTHH:MM:SS WARN  VC-FQDN:federation (ForkJoinPool-2-worker) [CUSTOMER;-;##.##.##.##;Session-ID;-;Login-ID] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId [email protected], nameIdFormat ExternalID, and domains [domain.com], user not found
    YYYY-MM-DDTHH:MM:SS INFO  VC-FQDN:federation (federation-business-pool-0) [CUSTOMER;-;##.##.##.##;Session-ID;-;Login-ID] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: Login-ID, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND, isAuthenticationForced: false
    YYYY-MM-DDTHH:MM:SS INFO  VC-FQDN:federation (federation-business-pool-0) [CUSTOMER;-;##.##.##.##;Session-ID;-;Login-ID] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: USER_NOT_FOUND
    YYYY-MM-DDTHH:MM:SS INFO  VC-FQDN:federation (federation-business-pool-0) [CUSTOMER;-;##.##.##.##;Session-ID;-;Login-ID] com.vmware.vidm.federation.exception.handler.LoginExceptionHandler - Access denied for login context: Login-ID

Environment

  • VMware Cloud Foundation 9.x
  • vCenter 9.x

Cause

This issue occurs because of a mismatch between the Unique Identifier expected by VCF SSO and the claim sent by Microsoft Entra ID.

In the OIDC configuration within VCF SSO, the Unique Identifier attribute is set to email. However, the Entra ID user token typically carries the oid (Object ID) as the user's unique identifier.

Because VCF SSO looks the user up by an attribute (email) whose value does not match the identifier it holds for the user, the lookup fails with USER_NOT_FOUND even though the OIDC handshake itself succeeded (the log shows "OIDC authentication successful" immediately before the failed user fetch, with nameIdFormat ExternalID and an email-format nameId).
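To make the mismatch concrete, the following is an added example (not VMware's code) that models the JIT user lookup with the Unique Identifier set to email versus oid, and pulls the failed lookup key out of a federation-service.log excerpt; the token claims, user store, and log lines are constructed, and the "mismatch" flag is a heuristic (an email-shaped nameId where an ExternalID is expected).

```python
import re

# Constructed sample: claims from a decoded Entra ID id_token (placeholder values).
TOKEN_CLAIMS = {
    "oid": "00000000-0000-0000-0000-000000000001",
    "email": "user@domain.com",
}

# Constructed sample: the user store VCF SSO resolves against. SCIM provisioning from
# Entra ID records the user's oid as the external ID, so lookups are keyed by oid.
PROVISIONED_USERS = {
    "00000000-0000-0000-0000-000000000001": {"userName": "user@domain.com", "domain": "domain.com"},
}

def resolve_user(unique_identifier, claims, users):
    """Model the JIT lookup: read the configured Unique Identifier claim from the
    token and look it up as the external ID. Returns (reason_code, detail)."""
    name_id = claims.get(unique_identifier)
    if name_id is None:
        return ("CLAIM_MISSING", unique_identifier)
    user = users.get(name_id)
    if user is None:
        return ("USER_NOT_FOUND", name_id)   # the reason code the federation log reports
    return ("OK", user["userName"])

# Matches the WARN line in federation-service.log that names the failed lookup key.
FETCH_RE = re.compile(
    r"User fetching exception with nameId (?P<name_id>\S+), nameIdFormat "
    r"(?P<fmt>\S+), and domains \[(?P<domains>[^\]]*)\], user not found")

def triage_log(lines):
    """Extract the lookup key from the log and flag an email-vs-oid mismatch."""
    for line in lines:
        m = FETCH_RE.search(line)
        if not m:
            continue
        name_id, fmt = m.group("name_id"), m.group("fmt")
        return {
            "name_id": name_id,
            "name_id_format": fmt,
            "domains": [d.strip() for d in m.group("domains").split(",")],
            "mismatch": fmt == "ExternalID" and "@" in name_id,
        }
    return None

# Constructed log excerpt modelled on the KB's federation-service.log lines.
SAMPLE_LOG = [
    "2025-01-01T00:00:00 INFO  vc.domain.com:federation (federation-business-pool-0) [CUSTOMER;-;10.0.0.5;sid;-;lid] com.vmware.vidm.federation.utils.MetricsPublisherUtil - OIDC authentication successful",
    "2025-01-01T00:00:01 WARN  vc.domain.com:federation (ForkJoinPool-2-worker) [CUSTOMER;-;10.0.0.5;sid;-;lid] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId user@domain.com, nameIdFormat ExternalID, and domains [domain.com], user not found",
]
```

With the identifier set to email the lookup returns USER_NOT_FOUND for user@domain.com; with oid it resolves the same user, which is the change the Resolution section makes.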

Resolution

Change the Unique Identifier in the VCF SSO configuration to the user oid instead of email by following the steps below:

  1. Log in to the VCF Operations UI.
  2. Select Fleet Management > Identity & Access.
  3. Select the Instance from VCF Instances and click on Identity Source.
  4. Click Edit to modify the VCF SSO configuration.
  5. Modify the value of Unique Identifier from email to oid.
  6. Enter the Shared secret for the Entra ID Application. (Entering the shared secret is mandatory for any change to the Identity Source configuration.)
  7. Save the configuration changes.
  8. Retry logging in to vCenter Server using the Entra ID account.