vCenter 9.0 login fails with "Access Denied" when Entra ID provisions users before attribute mapping is configured

Article ID: 440496


Products

VMware vCenter Server

Issue/Introduction

  • After configuring Microsoft Entra ID SSO with vCenter Server 9.0, users are unable to log in.
  • Users successfully authenticate with Entra ID but are redirected to a vCenter page displaying "Access Denied."
  • vCenter Server logs (/var/log/vmware/vc-ws1a-broker/federation-service.log) contain entries similar to:
    WARN ... com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId <UUID>, nameIdFormat ExternalId, and domains [domain.local], user not found
    INFO ... com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. ... exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND

Environment

vCenter Server 9.0

VMware Cloud Foundation 9.0

VMware vSphere Foundation 9.0

Cause

This issue may occur if user synchronization is performed before the Entra ID attribute mapping is configured in vCenter Server.

In this scenario, user records are initialized in the vCenter Server Database (VCDB) with default mapping values. This creates a mismatch between the externalId stored in the VCDB and the Entra ID objectId presented during the OIDC handshake.
Because vCenter Server uses the externalId to identify synchronized users, it cannot locate the user record on subsequent login attempts, and the login fails with an "Access Denied" error.
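Added triage helper, not part of this KB: it parses federation-service.log lines carrying the two signatures quoted above, lists each unresolved nameId with its nameIdFormat, domains and hit count, and flags the USER_NOT_FOUND plus nameIdFormat ExternalId combination that points to the stale-mapping cause. The sample log lines, their timestamp and thread fields, and the UUIDs are constructed; only the message text follows the KB's excerpts.

```python
import re
from collections import Counter

# Constructed sample in the shape of the KB's federation-service.log excerpts. The
# timestamp and thread fields are assumptions (the KB elides them with "..."); the
# UUIDs are made up and the domain is the KB's placeholder domain.local.
SAMPLE_LOG = """\
2025-01-01T10:00:00Z WARN [t1] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId 3f2a9c1e-7b4d-4e0a-9c11-5d6e7f8a9b0c, nameIdFormat ExternalId, and domains [domain.local], user not found
2025-01-01T10:00:00Z INFO [t1] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND
2025-01-01T10:07:00Z WARN [t3] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId 3f2a9c1e-7b4d-4e0a-9c11-5d6e7f8a9b0c, nameIdFormat ExternalId, and domains [domain.local], user not found
2025-01-01T10:07:00Z INFO [t3] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND
2025-01-01T10:09:00Z WARN [t4] com.vmware.vidm.federation.login.processor.AuthResponseUserResolver - User fetching exception with nameId 9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d, nameIdFormat ExternalId, and domains [domain.local], user not found
2025-01-01T10:09:00Z INFO [t4] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: USER_NOT_FOUND
"""

NOT_FOUND_RE = re.compile(
    r"AuthResponseUserResolver - User fetching exception with nameId (?P<name_id>[^,\s]+), "
    r"nameIdFormat (?P<fmt>\w+), and domains \[(?P<domains>[^\]]*)\], user not found")
REASON_RE = re.compile(r"AccessDeniedException: Access denied with reason code: (?P<reason>\w+)")

def unresolved_users(text):
    """Map each nameId the broker failed to resolve to its nameIdFormat, domains and hit count."""
    found = {}
    for line in text.splitlines():
        m = NOT_FOUND_RE.search(line)
        if m:
            rec = found.setdefault(m["name_id"], {"format": m["fmt"], "domains": set(), "count": 0})
            rec["count"] += 1
            rec["domains"].update(d.strip() for d in m["domains"].split(",") if d.strip())
    return found

def denial_reasons(text):
    """Count AccessDeniedException reason codes, e.g. {'USER_NOT_FOUND': 3}."""
    reasons = Counter()
    for line in text.splitlines():
        m = REASON_RE.search(line)
        if m:
            reasons[m["reason"]] += 1
    return reasons

def matches_kb_signature(text):
    """True when the log shows the KB's pattern: USER_NOT_FOUND denials where every
    unresolved lookup used nameIdFormat ExternalId, i.e. Entra ID authenticated the
    user but the VCDB holds no record with that externalId (stale mapping)."""
    users = unresolved_users(text)
    return bool(users) and denial_reasons(text)["USER_NOT_FOUND"] > 0 \
        and all(u["format"] == "ExternalId" for u in users.values())
```

Compare the nameIds it reports against the objectId of each affected user in the Entra ID portal; a user whose objectId never appears as a nameId in the log is a different problem than the one this KB describes.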

Resolution

1. Verify Entra ID Claim Mapping

Ensure that the Entra ID Enterprise Application is sending the correct attribute as the unique identifier.

  • In the Entra ID portal, verify that the Unique User Identifier (Name ID) or the OIDC claim mapped to externalId is set to objectid.

  • See KB 322179 for the detailed configuration.

2. Isolate the Issue with a New User (Workaround)

Create a new user in Entra ID and assign them to the vCenter groups, then attempt to log in.

Note: If this login is successful, your SSO configuration is correct, and the issue is isolated to existing user record mismatches. If you choose to use this new user as a workaround for ongoing operations, you can skip the remaining steps.

3. Clear and Re-synchronize Identity Data (Recommended Resolution)

If you need to remediate the existing affected users, proceed with this step to reset and refresh the synchronized data:

  • In vSphere Client, navigate to Administration > Single Sign-On > Configuration.

  • Change the Identity Provider temporarily back to Embedded (Default). This action typically clears the synchronized SCIM user data from the vCenter database.

  • Re-configure or edit the Entra ID provider to re-trigger a full SCIM synchronization. This will populate the VCDB with the current and correct externalId values.

Additional Information

Configuring Microsoft Entra ID for vCenter Server

Login to vCenter Server with Entra ID user fails with USER_NOT_FOUND