Unable to log in to vCenter with Entra ID credentials

Article ID: 390375


Updated On:

Products

VMware vCenter Server 8.0 VMware Cloud Foundation

Issue/Introduction

  • Entra ID users attempting to log in to vCenter are not authenticated and receive an "Access Denied" error.

  • In vCenter /var/log/vmware/vc-ws1a-broker/federation-service.log you see entries similar to:

    ERROR vCenter.example.com:federation (vert.x-eventloop-thread-#) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000222: The provided client secret keys for app '####-####-####-####-#############' are expired...

    OR

    ERROR vcenter.example.com:federation (vert.x-eventloop-thread-#) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app

Environment

VMware vCenter 8.x

Cause

The client secret for the app registration in Microsoft Azure (Entra ID) has expired, or the secret value was entered incorrectly in the vCenter configuration.

Resolution

  1. Log in to the Azure Portal:
    1. Navigate to https://portal.azure.com and log in with your credentials.

  2. Locate Your App Registration:
    1. In the left-hand menu, select "Azure Active Directory."
    2. Under "Manage," select "App registrations."
    3. Find and select the app registration corresponding to the app ID '####-####-####-####-##########'.

  3. Add a New Client Secret:
    1. Under "Manage," select "Certificates & secrets."
    2. In the "Client secrets" section, click "New client secret."
    3. Add a description for the new client secret (e.g., "New client secret").
    4. Click "Add."

  4. Update Your vCenter with the New Client Secret:
    1. After creating the new client secret, copy the secret Value displayed (not the Secret ID, which is what the AADSTS7000215 error refers to); the value is only shown immediately after creation.
    2. Update your vCenter's configuration with the new client secret value.

Additional Information

  • Refer to the attached document for the step-by-step procedure to reconfigure the New Client Secret. See page 14, step 27 for detailed instructions.

For additional information, refer to: How to Enable Entra ID for vCenter Server

  • In some scenarios, log entries like the following may also be seen:
    Caused by: io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '############'. Trace ID: ############ Correlation ID: ############ Timestamp: YYYY-MM-DDTHH:MM:SSZ
    
    YYYY-MM-DDTHH:MM:SS,285 WARN  ############:federation (federation-business-pool-0) [CUSTOMER;-;############] ############ - Failed to process OIDC authentication
    YYYY-MM-DDTHH:MM:SS,285 INFO  ############:federation (federation-business-pool-0) [CUSTOMER;-;############;-;############] ############ - Metric published: com.vmware.vidm.common.metrics.model.Metrics@22161bd3
    YYYY-MM-DDTHH:MM:SS,285 INFO  ############:federation (federation-business-pool-0) [CUSTOMER;-;############;-;############] com.vmware.vidm.federation.utils.MetricsPublisherUtil - OIDC authentication failed
    YYYY-MM-DDTHH:MM:SS,296 INFO  ############:federation (federation-business-pool-0) [CUSTOMER;-;############;-;############] ############ - Deny access based on ruleset resolution result for login contextId: ############ with reason code: AUTH_FAILED
    YYYY-MM-DDTHH:MM:SS,297 INFO  ############(federation-business-pool-0) [CUSTOMER;-;############;-;############] com.vmware.vidm.federation.login.LoginEventServiceAspect - Failing login. contextUuid: ############, exception: com.vmware.vidm.federation.login.AccessDeniedException: Access denied with reason code: AUTH_FAILED, isAuthenticationForced: false
    YYYY-MM-DDTHH:MM:SS,297 INFO  ############:federation (federation-business-pool-0) [CUSTOMER;-;############;-;############] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: AUTH_FAILED
    YYYY-MM-DDTHH:MM:SS,297 INFO  ############:federation (federation-business-pool-0) [CUSTOMER;-;############;-;############] com.vmware.vidm.federation.exception.handler.LoginExceptionHandler - Access denied for login context: ############
    YYYY-MM-DDTHH:MM:SS,528 INFO ############:federation (scheduled-metrics-publisher-1) [-;-;-;-;-;-] ############ - Metric published: com.vmware.vidm.common.metrics.model.Metrics@13446751
    YYYY-MM-DDTHH:MM:SS,286 INFO  ############:federation (vert.x-eventloop-thread-0) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - [client #22 @796be239] disconnected from login.microsoftonline.com:443

If the log entries match the examples above, follow the steps in the Resolution section to fix the issue.
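To spot these failures without reading the whole log, the following Python checker (an added example, not part of this article or of VMware's tooling) scans federation-service.log lines for the invalid_client codes quoted above (AADSTS7000222 and AADSTS7000215) and reports the likely cause; the sample lines, timestamps and app ID are constructed placeholders.

```python
import re

# Constructed sample lines modelled on the federation-service.log entries quoted
# in this article; the timestamps and app ID are placeholders, not real values.
SAMPLE_LOG = """\
2024-01-01T10:00:00,280 ERROR vcenter.example.com:federation (vert.x-eventloop-thread-0) [-;-;-;-;-;-] com.vmware.vidm.federation.authenticator.oidc.OidcAuthenticationService - Token endpoint failed io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000222: The provided client secret keys for app 'APP-ID-PLACEHOLDER' are expired...
2024-01-01T10:00:00,285 WARN  vcenter.example.com:federation (federation-business-pool-0) [CUSTOMER;-;x] x - Failed to process OIDC authentication
2024-01-01T10:00:00,297 INFO  vcenter.example.com:federation (federation-business-pool-0) [CUSTOMER;-;x] com.vmware.vidm.federation.utils.MetricsPublisherUtil - Login failed due to reason: AUTH_FAILED
Caused by: io.vertx.core.impl.NoStackTraceThrowable: invalid_client: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'APP-ID-PLACEHOLDER'.
"""

# Entra ID error codes quoted in the article, mapped to cause and fix.
KNOWN_CODES = {
    "AADSTS7000222": "client secret expired: create a new secret and reconfigure vCenter",
    "AADSTS7000215": "wrong secret configured (secret ID instead of value): re-enter the secret value",
}

CODE_RE = re.compile(r"invalid_client:\s*(?P<code>AADSTS\d+)")
APP_RE = re.compile(r"app '(?P<app>[^']*)'")
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[,.]\d+)")

def scan(log_text):
    """Return one finding per invalid_client failure: timestamp (if the line
    carries one), AADSTS code, app ID (if present) and a diagnosis."""
    findings = []
    for line in log_text.splitlines():
        m = CODE_RE.search(line)
        if not m:
            continue  # not a token-endpoint failure; AUTH_FAILED lines are only symptoms
        code = m.group("code")
        ts = TS_RE.match(line)
        app = APP_RE.search(line)
        findings.append({
            "ts": ts.group(1) if ts else None,
            "code": code,
            "app": app.group("app") if app else None,
            "diagnosis": KNOWN_CODES.get(code, "unlisted invalid_client code; check the Entra sign-in logs"),
        })
    return findings

def summarize(findings):
    """Count failures per AADSTS code so the dominant cause is obvious."""
    counts = {}
    for f in findings:
        counts[f["code"]] = counts.get(f["code"], 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(scan(SAMPLE_LOG)))
```

Run it against a copy of /var/log/vmware/vc-ws1a-broker/federation-service.log by passing the file contents to scan(); a non-empty result with AADSTS7000222 means the secret has expired, while AADSTS7000215 points at a mis-pasted value.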

Unable to log in to vCenter using Entra ID authentication

Attachments

Step-by-step-procedure-to-configure-azure-ad-federation-on-vcenter-server_v3.pdf