
vCenter 7.0 with ADFS IDP: connecting with PowerCLI

I had some issues connecting to vCenter after configuring ADFS as an Identity Provider with Duo Security for MFA.

Some of the errors I received were:

New-OAuthSecurityContext The OAuth authorization grant redirect response did not provide an authorization code.

New-OAuthSecurityContext Failed to issue OAuth2 access token.

The received resource parameter is invalid. The authorization server can not find a registered resource with the specified identifier

New-VISamlSecurityContext Failed to retrieve SAML bearer token: An error occurred while sending the request.

Failed to issue OAuth2 access token. MSIS9614: The refresh token received in ‘refresh_token’ parameter is invalid. Error code: invalid_grant

MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid. Error code: invalid_client

New-OAuthSecurityContext: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.

It turned out I was missing configuration steps and using the wrong values in the login script.

*This was set up on vCenter Server Appliance 7.0 Update 2c with an ADFS 2019 IDP, and validated on a Windows 10 VM logged in as the privileged user, running PowerShell 5.1.17763.2183 and VMware PowerCLI 12.4.0 build 18627050.

If not already done, install and configure Duo MFA for ADFS: https://duo.com/docs/adfs

Configure vCenter for the ADFS IDP by following the VMware guide: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-C5E998B2-1148-46DC-990E-A5DB71F93351.html

(In ADFS, don't forget to configure an Access Control Policy and assign it on the Web API configuration of the vCenter application group.)

Make sure ADFS IDP authentication with Duo is working before following the next steps to set up PowerCLI access.

In ADFS, create a new Native Application named powercli-native and note its Client ID (cccccccc-cccc-cccc-cccc-cccccccccccc).

Add the Redirect URI: http://localhost:8844/auth

Click OK.

Select the vCenter application under Web API and click Edit.

Select the Client Permissions tab:

Add the powercli-native application created above.

Make sure the allatclaims and openid scopes are selected.

Select the application under Server Applications and note its Client ID (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).


The following script was found in this Reddit comment (I have added comments inline):

https://www.reddit.com/r/vmware/comments/nzt06t/comment/h1zpykq/?utm_source=share&utm_medium=web2x&context=3


#vCenter Server FQDN
$VCenterServer = 'VCENTER.DOMAIN.COM'
#ADFS token endpoint URL (if you have changed it from the default, adjust accordingly)
$TokenEndpointURL = 'https://ADFS.DOMAIN.COM/adfs/oauth2/token/'
#ADFS authorization endpoint URL (if you have changed it from the default, adjust accordingly)
$AuthEndpointURL = 'https://ADFS.DOMAIN.COM/adfs/oauth2/authorize/'
#PowerCLI redirect URL; it must match the Redirect URI on the Native Application and does not need to be changed
$RedirectURL = 'http://localhost:8844/auth'
#Client ID gathered earlier from the powercli-native Native Application
$ClientID = 'cccccccc-cccc-cccc-cccc-cccccccccccc'
#Client ID gathered earlier from the Server Application; it is sent to ADFS as the OAuth "resource"
$OAuthResource = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'

if ( !$OAuth ) { $OAuth = New-OAuthSecurityContext -TokenEndpointUrl $TokenEndpointURL -AuthorizationEndpointUrl $AuthEndpointURL -RedirectUrl $RedirectURL -ClientId $ClientID -OtherArguments @{ "resource" = "$OAuthResource" } }

#The -IgnoreSslValidationErrors switch is for a self-signed vCenter certificate; remove it if the certificate is trusted
if ( !$Saml ) { $Saml = New-VISamlSecurityContext -VCenterServer $VCenterServer -OAuthSecurityContext $OAuth -IgnoreSslValidationErrors }

#If this is a standalone vCenter, remove the -AllLinked switch
if ( !$Conn ) { $Conn = Connect-VIServer -Server $VCenterServer -SamlSecurityContext $Saml -AllLinked }
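As an added example (not from the original post or the Reddit comment), the following pre-flight check verifies from the ADFS side that the steps above were actually applied for the same three values the login script uses. It assumes it is run on the ADFS 2019 server (or in a session with the ADFS PowerShell module loaded) as an ADFS administrator; the two GUIDs are the placeholders used in this post.

```powershell
# Added check script, not part of the original post. Assumes the ADFS module is available
# (run on the ADFS server). Values below are the same placeholders the login script uses.
$ClientID       = 'cccccccc-cccc-cccc-cccc-cccccccccccc'   # powercli-native Native Application
$OAuthResource  = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'   # Server Application client ID
$RedirectURL    = 'http://localhost:8844/auth'
$RequiredScopes = @('openid', 'allatclaims')

$problems = @()

# 1. The Native Application must exist and carry the PowerCLI redirect URI.
$native = Get-AdfsNativeClientApplication | Where-Object { $_.Identifier -eq $ClientID }
if (-not $native) {
    $problems += "No Native Application with client ID $ClientID"
} elseif ($native.RedirectUri -notcontains $RedirectURL) {
    $problems += "Native Application '$($native.Name)' lacks redirect URI $RedirectURL (has: $($native.RedirectUri -join ', '))"
}

# 2. A Web API must be registered under the identifier the script sends as the OAuth 'resource'.
$webApi = Get-AdfsWebApiApplication | Where-Object { $_.Identifier -contains $OAuthResource }
if (-not $webApi) {
    $problems += "No Web API application has identifier $OAuthResource (the 'resource' value in the login script)"
} elseif (-not $webApi.AccessControlPolicyName) {
    $problems += "Web API '$($webApi.Name)' has no Access Control Policy assigned"
}

# 3. The Native Application needs a Client Permission on that Web API with openid and allatclaims.
$perm = Get-AdfsApplicationPermission |
    Where-Object { $_.ClientRoleIdentifier -eq $ClientID -and $_.ServerRoleIdentifier -eq $OAuthResource }
if (-not $perm) {
    $problems += "Client $ClientID has no Client Permission on Web API $OAuthResource"
} else {
    $missing = $RequiredScopes | Where-Object { $perm.ScopeNames -notcontains $_ }
    if ($missing) { $problems += "Client Permission is missing scope(s): $($missing -join ', ')" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "ADFS configuration for PowerCLI looks complete."
}
```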

If the commands complete successfully you should get a web browser popup for ADFS/Duo authentication, and then you should be logged into vCenter. All other commands should work as normal.

Hope this helps someone.