[Configuration Environment]
vCenter
Active Directory
Active Directory Certificate Authority
Active Directory Federation Service
[SAML, OAuth, OIDC]
https://gruuuuu.github.io/security/ssofriends/
SAML
SAML is an XML-based standard data format for exchanging authentication and authorization data between an identity provider and a service provider.
SAML generates the authentication information in XML format and encrypts that XML data so it can be delivered to the final recipient without exposing its contents to third parties.
The XML generated here is called an Assertion; an Assertion contains information such as the identity provider name, the issue date and the expiry date.
SAMLRequest and SAMLResponse are XML and therefore only work through a browser -> an unsuitable format for mobile or native applications.
SAML authentication flow
OAuth
An open standard protocol for "Authorization"
Provides a way to delegate to a third-party app, on behalf of the resource owner, access to the resources offered by a resource server.
OAuth was developed to compensate for SAML's shortcomings on mobile platforms and, unlike SAML, is based on JSON rather than XML.
Whereas SAML covers both Authentication and Authorization, OAuth is designed for Authorization only.
The core of OAuth is the Access Token.
When requesting a token, a redirect_uri value is sent with the request to specify where the token is to be delivered.
The redirect_uri, the location at which the Access Token is to be received, is registered with the Service Provider that will use OAuth.
OAuth flow
OIDC
OpenID Connect (hereafter OIDC) is an authentication layer built on top of OAuth 2.0, an authorization protocol.
OIDC adds a token called the ID Token for authentication.
The ID Token is in JWT (JSON Web Token) format.
OIDC flow
- SAML: provides both authentication and authorization, XML-based, mainly used to build enterprise SSO
- OAuth 2.0: provides Authorization only, JSON-based, lets an app use resources without the credentials being shared with it
- OpenID Connect: mainly used together with OAuth 2.0, JSON-based, structured so that it can be used in mobile and native apps
[Authentication Process]
vCenter Server, AD FS, and Active Directory interact as follows:
- The user starts on the vCenter Server landing page by entering a user name.
- If the user name is for a federated domain, vCenter Server redirects the authentication request to AD FS.
- If needed, AD FS prompts the user to log in with Active Directory credentials.
- AD FS authenticates the user with Active Directory.
- AD FS issues a security token with group information from Active Directory.
- vCenter Server uses the token to log in the user.
[Diagnostic Items]
Check the Root CA certificates
root@vcsa01 [ ~ ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
Enter password for administrator@vsphere.local:
Number of certificates: 4

#1: CN(id): 5E1519B5D6992DD3BD20B95D95CA42CEC6BA4E04
Subject DN: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=vcsa01.contoso.com, OU=VMware Engineering
CRL present: yes

#2: CN(id): 33849C8548FDB0FDBFC5ED31B80F7D3096797828
Subject DN: CN=contoso-ADCA01-CA,DC=contoso,DC=com
CRL present: no
OpenID Connect (OIDC) Discovery Endpoint connectivity test
root@vcsa01 [ ~ ]# wget http://localhost:1080/external-vecs/http1/adfs01.contoso.com/443/adfs/.well-known/openid-configuration
--2023-04-12 04:54:24--  http://localhost:1080/external-vecs/http1/adfs01.contoso.com/443/adfs/.well-known/openid-configuration
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:1080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1920 (1.9K) [application/json]
Saving to: ‘openid-configuration’

openid-configuration        100%[===================>]   1.88K  --.-KB/s    in 0s

2023-04-12 04:54:24 (291 MB/s) - ‘openid-configuration’ saved [1920/1920]

root@vcsa01 [ ~ ]# wget --no-check-certificate https://adfs01.contoso.com/adfs/.well-known/openid-configuration
--2023-04-12 04:57:28--  https://adfs01.contoso.com/adfs/.well-known/openid-configuration
Resolving adfs01.contoso.com... 192.168.1.102
Connecting to adfs01.contoso.com|192.168.1.102|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1920 (1.9K) [application/json]
Saving to: ‘openid-configuration.1’

openid-configuration.1      100%[===================>]   1.88K  --.-KB/s    in 0s

2023-04-12 04:57:28 (384 MB/s) - ‘openid-configuration.1’ saved [1920/1920]

root@vcsa01 [ ~ ]# curl -k --http1.1 -vvv https://adfs01.contoso.com/adfs/.well-known/openid-configuration
*   Trying 192.168.1.102:443...
* Connected to adfs01.contoso.com (192.168.1.102) port 443 (#0)
* ALPN: offers http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=adfs01.contoso.com
*  start date: Apr 10 15:11:48 2023 GMT
*  expire date: Apr  9 15:11:48 2025 GMT
*  issuer: DC=com; DC=contoso; CN=contoso-ADCA01-CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /adfs/.well-known/openid-configuration HTTP/1.1
> Host: adfs01.contoso.com
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Length: 1920
< Content-Type: application/json;charset=UTF-8
< Server: Microsoft-HTTPAPI/2.0
< Strict-Transport-Security: max-age = 31536000
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;
< Date: Wed, 12 Apr 2023 04:55:46 GMT
<
{"issuer":"https:\/\/adfs01.contoso.com\/adfs","authorization_endpoint":"https:\/\/adfs01.contoso.com\/adfs\/oauth2\/authorize\/","token_endpoint":"https:\/\/adfs01.contoso.com\/adfs\/oauth2\/token\/","jwks_uri":"https:\/\/adfs01.contoso.com\/adfs\/discovery\/keys","token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic","private_key_jwt","windows_client_authentication"],"response_types_supported":["code","id_token","code id_token","id_token token","code token","code id_token token"],"response_modes_supported":["query","fragment","form_post"],"grant_types_supported":["authorization_code","refresh_token","client_credentials","urn:ietf:params:oauth:grant-type:jwt-bearer","implicit","password","srv_challenge","urn:ietf:params:oauth:grant-type:device_code","device_code"],"subject_types_supported":["pairwise"],"scopes_supported":["logon_cert","openid","aza","user_impersonation","winhello_cert","allatclaims","email","vpn_cert","profile"],"id_token_signing_alg_values_supported":["RS256"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"access_token_issuer":"http:\/\/adfs01.contoso.com\/adfs\/services\/trust","claims_supported":["aud","iss","iat","exp","auth_time","nonce","at_hash","c_hash","sub","upn","unique_name","pwd_url","pwd_exp","mfa_auth_time","sid","nbf"],"microsoft_multi_refresh_token":true,"userinfo_endpoint":"https:\/\/adfs01.contoso.com\/adfs\/userinfo","capabilities":[],"end_session_endpoint":"https:\/\/adfs01.contoso.com\/adfs\/oauth2\/logout","as_access_token_token_binding_supported":true,"as_refresh_token_token_binding_supported":true,"resource_access_token_token_binding_supported":true,"op_id_token_token_binding_supported":true,"rp_id_token_token_binding_supported":true,"frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"device_authorization_endpoint":"https:\/\/adfs01.contoso.com\/adfs\/oauth2\/devicecode"}
* Connection #0 to host adfs01.contoso.com left intact
[Problem Symptoms]
1. When configuring an External Identity Provider in vCenter, the following error occurs
com.vmware.vcenter.trustmanagement.impl.InvalidArgumentException: java.io.IOException: Server returned HTTP response code: 526 for URL: http://localhost:1080/external-vecs/http1/xxx.xxx.xxx/443/adfs/.well-known/openid-configuration
2. After configuration is complete, attempting to log in to vCenter with an AD account produces the following 400 error
[Analysis]
Symptom 1
1) The same symptom initially occurred in the LAB as well
/var/log/vmware/trustmanagement/trustmanagement-svcs.log
2023-03-27T03:24:33.613Z [tomcat-exec-7 [] ERROR com.vmware.vcenter.trustmanagement.impl.TrustUtil opId=] Unable to get metadata from discovery endpoint https://fs.contoso.com/adfs/.well-known/openid-configuration
java.io.IOException: Server returned HTTP response code: 526 for URL: http://localhost:1080/external-vecs/http1/fs.contoso.com/443/adfs/.well-known/openid-configuration
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1902) ~[?:1.8.0_345]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1500) ~[?:1.8.0_345]
    at com.vmware.vcenter.trustmanagement.impl.TrustUtil.getOidcProviderMetadata(TrustUtil.java:875) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.getProviderMetadata(VcIdentityProviders.java:1993) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.performDiscovery(VcIdentityProviders.java:1973) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.validateOidcInfo(VcIdentityProviders.java:2483) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.validate(VcIdentityProviders.java:2411) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.createOauth2Provider(VcIdentityProviders.java:1476) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.create(VcIdentityProviders.java:1276) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.create(VcIdentityProviders.java:246) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.vapi.impl.VcIdentityProvidersProviderImpl.create(VcIdentityProvidersProviderImpl.java:194) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.vapi.impl.VcIdentityProvidersProviderImpl.create(VcIdentityProvidersProviderImpl.java:187) [libservice.jar:?]
    at com.vmware.vcenter.identity.ProvidersApiInterface$CreateApiMethod.doInvoke(ProvidersApiInterface.java:86) [libvcenter.jar:?]
2023-03-27T03:24:33.614Z [tomcat-exec-7 [] ERROR com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders opId=] Unable to perform discovery with https://fs.contoso.com/adfs/.well-known/openid-configuration
com.vmware.vcenter.trustmanagement.impl.InvalidArgumentException: java.io.IOException: Server returned HTTP response code: 526 for URL: http://localhost:1080/external-vecs/http1/fs.contoso.com/443/adfs/.well-known/openid-configuration
    at com.vmware.vcenter.trustmanagement.impl.TrustUtil.getOidcProviderMetadata(TrustUtil.java:888) ~[libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.getProviderMetadata(VcIdentityProviders.java:1993) ~[libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.performDiscovery(VcIdentityProviders.java:1973) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.validateOidcInfo(VcIdentityProviders.java:2483) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.validate(VcIdentityProviders.java:2411) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.createOauth2Provider(VcIdentityProviders.java:1476) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.create(VcIdentityProviders.java:1276) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.create(VcIdentityProviders.java:246) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.vapi.impl.VcIdentityProvidersProviderImpl.create(VcIdentityProvidersProviderImpl.java:194) [libservice.jar:?]
    at com.vmware.vcenter.trustmanagement.vapi.impl.VcIdentityProvidersProviderImpl.create(VcIdentityProvidersProviderImpl.java:187) [libservice.jar:?]
    at com.vmware.vcenter.identity.ProvidersApiInterface$CreateApiMethod.doInvoke(ProvidersApiInterface.java:86) [libvcenter.jar:?]
2) The ADFS service connectivity test fails
root@vcsa01 [ /var/log/vmware/trustmanagement ]# wget http://localhost:1080/external-vecs/http1/fs.contoso.com/443/adfs/.well-known/openid-configuration
--2023-03-27 04:06:09--  http://localhost:1080/external-vecs/http1/fs.contoso.com/443/adfs/.well-known/openid-configuration
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:1080... connected.
HTTP request sent, awaiting response... 526 Invalid SSL Certificate
2023-03-27 04:06:09 ERROR 526: Invalid SSL Certificate.

root@vcsa01 [ /var/log/vmware/trustmanagement ]# wget --no-check-certificate https://fs.contoso.com/443/adfs/.well-known/openid-configuration
--2023-03-27 04:14:55--  https://fs.contoso.com/443/adfs/.well-known/openid-configuration
Resolving fs.contoso.com... 192.168.1.41
Connecting to fs.contoso.com|192.168.1.41|:443... connected.
WARNING: cannot verify fs.contoso.com's certificate, issued by ‘CN=fs.contoso.com’:
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 404 Not Found
2023-03-27 04:14:55 ERROR 404: Not Found.
3) The customer's logs show the same thing
/var/log/vmware/trustmanagement/trustmanagement-svcs.log
2023-03-21T05:06:50.429Z [tomcat-exec-17 INFO com.vmware.identity.token.impl.SamlTokenImpl opId=] SAML token for SubjectNameId [value=Administrator@VSPHERE.LOCAL, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from XML
2023-03-21T05:06:50.437Z [tomcat-exec-17 INFO com.vmware.identity.token.impl.SamlTokenImpl opId=] SAML token for SubjectNameId [value=Administrator@VSPHERE.LOCAL, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from XML
2023-03-21T05:06:50.438Z [tomcat-exec-17 INFO com.vmware.vcenter.trustmanagement.vapi.impl.setup.AuthzPermissionValidator opId=] User VSPHERE.LOCAL\Administrator invoked API com.vmware.vcenter.identity.providers.create
2023-03-21T05:06:50.438Z [tomcat-exec-17 WARN com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingBase opId=] Asynchronous execution requested but no Executor configured. The request will be executed as synchronous one.
2023-03-21T05:06:50.440Z [tomcat-exec-17 INFO com.vmware.vcenter.trustmanagement.vapi.impl.setup.AuthzPermissionValidator opId=] User VSPHERE.LOCAL\Administrator has required privileges [VcIdentityProviders.Manage] to invoke API com.vmware.vcenter.identity.providers.create
2023-03-21T05:06:50.448Z [tomcat-exec-17 WARN com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders opId=] com.vmware.sso.interop.ldap.NoSuchObjectLdapException: No such object LDAP error [code: 32]
2023-03-21T05:06:50.448Z [tomcat-exec-17 INFO com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders opId=] Retrieving metadata from discovery endpoint: https://xxx.xxx.xxx/adfs/.well-known/openid-configuration
2023-03-21T05:06:50.471Z [tomcat-exec-17 ERROR com.vmware.vcenter.trustmanagement.impl.TrustUtil opId=] Unable to get metadata from discovery endpoint https://xxx.xxx.xxx/adfs/.well-known/openid-configuration
java.io.IOException: Server returned HTTP response code: 526 for URL: http://localhost:1080/external-vecs/http1/xxx.xxx.xxx/443/adfs/.well-known/openid-configuration
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1897)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1495)
    at com.vmware.vcenter.trustmanagement.impl.TrustUtil.getOidcProviderMetadata(TrustUtil.java:875)
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.getProviderMetadata(VcIdentityProviders.java:1993)
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.performDiscovery(VcIdentityProviders.java:1973)
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.validateOidcInfo(VcIdentityProviders.java:2483)
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.validate(VcIdentityProviders.java:2411)
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.createOauth2Provider(VcIdentityProviders.java:1476)
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.create(VcIdentityProviders.java:1276)
    at com.vmware.vcenter.trustmanagement.impl.VcIdentityProviders.create(VcIdentityProviders.java:246)
/var/log/vmware/envoy/envoy-access-117.log
2023-03-21T05:06:57.715Z info envoy[140265144166208] [Originator@6876 sub=Default] 2023-03-21T05:06:50.449Z GET /external-vecs/http1/sxxx.xxx.xxx.xxx/443/adfs/.well-known/openid-configuration HTTP/1.1 526 upstream_reset_before_response_started{connection_failure,TLS_error:_336134278:SSL_routines:ssl3_get_server_certificate:certificate_verify_failed} UF 0 2443 22 - - 127.0.0.1:52316 127.0.0.1:1080 - xxx.xxx.xxx.xxx:443
2023-03-21T05:44:08.615Z info envoy[140265144166208] [Originator@6876 sub=Default] 2023-03-21T05:43:59.812Z GET /external-vecs/http1/xxx.xxx.xxx.xxx/443/adfs/.well-known/openid-configuration HTTP/1.1 526 upstream_reset_before_response_started{connection_failure,TLS_error:_336134278:SSL_routines:ssl3_get_server_certificate:certificate_verify_failed} UF 0 2443 25 - - 127.0.0.1:60802 127.0.0.1:1080 - xxx.xxx.xxx.xxx:443
2023-03-21T05:48:18.710Z info envoy[140265144166208] [Originator@6876 sub=Default] 2023-03-21T05:48:10.650Z GET /external-vecs/http1/xxx.xxx.xxx.xxx/443/adfs/.well-known/openid-configuration HTTP/1.1 526 upstream_reset_before_response_started{connection_failure,TLS_error:_336134278:SSL_routines:ssl3_get_server_certificate:certificate_verify_failed} UF 0 2443 24 - - 127.0.0.1:33510 127.0.0.1:1080 - xxx.xxx.xxx.xxx:443
2023-03-21T05:48:18.711Z info envoy[140265144166208] [Originator@6876 sub=Default] 2023-03-21T05:48:14.994Z GET /external-vecs/http1/xxx.xxx.xxx.xxx/443/adfs/.well-known/openid-configuration HTTP/1.1 526 upstream_reset_before_response_started{connection_failure,TLS_error:_336134278:SSL_routines:ssl3_get_server_certificate:certificate_verify_failed} UF 0 2443 25 - - 127.0.0.1:33536 127.0.0.1:1080 - xxx.xxx.xxx.xxx:443
2023-03-21T05:48:38.719Z info envoy[140265144166208] [Originator@6876 sub=Default] 2023-03-21T05:48:30.889Z GET /external-vecs/http1/xxx.xxx.xxx.xxx/443/adfs/.well-known/openid-configuration HTTP/1.1 526 upstream_reset_before_response_started{connection_failure,TLS_error:_336134278:SSL_routines:ssl3_get_server_certificate:certificate_verify_failed} UF 0 2443 24 - - 127.0.0.1:33624 127.0.0.1:1080 - xxx.xxx.xxx.xxx:443
2023-03-21T05:51:28.787Z info envoy[140265144166208] [Originator@6876 sub=Default] 2023-03-21T05:51:28.328Z GET /external-vecs/http1/xxx.xxx.xxx.xxx/443/adfs/.well-known/openid-configuration HTTP/1.1 526 upstream_reset_before_response_started{connection_failure,TLS_error:_336134278:SSL_routines:ssl3_get_server_certificate:certificate_verify_failed} UF 0 2443 25 - - 127.0.0.1:34244 127.0.0.1:1080 - xxx.xxx.xxx.xxx:443
4) After identifying the correct Root CA certificate and adding it to vCenter, ADFS was successfully configured as the External Identity Provider
Symptom 2
1) Log analysis
Confirmed that the error occurs during the OAuth2 Access Token exchange
The error message reads "Subject is missing"
That is, something that should have been received during the OAuth2 Access Token exchange is presumed to be missing
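The trust-store listing from `dir-cli trustedcert list` and the issuer line from `curl -v` above spell the same DN in different orders and with different separators. As an added example (not code from the original post or from VMware), this Python script normalizes both spellings, reports whether the ADFS server certificate's issuer is present in the vCenter trust store, and maps the answer onto the two statuses the page saw from the localhost:1080 proxy: 200 once the issuing CA is trusted, 526 (certificate_verify_failed) while it is not. The dir-cli text and issuer strings are constructed to mirror the lab values on the page.

```python
import re

# Constructed sample in the format `dir-cli trustedcert list` prints on the
# vCenter appliance (values mirror the page's lab output; not live data).
DIR_CLI_OUTPUT = """\
Number of certificates: 2

#1: CN(id): 5E1519B5D6992DD3BD20B95D95CA42CEC6BA4E04
Subject DN: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=vcsa01.contoso.com, OU=VMware Engineering
CRL present: yes

#2: CN(id): 33849C8548FDB0FDBFC5ED31B80F7D3096797828
Subject DN: CN=contoso-ADCA01-CA,DC=contoso,DC=com
CRL present: no
"""

# Issuer of the ADFS server certificate as `curl -v` prints it (RFC 4514
# order, "; " separated) and the self-signed issuer from the lab's first try.
ADFS_ISSUER_CURL = "DC=com; DC=contoso; CN=contoso-ADCA01-CA"
SELF_SIGNED_ISSUER = "CN=fs.contoso.com"


def parse_trusted_subjects(dir_cli_text):
    """Extract every 'Subject DN:' value from dir-cli trustedcert output."""
    return re.findall(r"^Subject DN:\s*(.+?)\s*$", dir_cli_text, flags=re.MULTILINE)


def normalize_dn(dn):
    """Canonical form so the two tools' spellings of one DN compare equal.

    curl lists RDNs most-significant-first separated by '; ', dir-cli lists
    them least-significant-first separated by ','. Attribute types are
    upper-cased, whitespace trimmed and order discarded by sorting (adequate
    here: no value in these DNs contains a separator character).
    """
    rdns = [part.strip() for part in re.split(r"[;,]", dn) if part.strip()]
    canon = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        canon.append((attr.strip().upper(), value.strip()))
    return tuple(sorted(canon))


def issuer_trusted(issuer_dn, dir_cli_text):
    """True if issuer_dn matches a Subject DN in the vCenter trust store."""
    wanted = normalize_dn(issuer_dn)
    return any(normalize_dn(s) == wanted for s in parse_trusted_subjects(dir_cli_text))


def predict_discovery_status(issuer_dn, dir_cli_text):
    """Map the trust check onto what the page observed from envoy on
    localhost:1080: 200 once the issuing CA is trusted, 526 while it is not."""
    if issuer_trusted(issuer_dn, dir_cli_text):
        return 200, "issuer is in the trust store; discovery should succeed"
    return 526, "issuer not in trust store; expect certificate_verify_failed"


if __name__ == "__main__":
    for issuer in (ADFS_ISSUER_CURL, SELF_SIGNED_ISSUER):
        code, why = predict_discovery_status(issuer, DIR_CLI_OUTPUT)
        print(f"{issuer!r}: {code} - {why}")
```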
/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log
[2023-04-12T05:35:34.568Z] [INFO ] http-nio-5090-exec-35 70003349 100277 ###### com.vmware.skyscraper.oauth2.common.Oauth2Helper login redirect. Discovery page https://stsds.secsso.net/adfs/oauth2/authorize/?client_id=fe77258a-8977-430c-b993-44f84c5268ee&redirect_uri=https://xxx.xxx.xxx/ui/login/oauth2/authcode&state=925bfa10-d634-4cb7-9a64-a6bf90d1e288&resource=fe77258a-8977-430c-b993-44f84c5268ee&scope=openid&response_type=code, state 925bfa10-d634-4cb7-9a64-a6bf90d1e288
[2023-04-12T05:35:34.707Z] [INFO ] http-nio-5090-exec-46 70003350 100277 ###### c.v.vsphere.client.security.oauth2.Oauth2CodeResponseHandler Received an Oauth2 Authorization code. Processing it now for Auth Token and exchange…
[2023-04-12T05:35:34.707Z] [INFO ] http-nio-5090-exec-46 70003350 100277 ###### c.v.vsphere.client.security.oauth2.Oauth2CodeResponseHandler Invoking Oauth2Helper with the AuthTokenRequestParams..
[2023-04-12T05:35:34.707Z] [INFO ] http-nio-5090-exec-46 70003350 100277 ###### com.vmware.skyscraper.oauth2.common.Oauth2Helper Oauth callback, code AAAAAAAAAAAAAAAAAAAAAA.EPcmvRc72wjOFjw6AtY3ZABRINE.etqS3_iQcTsA1VICoQiMQ27R_wdPaIVPqL6L_wjVt1jgTr9AWfqPXSPJr3jO9hWoVKEJhrgusmKWH76Z_vUB2YGkifG1Sc55-IGz_eAFqa2Is1NVU2sT8babI7ok5xAG7rFnk3s3Vd1Gt5PxlWUz9QLT9ToCpSvP099dkRqSJa4feq5wIWrtvRi2HSkPoRTEHCSpftEPCJzn01z9moYfiqwWJNJ65awmjrdVXeT0Pu0GjHZKXZj6bq7oqLXu4FyDazPsRUI0fQyuA-GqqohCCTHzC5zlTagoS9lHcXKy0z_qrbOH0BR_hblAZVpA-cfqsuVaGSOS417NWaQmEdLPoA state 925bfa10-d634-4cb7-9a64-a6bf90d1e288
[2023-04-12T05:35:34.791Z] [ERROR] http-nio-5090-exec-46 70003350 100277 ###### c.v.vsphere.client.security.oauth2.Oauth2CodeResponseHandler Oauth2 Access Token assertion failed com.vmware.vcenter.tokenservice.InvalidGrant: InvalidGrant (com.vmware.vcenter.tokenservice.invalid_grant) => { ... defaultMessage = Subject is missing.,
/var/log/vmware/vsphere-ui/logs/access/localhost_access_log.txt
127.0.0.1 xxx.xxx.xxx.xxx - - [12/Apr/2023:05:08:42 +0000] "GET /ui/login/oauth2/authcode?code=AAAAAAAAAAAAAAAAAAAAAA.zxXj-xM72wjGFfk1Vroc13KUyRo.VdPABeGE2YUMWdRld5vU-BCnTgqcrSLtYF3IbwT07Y1_0RWfsGiKgdHjKRoOHJvjqNxiiY8VIs2X3Kg5R58ncB2vDyss3yD7FynRzyM_DeegN_v9_nuSHqwBdVLEPGW5UkVlz7XmfN9yeuBRdmOeGOKBsmCAszwps4QXz9Kx0NyVReHKQ8wUu_edfy6WlEUF7qwd47mjmJmhGjizUYYOqoum3u0E84KowRA8Hn-fOjN_wWpQZlwpLUAhD6lpED2q2fNC6k6AyFQiNlxwqK2KR38bHHfuM8pLTPB0LUWn3W_eWtua5DV0HL10TwOjiwN2bVlKkUrMvQGRXydIvYmW-w&state=06c29220-d9bf-4381-8694-6031c04a311c HTTP/1.1" 400 1196 200015 70003149 http-nio-5090-exec-45 128
127.0.0.1 xxx.xxx.xxx.xxx - - [12/Apr/2023:05:35:34 +0000] "GET /ui/login/oauth2/authcode?code=AAAAAAAAAAAAAAAAAAAAAA.EPcmvRc72wjOFjw6AtY3ZABRINE.etqS3_iQcTsA1VICoQiMQ27R_wdPaIVPqL6L_wjVt1jgTr9AWfqPXSPJr3jO9hWoVKEJhrgusmKWH76Z_vUB2YGkifG1Sc55-IGz_eAFqa2Is1NVU2sT8babI7ok5xAG7rFnk3s3Vd1Gt5PxlWUz9QLT9ToCpSvP099dkRqSJa4feq5wIWrtvRi2HSkPoRTEHCSpftEPCJzn01z9moYfiqwWJNJ65awmjrdVXeT0Pu0GjHZKXZj6bq7oqLXu4FyDazPsRUI0fQyuA-GqqohCCTHzC5zlTagoS9lHcXKy0z_qrbOH0BR_hblAZVpA-cfqsuVaGSOS417NWaQmEdLPoA&state=925bfa10-d634-4cb7-9a64-a6bf90d1e288 HTTP/1.1" 400 1196 200016 70003350 http-nio-5090-exec-46 85
2) In the LAB environment, the same log entries were confirmed to be recorded when the rule that uses UPN as the Outgoing Claim Type is missing from the Issuance Transform Rules of the Application Group newly created on the ADFS server
[2023-04-13T10:46:46.152Z] [ERROR] http-nio-5090-exec-101 70010852 100332 ###### c.v.vsphere.client.security.oauth2.Oauth2CodeResponseHandler Oauth2 Access Token assertion failed com.vmware.vcenter.tokenservice.InvalidGrant: InvalidGrant (com.vmware.vcenter.tokenservice.invalid_grant) => { ... defaultMessage = Subject is missing.,
2023-04-13T16:23:59.553Z ERROR tokenservice[86:tomcat-http--50] [CorId= OpId=] [com.vmware.vcenter.tokenservice.vapi.TokenExchangeProviderImpl] Exchange failed due to invalid grant:com.vmware.vcenter.tokenservice.exceptions.InvalidGrant: Subject is missing.
[2023-04-13T16:34:58.547Z] [DEBUG] VapiAsyncCall-104 org.apache.http.wire http-outgoing-66 << "{"jsonrpc":"2.0","id":"06361e49-337c-4a2b-867f-557cd75c2b97","result":{"error":{"ERROR":{"com.vmware.vcenter.tokenservice.invalid_grant":{"data":{"OPTIONAL":null},"messages":[{"STRUCTURE":{"com.vmware.vapi.std.localizable_message":{"args":[],"default_message":"Subject is missing.","localized":{"OPTIONAL":null},"id":"com.vmware.vcenter.tokenservice.exceptions.InvalidGrant","params":{"OPTIONAL":null}}}}]}}}}}[\r][\n]"
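The "Subject is missing." failure above is reproduced in the lab by dropping the UPN issuance transform rule, so the token ADFS returns has no upn claim. As an added example (not code from the original post or from a VMware tool), this Python script decodes a constructed ADFS-style JWT and reports that condition alongside the iss/aud/exp/iat checks OIDC Core requires; the issuer is the one from the page's discovery document, while the client id, UPN and signature segment are constructed placeholders, and the RS256 signature is not verified (that needs the keys at the provider's jwks_uri).

```python
import base64
import json
import time

# Issuer taken from the page's ADFS discovery document.
ADFS_ISSUER = "https://adfs01.contoso.com/adfs"
# Constructed client id and UPN; not values from the page.
VCENTER_CLIENT_ID = "constructed-client-id"
FAR_FUTURE = 4102444800  # 2100-01-01T00:00:00Z, keeps the samples unexpired

# Constructed claim sets: one carrying the upn claim the vCenter token
# service needs, one as issued when the UPN issuance transform rule is absent.
CLAIMS_WITH_UPN = {"iss": ADFS_ISSUER, "aud": VCENTER_CLIENT_ID, "iat": 1681277734,
                   "exp": FAR_FUTURE, "sub": "constructed-pairwise-sub",
                   "upn": "jdoe@contoso.com"}
CLAIMS_MISSING_UPN = {k: v for k, v in CLAIMS_WITH_UPN.items() if k != "upn"}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # Compact JWS drops the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact_json(obj):
    return json.dumps(obj, separators=(",", ":")).encode()


def build_sample_token(claims):
    """Assemble a constructed compact JWT (header.payload.signature).

    The signature segment is a fixed placeholder: this example inspects
    claims only and does not verify an RS256 signature.
    """
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(_compact_json(header)), _b64url(_compact_json(claims)),
                     "constructed-signature"])


def decode_claims(token):
    """Return the payload of a compact JWT as a dict (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def check_adfs_token(token, expected_issuer, expected_audience, now=None):
    """Return (ok, findings) for a token ADFS issued to vCenter.

    iss/aud/exp/iat are the ID Token claims OIDC Core requires; 'upn' is the
    claim whose absence the tokenservice log reports as 'Subject is missing.'.
    """
    now = time.time() if now is None else now
    claims = decode_claims(token)
    findings = [f"missing required claim: {n}" for n in ("iss", "aud", "exp", "iat")
                if n not in claims]
    if claims.get("iss") != expected_issuer:
        findings.append(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"audience mismatch: {aud!r}")
    if "exp" in claims and claims["exp"] <= now:
        findings.append("token expired")
    if not claims.get("upn"):
        findings.append("Subject is missing. (no upn claim: check the Issuance "
                        "Transform Rule whose Outgoing Claim Type is UPN)")
    return (not findings), findings


if __name__ == "__main__":
    for label, claims in (("with upn", CLAIMS_WITH_UPN), ("missing upn", CLAIMS_MISSING_UPN)):
        ok, findings = check_adfs_token(build_sample_token(claims), ADFS_ISSUER, VCENTER_CLIENT_ID)
        print(label, "OK" if ok else findings)
```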
[References]
vCenter Server Identity Provider Federation Configuration Process Flow
How vCenter Single Sign-On Protects Your Environment
How to enable OpenID Connect in ADFS 2016 for vCenter Server (78029)