Whilst trying to access my vCenter 7 externally using a forwarding rule on my firewall, the following error message appeared:
[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server – An error occurred when processing metadata during vCenter Single Sign-On setup: the service provider validation failed. Verify that the server URL is correct and is in FQDN format, or that the hostname is a trusted service provider alias.
You may also see a similar message if you attempt to logon to the vCenter using its short name rather than the fully qualified domain name.
- Issue is not observed while using the Fully Qualified Domain Name (FQDN) or IP address resolve reverse to the FQDN of the vCenter Server
Resolution
This is an expected behavior.
VMware vSphere 7.0 enforce FQDN or IP address reverse resolvable to FQDN to allow authentication for Single-Sign on.
VMware vSphere 7.0 enforce FQDN or IP address reverse resolvable to FQDN to allow authentication for Single-Sign on.
Workaround
Process to workaround the issue:
To enable short name access to vCenter, add the desired shortname in webclient.properties file.
Note: Ensure you have a backup of vCenter Server Appliance (vcsa) before making any changes
- Log in to the vCenter Server via ssh/putty session
- Stop the vSphere client service using below command
service-control –stop vsphere-ui
- Navigate to the vsphere-ui location to edit webclient.properties
cd /etc/vmware/vsphere-ui/
- Before editing take a backup of webclient.properties using below command,
- cp webclient.properties /var/tmp/webclient.properties.bak
- Add the desired shortname under the sso.serviceprovider.alias.whitelist
- vi webclient.properties
- Remove the comment (#) for sso.serviceprovider.alias.whitelist=
- Add the shortname (comma separated if there are multiple values)
- Save and exit the VI editor
- Example:
- sso.serviceprovider.alias.whitelist=vcsa70
- Start the vSphere client service.
service-control –start vsphere-ui
