Azure AAD Single-Sign Token Issues with VMware vCloud Director

Posted on 09/09/2019 · Posted in Microsoft, VMware

If you're using Azure AAD as your federated SSO identity source, you might end up with the following errors in your vcloud-container-debug.log, pointing to an old authentication statement (the timestamp is the AuthnInstant carried in the SAML assertion):

Caused by: org.springframework.security.authentication.CredentialsExpiredException: Authentication statement is too old to be used with value 2019-08-12T08:12:11.298Z

and 

Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message

By default, Azure tokens have a fairly long lifetime, whereas VMware vCloud Director 9.7 only accepts authentication statements with a maximum age of 2 hours. If you log in to vCloud Director from an incognito window, which forces a fresh sign-in and therefore a freshly issued assertion, the login succeeds.

Microsoft allows a custom token lifetime policy to be applied to each enterprise application. To fix this issue, create a new policy and assign it to the vCloud Director enterprise application. Policy documentation can be found here.

  1. You need to install the Azure AD Preview module for the *-AzureADPolicy cmdlets
    1. Install-Module AzureADPreview
    2. Uninstall-Module AzureAD (in case you already have the "old" module installed)
  2. Connect to Azure Active Directory
    1. Connect-AzureAD
  3. You can view current policies with the following command
    1. Get-AzureADPolicy
  4. Create a new policy for vCloud Director (the -Type parameter is mandatory for New-AzureADPolicy)
    1. $policy = New-AzureADPolicy -DisplayName "VMware vCD Policy" -Type "TokenLifetimePolicy" -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"01:00:00","MaxAgeSessionMultiFactor":"01:00:00","MaxAgeSessionSingleFactor":"01:00:00","MaxAgeMultiFactor":"01:00:00","AccessTokenLifetime":"02:00:00"}}')
    2. You can view the policy with Get-AzureADPolicy -Id {INSERT-UUID-HERE}
    3. And you can update the policy with Set-AzureADPolicy
  5. $policy = Get-AzureADPolicy -Id {INSERT-UUID-HERE}
  6. Get your enterprise application and save it to $app
    1. $app = Get-AzureADApplication | Where-Object {$_.DisplayName -like "*Your Enterprise Application Name*"}
  7. Assign your policy to the Enterprise Application
    1. Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id
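The same procedure as one re-runnable script, added here as an example and not part of the original post: it builds the JSON from a hashtable so quoting mistakes cannot creep in, creates or updates the policy, refuses to guess when the application name matches more than one app, and only assigns the policy if it is not already attached. It assumes AzureADPreview is installed and Connect-AzureAD has already been run; $AppDisplayName is a placeholder for your own application name.

```powershell
param(
    [string]$AppDisplayName = 'Your Enterprise Application Name',   # placeholder, replace
    [string]$PolicyName     = 'VMware vCD Policy'
)

# Serialise the definition instead of hand-typing JSON (avoids smart-quote breakage).
$definition = @{
    TokenLifetimePolicy = @{
        Version                   = 1
        AccessTokenLifetime       = '02:00:00'   # vCD 9.7 rejects statements older than 2 h
        MaxAgeSingleFactor        = '01:00:00'
        MaxAgeMultiFactor         = '01:00:00'
        MaxAgeSessionSingleFactor = '01:00:00'
        MaxAgeSessionMultiFactor  = '01:00:00'
    }
} | ConvertTo-Json -Compress -Depth 3

# Create the policy once; on later runs just push the (possibly changed) definition.
$policy = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq $PolicyName }
if (-not $policy) {
    $policy = New-AzureADPolicy -DisplayName $PolicyName -Type 'TokenLifetimePolicy' `
                  -Definition @($definition) -IsOrganizationDefault $false
    Write-Host "Created policy $($policy.Id)"
} else {
    Set-AzureADPolicy -Id $policy.Id -Definition @($definition)
    Write-Host "Updated policy $($policy.Id)"
}

# Resolve the application unambiguously: a wildcard that hits two apps is an error, not a pick.
$apps = @(Get-AzureADApplication -All $true |
          Where-Object { $_.DisplayName -like "*$AppDisplayName*" })
if ($apps.Count -ne 1) {
    throw "Expected exactly one application matching '*$AppDisplayName*', found $($apps.Count)."
}
$app = $apps[0]

# Attach the policy unless this application already carries it.
$assigned = Get-AzureADApplicationPolicy -Id $app.ObjectId
if ($assigned.Id -contains $policy.Id) {
    Write-Host "Policy already assigned to $($app.DisplayName)"
} else {
    Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id
    Write-Host "Assigned policy to $($app.DisplayName) ($($app.ObjectId))"
}

# Verify what the application now has: one policy whose definition shows the 2 h lifetime.
Get-AzureADApplicationPolicy -Id $app.ObjectId | Select-Object DisplayName, Id, Definition
```

After running it, clear the browser session (or use a fresh incognito window) before re-testing, because an assertion issued under the old policy is still old.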

Once this is done, you should be able to log in to your vCloud Director as VMware intended.