Azure AAD Single-Sign Token Issues with VMware vCloud Director

By Antti Hurme 09/09/2019 No Comments 2 Min Read

If you’re using Azure AAD as your federation SSO identity source, you might end up with the following error in your vcloud-container-debug.log pointing to an old token;

Caused by: Authentication statement is too old to be used with value 2019-08-12T08:12:11.298Z


Authentication request failed: Error validating SAML message

By default, Azure tokens have a fairly long lifetime, and VMware vCloud Director only accepts tokens with a maximum age of 2 hours in version vCD 9.7. If you use incognito mode to login to vCloud Director, the login will succeed.

Microsoft allows a custom token lifetime policy to be applied to each enterprise application. Therefore to fix this issue, a new policy is required. Policy documentation can be found here.

  1. You need to install Azure AD Preview module for ADPolicy cmdlets
    1. Install-module AzureADPreview
    2. Uninstall-module AzureAD (Incase you already have the “old” module installed”
  2. Connect to Azure Active Directory
    1. Connect-AzureAD
  3. You can view current policies with the following command
    1. Get-AzureADPolicy
  4. Create a new policy for vCloud Director
    1. $policy = New-AzureADPolicy -DisplayName “VMware vCD Policy” -Definition @(‘{“TokenLifetimePolicy”:{“Version”:1,”MaxAgeSingleFactor”:”01:00:00″,”MaxAgeSessionMultiFactor”:”01:00:00″,”MaxAgeSessionSingleFactor”:”01:00:00″,”MaxAgeMultiFactor”:”01:00:00″,”AccessTokenLifetime”:”02:00:00″}}’)
    2. You can view the policy with get-AzureADPolicy -id {INSERT-UUID-HERE}
    3. And you can update the policy with set-AzureADPolicy
  5. $policy = Get-AzureADPolicy -id {INSERT-UUID-HERE}
  6. Get your enterprise application and save it to $app
    1. $app = Get-AzureADApplication | where {$_.DisplayName -like “*Your Enterprise Application Name*”}
  7. Assign your policy to the Enterprise Application
    1. Add-AzureADApplicationPolicy -Id $app.ObjectId -RefObjectId $policy.Id

Once this is done, you should be able to login to your vCloud Director as VMware intended.

Written By

Who am I? | Linkedin

View All Articles
Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.

This site uses Akismet to reduce spam. Learn how your comment data is processed.