Recently, we added some extra values to the certificate Subject Alternative Name (SAN) so that the vCenter Server Appliance (vCSA) could be reached under additional hostnames. However, when trying to reach the vCSA by one of the new SAN values, we received this error message: “[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server – An error occurred when processing metadata during vCenter Single Sign-On setup: the service provider validation failed. Verify that the server URL is correct and is in FQDN format, or that the hostname is a trusted service provider alias.”
To “solve” this issue, we can apply a workaround provided by VMware. The steps are as follows:
Step 1: Log into your vCSA through SSH and stop the vSphere UI
First, log in to your vCSA using SSH. You can use the following command to do so:
ssh [vCSA_IP]
Once you have logged in, run the following command to stop the vSphere UI:
sudo /etc/init.d/vsphere-ui stop
Step 2: Find the webclient.properties file and edit it
Next, find the webclient.properties file in the /usr/local/vmware/appliance/conf directory. You can use the following command to do so:
sudo find /usr/local/vmware/appliance/conf -name webclient.properties
Once you have found the file, open it in vi and uncomment the line “sso.serviceprovider.alias.whitelist=” by removing the leading comment character (#), then append the desired SAN values. If you want to add multiple names, separate them with commas. For instance, the commented default line and the edited line:
# sso.serviceprovider.alias.whitelist=vcenter,vsphere
sso.serviceprovider.alias.whitelist=vcenter,vsphere,new-san-value
Step 3: Save the file and start the vSphere UI
After editing the file, press Escape and then type :wq! to save and exit vi. This overwrites the previous version of the webclient.properties file with your changes.
Finally, start the vSphere UI by running the following command:
sudo /etc/init.d/vsphere-ui start
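As an added example (written for this post, not VMware's tooling), here is a small POSIX shell function that performs step 2 in one idempotent run: it backs up webclient.properties, rejects any alias that is not a plain hostname (a stray comma or space would corrupt the list), uncomments the whitelist key and appends the alias only if it is not already listed. The file path and alias shown are the ones from this post; the backup name and temporary file name are my own choices.

```shell
#!/bin/sh
# Example helper (not VMware code): add one SAN hostname to the vSphere UI's
# trusted service-provider alias whitelist in webclient.properties.
# Usage: add_sp_alias /usr/local/vmware/appliance/conf/webclient.properties new-san-value

KEY='sso.serviceprovider.alias.whitelist'

add_sp_alias() {
    file="$1"; alias="$2"

    # Accept only a bare hostname/FQDN: letters, digits, dots and hyphens.
    # Anything else could split the comma-separated list or inject another key.
    case "$alias" in
        ""|*[!A-Za-z0-9.-]*) echo "refusing alias '$alias': not a hostname" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Keep a backup so the change can be reverted once the real fix is applied.
    cp -p "$file" "$file.bak"

    # Current value: a live (uncommented) line wins, otherwise the commented template.
    current=$(grep -E "^[[:space:]]*$KEY=" "$file" | head -n1 | sed 's/^[^=]*=//')
    if ! grep -qE "^[[:space:]]*$KEY=" "$file"; then
        current=$(grep -E "^[[:space:]]*#[[:space:]]*$KEY=" "$file" | head -n1 | sed 's/^[^=]*=//')
    fi

    # Already whitelisted? Leave the file untouched (idempotent re-runs).
    if printf '%s\n' "$current" | tr ',' '\n' | grep -qxF "$alias"; then
        echo "$KEY=$current"; return 0
    fi
    if [ -n "$current" ]; then new="$current,$alias"; else new="$alias"; fi

    # Remove every live or commented copy of the key and write exactly one live line.
    # Writing back through cat keeps the file's original owner and permissions.
    tmp="$file.tmp.$$"
    grep -vE "^[[:space:]]*#?[[:space:]]*$KEY=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$KEY" "$new" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
    echo "$KEY=$new"
}
```

The function prints the resulting whitelist line so you can check it before starting the vSphere UI again.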
Step 4: Test the login process (optional)
If you still run into problems logging in after making the above adjustments, it can help to clear your browsing data (history, cookies, cache, etc.), or to try the login from a privacy-focused web browser such as Brave or DuckDuckGo, which retains less of that data.
That’s it! With these steps, you should now be able to log in to your vCSA with the new SAN value. Note that the login process may take a while to finish after making the adjustments.
It’s important to note that this workaround is only temporary and should be used with caution: every name you add to the whitelist is trusted by Single Sign-On as a service-provider alias, so add only hostnames that you control and that actually appear in the certificate’s SAN. The permanent solution is to update the vCenter Server Appliance to the latest version, in which VMware has acknowledged and fixed this issue. It is therefore recommended to update your vCSA as soon as possible to avoid any further issues.