To work around the issue, update the vmwSTSDefaultTenant value in VMDIR to lower case by following the steps below.

Notes:
Take concurrent powered-off snapshots of every vCenter in the SSO domain before following these steps.
The steps below must be performed on the source vCenter Server Appliance before attempting the upgrade.
The commands below use vsphere.local as the SSO domain name. Adjust the values for your environment: if the SSO domain name is "vcsso.local", replace "dc=vsphere,dc=local" with "dc=vcsso,dc=local" and replace "vsphere.local" with "vcsso.local".
Change the password in each example before running the command. The examples pass the password on the command line with -w for illustration only; the commands themselves use -W so that you are prompted for it and it does not end up in the shell history or process list.
Confirm that the default tenant is stored with upper-case characters in VMDIR using the ldapsearch command:
ldapsearch -x -h localhost -p 389 -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W -s base -b cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local vmwSTSDefaultTenant
Example:
root@vcsa1 [ ~ ]# ldapsearch -x -h localhost -p 389 -D "cn=administrator,cn=users,dc=vsphere,dc=local" -w "Password123" -s base -b cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local vmwSTSDefaultTenant
…
# Tenants, IdentityManager, Services, vsphere.local
dn: cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
vmwSTSDefaultTenant: Vsphere.Local
…
Verify that the OIDC discovery document advertises the wrong endpoints (carrying the upper-case tenant name) using the curl command. Each endpoint URL ends in the tenant name, so with the upper-case entry in VMDIR the issuer, authorization_endpoint and token_endpoint all contain Vsphere.local instead of vsphere.local:
curl -k https://localhost/openidconnect/.well-known/openid-configuration
Example:
root@vcsa1 [ ~ ]# curl -k https://localhost/openidconnect/.well-known/openid-configuration
{
  "response_types_supported": ["code", "id_token", "token id_token"],
  "jwks_uri": "https:\/\/vcsa1.test.com\/openidconnect\/Vsphere.local",
  "end_session_endpoint": "https:\/\/vcsa1.test.com\/openidconnect\/Vsphere.local",
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "issuer": "https:\/\/vcsa1.test.com\/openidconnect\/Vsphere.local",
  "authorization_endpoint": "https:\/\/vcsa1.test.com\/openidconnect\/Vsphere.local",
  "token_endpoint": "https:\/\/vcsa1.test.com\/openidconnect\/Vsphere.local"
}
root@vcsa1 [ ~ ]#
Change the default tenant to lower case using ldapmodify:
ldapmodify -x -h localhost -p 389 -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W
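The following POSIX shell script is an added example and is not part of the KB article or VMware's tooling. It ties the three steps above together: it reads the tenant name from the ldapsearch output and from the issuer URL in the OIDC discovery document, checks whether it is already all lower case, and emits the LDIF that ldapmodify would consume to replace vmwSTSDefaultTenant. The sample ldapsearch and curl output embedded in the script is constructed to match the shape shown on the page; the LDIF (a modify/replace of vmwSTSDefaultTenant on the cn=Tenants entry) is an assumption about what the truncated ldapmodify step performs, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the KB): detect a mixed-case SSO default tenant and
# build the LDIF for the ldapmodify step. Constructed sample data follows.

# Constructed sample of "ldapsearch ... vmwSTSDefaultTenant" output.
SAMPLE_LDAPSEARCH='# Tenants, IdentityManager, Services, vsphere.local
dn: cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
vmwSTSDefaultTenant: Vsphere.Local'

# Constructed sample of the OIDC discovery document (slashes escaped as the
# appliance returns them).
SAMPLE_DISCOVERY='{"issuer":"https:\/\/vcsa1.test.com\/openidconnect\/Vsphere.local","token_endpoint":"https:\/\/vcsa1.test.com\/openidconnect\/Vsphere.local"}'

# Tenant name as stored in VMDIR: the value of the vmwSTSDefaultTenant line.
vmdir_tenant() {
  printf '%s\n' "$1" | sed -n 's/^vmwSTSDefaultTenant: //p'
}

# Tenant name as advertised by OIDC: the last path segment of "issuer".
# Accepts both escaped (\/) and plain (/) slashes.
oidc_tenant() {
  printf '%s' "$1" \
    | sed -n 's/.*"issuer":"\([^"]*\)".*/\1/p' \
    | sed 's#\\/#/#g' \
    | sed 's#.*/##'
}

# Exit status 0 if the name is already all lower case, 1 otherwise.
tenant_is_lowercase() {
  [ "$1" = "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ]
}

# Derive the LDAP suffix (dc=vsphere,dc=local) from a domain name.
domain_to_dn() {
  printf '%s' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# LDIF for ldapmodify: replace vmwSTSDefaultTenant with the lower-case name.
# Assumption: this modify/replace is the change the KB's ldapmodify step makes.
tenant_ldif() {
  tenant="$1"; suffix="$2"
  lower=$(printf '%s' "$tenant" | tr 'A-Z' 'a-z')
  printf 'dn: cn=Tenants,cn=IdentityManager,cn=Services,%s\nchangetype: modify\nreplace: vmwSTSDefaultTenant\nvmwSTSDefaultTenant: %s\n' "$suffix" "$lower"
}

main() {
  stored=$(vmdir_tenant "$SAMPLE_LDAPSEARCH")
  advertised=$(oidc_tenant "$SAMPLE_DISCOVERY")
  echo "VMDIR tenant: $stored   OIDC issuer tenant: $advertised"
  if tenant_is_lowercase "$stored"; then
    echo "tenant is lower case; nothing to do"
  else
    lower=$(printf '%s' "$stored" | tr 'A-Z' 'a-z')
    echo "tenant is mixed case; LDIF to feed to ldapmodify on stdin:"
    tenant_ldif "$stored" "$(domain_to_dn "$lower")"
  fi
}
main
```

On a real appliance, replace the two constructed samples with the actual output of the ldapsearch and curl commands from the steps above, and pipe the printed LDIF into the ldapmodify command (which reads the change from standard input). Re-run the curl check afterwards to confirm the issuer and endpoints now end in the lower-case tenant name.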