"Unable to validate the submitted credential" error when logging into the Web Client with Smart Card Authentication

Article ID: 305744

Updated On: 04-14-2025

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • Logging into the Web Client with Smart Card Authentication fails with the error:

    Unable to validate the submitted credential.


  • In the /var/log/vmware/sso/vmware-sts-idmd.log file, you see entries similar to:

    [IdmCrlCache] LDAP CRL stores is not supported. Ignore this URI: ldap://CN=xxx,CN=xxx,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxx,DC=xxx?certificateRevocationList?base?objectClass=cRLDistributionPoint
    [ServerUtils] Exception 'com.vmware.identity.idm.CertRevocationStatusUnknownException: CRL checking could not determine certificate status'



Environment

VMware vCenter Server 6.0.x

VMware vCenter Server 7.0.x

VMware vCenter Server 8.0.x

Cause

vCenter Server does not support LDAP paths as Certificate Revocation List (CRL) Distribution Points. To check certificate revocation status, the Certificate Authority that issues user certificates must be configured to publish Certificate Revocation Lists to a location available via http:// (ideally on a highly available web server).
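To confirm this cause from the log before changing anything, the two entries quoted under Symptoms can be counted and correlated. The following is an added example, not VMware code: the sample lines are constructed (timestamps, log levels and the ExampleCA/pki01/example.test names are made up), and only the message text is taken from the entries above.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Message fragments copied from the log entries quoted in the article.
IGNORED_CDP = re.compile(
    r"\[IdmCrlCache\] LDAP CRL stores is not supported\. Ignore this URI: (\S+)"
)
STATUS_UNKNOWN = "CertRevocationStatusUnknownException"

# Constructed sample input: timestamps, levels and DN values are made up.
SAMPLE_URI = ("ldap://CN=ExampleCA,CN=pki01,CN=CDP,CN=Public%20Key%20Services,"
              "CN=Services,CN=Configuration,DC=example,DC=test"
              "?certificateRevocationList?base?objectClass=cRLDistributionPoint")
IGNORE_MSG = ("INFO [IdmCrlCache] LDAP CRL stores is not supported. "
              "Ignore this URI: " + SAMPLE_URI)
FAIL_MSG = ("ERROR [ServerUtils] Exception 'com.vmware.identity.idm."
            "CertRevocationStatusUnknownException: CRL checking could not "
            "determine certificate status'")
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z " + IGNORE_MSG,
    "2025-01-01T10:00:00Z " + FAIL_MSG,
    "2025-01-01T10:05:00Z " + IGNORE_MSG,
    "2025-01-01T10:05:00Z " + FAIL_MSG,
]


def triage(lines):
    """Summarise the two log signatures this article describes."""
    ignored = Counter()   # decoded LDAP CDP URI -> times it was skipped
    failures = 0          # number of status-unknown exception lines
    for line in lines:
        match = IGNORED_CDP.search(line)
        if match:
            ignored[unquote(match.group(1))] += 1
        elif STATUS_UNKNOWN in line:
            failures += 1
    return {
        "ignored_ldap_cdps": dict(ignored),
        "status_unknown_failures": failures,
        # Both signatures together point at the LDAP-only CDP cause.
        "matches_article": bool(ignored) and failures > 0,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for uri, count in report["ignored_ldap_cdps"].items():
        print(f"{count}x skipped CDP: {uri}")
    print("status-unknown exceptions:", report["status_unknown_failures"])
    print("matches article:", report["matches_article"])
```

On a vCenter Server, pass the lines of /var/log/vmware/sso/vmware-sts-idmd.log to `triage()` instead of `SAMPLE_LOG`; the distinct URIs it reports show which issuing CA needs an http:// CRL Distribution Point.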

Resolution

To resolve this issue, add a path to an accessible web server as a CRL Distribution Point on the issuing Certificate Authority, and publish Certificate Revocation Lists to that path.

Note: This will require all user certificates to be re-issued.

 
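To work around this issue, disable Certificate Revocation checking by performing the following steps. With revocation checking disabled, vCenter Server accepts smart card certificates without verifying that they have not been revoked.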
 
1. Log into the vSphere client (https://<vCenter-IP-or-FQDN>).
2. Navigate to Administration.
3. Select Configuration under the Single Sign-On section.
4. Select the Smart Card Configuration tab.
5. Select the Certificate Revocation Settings tab at the bottom.
6. Click Edit and select the Disable Revocation Check button.