vCenter Server SmartCard Authentication doesn't work in Firefox with error "User Name and password are required"

Article ID: 313406

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

SmartCard Authentication doesn't work in Firefox, but works as expected in "Microsoft Edge" and "Chrome".

  • The user is connected to vCenter version 7.0U3i or higher, or 8.0 or higher.
  • When the user selects "Smart Card Login" and clicks Login, the following error is displayed in the browser: "User Name and password are required".
  • The following error is displayed in the browser console:

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource (Reason: CORS request did not succeed). Status code: (null).


Environment

VMware vCenter Server 7.0.3
VMware vCenter Server 8.0

Cause

Firefox is very strict in its adherence to the CORS spec as described in Cross-Origin Resource Sharing (CORS).

The vCenter web client needs to send client certificates in the CORS pre-flight request in order to enforce mutual authentication on the redirect port (3128), but Firefox does not allow this by default.

Resolution

To resolve the issue, follow the steps below:

Enable the flag to use client certificates in CORS pre-flight requests:

  1. In Firefox, enter "about:config" in the address bar
  2. Search for 'network.cors_preflight.allow_client_cert' and toggle it to 'true'

Add security exceptions for the VC server cert on the default port (443) and the redirect port (3128):

  1. Open Mozilla Firefox.
  2. In address bar, navigate to about:preferences#privacy
  3. Under Certificates, select View Certificates.
  4. Select Servers > Add Exception and enter the URL into Location: https://<vc-fqdn>/ (replace <vc-fqdn> with the FQDN of the vCenter Server)
  5. Click Get Certificate.
  6. Select Confirm Security Exception.
  7. Repeat steps 4-6 for the URL: https://<vc-fqdn>:3128/



Alternatively, you may also add a security exception using the steps below:

  1. In Firefox, navigate to https://<vc-fqdn>/
  2. Click Advanced
  3. Click Accept the Risk and Continue
  4. Navigate to https://<vc-fqdn>:3128/
  5. Repeat steps 2 and 3.

Verify the proper security exceptions by going to Settings -> Privacy & Security -> Certificates -> View Certificates... Click Servers and verify that two security exceptions are listed for the vCenter.

Example:
  Server                       Certificate Name        Lifetime
  --------------------------------------------------------------
  <vcfqdn>:443                 <certificatename>        Permanent
  <vcfqdn>:3128                <certificatename>        Permanent
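
The same verification can be scripted against a Firefox profile. The following is an added example, not code from the article or from VMware: it checks the text of a profile's prefs.js for the flag and the text of cert_override.txt for exceptions on ports 443 and 3128. The host name vc01.example.test, the sample file contents and the assumed cert_override.txt layout (tab-separated, first field starting with host:port) are constructed for illustration.

```python
import re

PREF = "network.cors_preflight.allow_client_cert"
REQUIRED_PORTS = (443, 3128)  # default port and redirect port from the article
# Matches user_pref("name", value); lines as stored in a profile's prefs.js
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def pref_is_true(prefs_text, name=PREF):
    """True only if the last user_pref entry for `name` has the literal value true."""
    value = None
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)
    return value == "true"

def override_ports(overrides_text, host):
    """Ports with a stored exception for `host`.
    Assumption: non-comment lines are tab-separated and the first field starts
    with host:port; any further ':'-separated suffix is ignored."""
    ports = set()
    for line in overrides_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t", 1)[0].split(":")
        if len(parts) >= 2 and parts[0].lower() == host.lower() and parts[1].isdigit():
            ports.add(int(parts[1]))
    return ports

def audit(prefs_text, overrides_text, host):
    """Return findings; an empty list means the profile matches the resolution steps."""
    findings = []
    if not pref_is_true(prefs_text):
        findings.append(f"{PREF} is not set to true")
    present = override_ports(overrides_text, host)
    for port in REQUIRED_PORTS:
        if port not in present:
            findings.append(f"no security exception stored for {host}:{port}")
    return findings

# Constructed sample data: the pref is enabled but only port 443 has an exception.
SAMPLE_PREFS = 'user_pref("browser.startup.page", 3);\n' \
               'user_pref("network.cors_preflight.allow_client_cert", true);\n'
SAMPLE_OVERRIDES = "# constructed cert_override.txt content\n" \
                   "vc01.example.test:443\tOID.2.16.840.1.101.3.4.2.1\tAA:BB:CC\tU\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS, SAMPLE_OVERRIDES, "vc01.example.test") or ["no findings"]:
        print(finding)
```

To check a real profile, pass the contents of its prefs.js and cert_override.txt to audit() along with the vCenter FQDN.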