Configure RSA for two factor authentication using SAM Account as LDAP attribute

Article ID: 315405

Products

VMware vCenter Server

Issue/Introduction

This article consolidates the minimum steps required to configure RSA SecurID two-factor authentication for vCenter Single Sign-On, using sAMAccountName as the LDAP attribute that maps vCenter users to RSA user IDs.

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.7.x

Resolution

Pre-requisites:

  • Validate that the identity source on the RSA Authentication Manager uses sAMAccountName as its user ID (LDAP) attribute
  • Register the PSC node as a standard authentication agent on the RSA Authentication Manager
  • Validate that the certificates presented by the RSA node are trusted by the PSC
  • Download the sdconf.rec file for that agent from the RSA Authentication Manager
  • Create the sdopts.rec file with one USESERVER entry per RSA Authentication Manager server, in the below format:
USESERVER=<RSA node IP address>
USESERVER=<RSA node IP address>
USESERVER=<RSA node IP address>

Commands to configure:

Run the following on the PSC (or on the vCenter Server with embedded PSC) as root. Replace <SSO Domain> with the SSO domain (for example vsphere.local), <PSC FQDN> with the agent name registered on the RSA Authentication Manager, and <Domain name> with the name of the Active Directory identity source whose users will authenticate with RSA:

/opt/vmware/bin/sso-config.sh -t <SSO Domain> -set_authn_policy -securIDAuthn true
/opt/vmware/bin/sso-config.sh -set_rsa_config -t <SSO Domain> -logLevel DEBUG
/opt/vmware/bin/sso-config.sh -set_rsa_site -t <SSO Domain> -agentName <PSC FQDN> -sdConfFile /root/sdconf.rec -sdOptsFile /root/sdopts.rec
/opt/vmware/bin/sso-config.sh -set_rsa_userid_attr_map -t <SSO Domain> -idsName <Domain name> -ldapAttr sAMAccountName

The DEBUG log level is useful while setting up and testing; lower it again once logins work.

Validate the configuration via the below command (vsphere.local is used as the SSO domain here):

/opt/vmware/bin/sso-config.sh -t vsphere.local -get_rsa_config

Sample Output:

/opt/vmware/bin/sso-config.sh -t vsphere.local -get_rsa_config
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=256M; support was removed in 8.0
logonGuide:   Passcode for soft token users:<br>Enter only the generated token code from app<br><br>Passcode for hard token users:<br> Enter pin + generated token code
logLevel:   DEBUG
logFileSize:   1
maxLogFileCount:   10
connTimeOut:   60
readTimeOut:   60
encAlgList:   [AES/16, AES/32, AES/24]
idsUserIDAttributeMaps:   {<Domain Name>=sAMAccountName}
Sites [

[siteID:   66918bc1-41ae-4463-9eaf-############
agentName:   <PSC FQDN>
sdConfFile:   Binary value
sdOptsFile:   Binary value
]
  • Once completed, restart all services on the PSC, and also on the vCenter Server node in an external PSC deployment
  • Log in to the vSphere Web Client and validate that a user from the mapped identity source can authenticate with their RSA passcode
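The procedure above, wrapped in a shell script as an added example (this is not VMware's own tooling and is not part of the original article): it checks sdconf.rec and sdopts.rec before anything is changed, runs the four sso-config.sh commands in order, then parses the -get_rsa_config output to confirm that the identity source is mapped to sAMAccountName. The script and function names, the SSO_CONFIG override variable and the strict USESERVER=<IPv4> line check are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example, not VMware's own tooling: a wrapper for the sso-config.sh
# steps in this article that checks the input files before touching SSO and
# verifies the resulting user ID attribute mapping. Assumed (not from the
# article): the script and function names, the SSO_CONFIG override variable,
# and that sdopts.rec holds only USESERVER=<IPv4> lines as the article shows.

SSO_CONFIG="${SSO_CONFIG:-/opt/vmware/bin/sso-config.sh}"

# Return 0 when every non-blank line of the sdopts.rec file is
# USESERVER=<dotted IPv4 address>; otherwise report the bad line(s) and return 1.
validate_sdopts() {
  file="$1"
  [ -s "$file" ] || { echo "sdopts.rec missing or empty: $file" >&2; return 1; }
  bad=$(grep -v '^$' "$file" | grep -v -E '^USESERVER=([0-9]{1,3}\.){3}[0-9]{1,3}$' || true)
  if [ -n "$bad" ]; then
    printf 'invalid sdopts.rec line(s):\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# sdconf.rec is a binary file exported from Authentication Manager; all that
# can be checked locally is that it exists and is not empty.
validate_sdconf() {
  [ -s "$1" ] || { echo "sdconf.rec missing or empty: $1" >&2; return 1; }
}

# Run the four sso-config.sh steps from the article in order, stopping at the
# first failure. With run=echo the commands are printed instead of executed,
# which lets you review them before the real run.
sso_config_steps() {
  run="$1"; domain="$2"; ids="$3"; agent="$4"; sdconf="$5"; sdopts="$6"
  $run "$SSO_CONFIG" -t "$domain" -set_authn_policy -securIDAuthn true &&
  $run "$SSO_CONFIG" -set_rsa_config -t "$domain" -logLevel DEBUG &&
  $run "$SSO_CONFIG" -set_rsa_site -t "$domain" -agentName "$agent" \
    -sdConfFile "$sdconf" -sdOptsFile "$sdopts" &&
  $run "$SSO_CONFIG" -set_rsa_userid_attr_map -t "$domain" -idsName "$ids" -ldapAttr sAMAccountName
}

# Read -get_rsa_config output on stdin and return 0 if the identity source
# is mapped to sAMAccountName, i.e. a line of the form
#   idsUserIDAttributeMaps:   {<ids>=sAMAccountName}
# is present.
check_attr_map() {
  grep 'idsUserIDAttributeMaps:' | grep -qF "$1=sAMAccountName"
}

main() {
  if [ "$#" -ne 5 ]; then
    echo "usage: $0 <SSO domain> <identity source name> <PSC FQDN> <sdconf.rec> <sdopts.rec>" >&2
    return 2
  fi
  domain="$1"; ids="$2"; agent="$3"; sdconf="$4"; sdopts="$5"
  validate_sdconf "$sdconf" || return 1
  validate_sdopts "$sdopts" || return 1
  sso_config_steps "" "$domain" "$ids" "$agent" "$sdconf" "$sdopts" || return 1
  # Show the stored configuration and confirm the attribute mapping took effect.
  out=$("$SSO_CONFIG" -t "$domain" -get_rsa_config) || return 1
  printf '%s\n' "$out"
  if printf '%s\n' "$out" | check_attr_map "$ids"; then
    echo "RSA user ID mapping for $ids is sAMAccountName; restart the services to apply it."
  else
    echo "expected $ids=sAMAccountName in idsUserIDAttributeMaps" >&2
    return 1
  fi
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Invoke it as, for example, `./configure-rsa-2fa.sh vsphere.local example.com psc01.example.com /root/sdconf.rec /root/sdopts.rec` (hypothetical names); to see the exact commands without running them, source the file and call `sso_config_steps echo` with the same five arguments. The service restart is deliberately left to the operator, since it interrupts logins.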

Additional Notes:


If the RSA configuration is wrong, follow the below steps to clear it before configuring it again:

  • Connect to the PSC node's directory service via JXplorer
  • Navigate to local->Services->Identitymanager->Tenants-><SSO Domain>
  • Delete the "RSAAgentConfigurations" entry under the SSO domain
  • Log in to the PSC via SSH and delete the directory named after the SSO domain under "/etc/vmware-sso/" (for example /etc/vmware-sso/vsphere.local)
  • Reboot the PSC and the vCenter Server

Additional Information

Ensure there is a valid backup of all PSC and vCenter Server nodes before making these changes, especially in a linked mode deployment, where the SSO configuration is shared across the PSCs.