- Smart card authentication fails when a Subject Alternative Name entry in the certificate carries a trailing space: that entry cannot be parsed, so the whole certificate fails to parse during authentication.
/var/log/vmware/sso/websso.log on vCenter server:
YYYY-MM-DDTHH:MM:SS.938Z ERROR websso[85:tomcat-http--33] [CorId=########-####-####-####-##########4b] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Unable to match an account with certficate SAN extension!'
...
Caused by: com.vmware.identity.idm.IdmClientCertificateParsingException: Empty Subject Alternative Names
...
/var/log/vmware/sso/vmware-identity-sts.log on vCenter server:
YYYY-MM-DDTHH:MM:SS.938Z INFO sts[84:tomcat-http--33] [CorId=########-####-####-####-##########3c] [com.vmware.identity.idm.server.IdentityManager] Authentication failed for user [username#] in tenant [vsphere.local] in [39] milliseconds with provider [xxxxx.xxx] of type [com.vmware.identity.idm.server.provider.ldap.LdapWithAdMappingsProvider]
2022-05-09T08:30:45.938Z ERROR sts[84:tomcat-http--33] [CorId=########-####-####-####-##########3c] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Login failed'
com.vmware.identity.idm.IDMLoginException: Login failed
2022-05-09T08:30:45.942Z INFO sts[84:tomcat-http--33] [CorId=########-####-####-####-##########3c] [com.vmware.identity.sts.InvalidCredentialsException] Censored exception
com.vmware.identity.sts.InvalidCredentialsException: IDM rejected authentication by UPN
- The UPN of the user appears to match an entry in the 'Subject Alternative Name' of the certificate.
- Also, /var/log/vmware/sso/websso.log on the vCenter server indicates that the Subject Alternative Name expected to match ends in a space:
YYYY-MM-DDTHH:MM:SS.938Z INFO websso[95:tomcat-http--33] [CorId=########-####-####-####-##########4b] [com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Validating certificate path for [CN...]
...
Unparseable certificate extensions: 1
[1]: ObjectId: 3.3.33.33 Criticality=false
Unparseable SubjectAlternativeName extension due to
java.io.IOException: invalid URI name:urn:uuid:some-uuid-in-thetext
000000 74 68 69 73 69 73 6a 75 73 74 65 78 61 6d 70 6c thisisjustexampl
000010 65 68 65 78 73 6f 6d 65 75 70 6e 40 73 6f 6d 65 ehexsomeupn@
000020 65 78 61 6d 70 6c 65 2e 63 6f 6d 2e 2e 2e 2e 2e example.com.....
000030 2e 2e 2e 2e 2e 2e 2e 73 65 63 6f 6e 64 65 6e 74 .......secondent
000040 72 79 75 72 6e 3a 75 75 69 64 3a 73 6f 6d 65 2d ryurn:uuid:some-
000050 75 75 69 64 2d 69 6e 2d 74 68 65 74 65 78 74 20 uuid-in-thetext
...
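As an added diagnostic example (not part of this article and not VMware code), the following Python walks the DER of a SubjectAlternativeName extension value and reports which entry a strict parser would reject. The sample SAN is constructed inline from the values visible in the hex dump above (the UPN someupn@example.com and the urn:uuid URI with its trailing space); the Microsoft UPN otherName OID 1.3.6.1.4.1.311.20.2.3 and the all-or-nothing behaviour of the consuming parser (one unparseable entry, no names at all, as the 'Unparseable SubjectAlternativeName extension' and 'Empty Subject Alternative Names' messages indicate) are assumptions labelled in the code.

```python
"""Minimal DER walker for an X.509 SubjectAlternativeName extension value.

Added example, not VMware code. It decodes the GeneralNames SEQUENCE,
checks every entry and shows why one URI with a trailing space leaves an
authenticator with no SAN to match against.
"""
import re

# Context-specific GeneralName tags (RFC 5280 section 4.2.1.6).
GENERAL_NAME_TAGS = {
    0xA0: "otherName",
    0x81: "rfc822Name",
    0x82: "dNSName",
    0x86: "uniformResourceIdentifier",
    0x87: "iPAddress",
}
# DER-encoded OID 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN otherName; assumption).
UPN_OID = bytes.fromhex("2b060104018237140203")
# A URI must start with a scheme; whitespace is never a legal URI character.
URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def der_length(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Encode one tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_san(upn, uri):
    """Constructed SAN value: otherName(UPN) followed by a URI entry.

    otherName is [0] IMPLICIT SEQUENCE { OID, [0] EXPLICIT UTF8String }.
    """
    other_name = tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode("utf-8"))))
    uri_name = tlv(0x86, uri.encode("ascii"))
    return tlv(0x30, other_name + uri_name)


def check_entry(tag, content):
    """Return (kind, text, problem); problem is None when the entry parses cleanly."""
    kind = GENERAL_NAME_TAGS.get(tag, "tag 0x%02x" % tag)
    if tag == 0xA0:  # otherName: OID, then [0] EXPLICIT value
        _, oid, pos = read_tlv(content, 0)
        _, wrapped, _ = read_tlv(content, pos)
        _, value, _ = read_tlv(wrapped, 0)
        if oid == UPN_OID:
            kind = "otherName(UPN)"
        return kind, value.decode("utf-8", "replace"), None
    if tag == 0x86:
        text = content.decode("ascii", "replace")
        if text != text.strip():
            return kind, text, "leading/trailing whitespace (illegal in a URI)"
        if not URI_SCHEME.match(text):
            return kind, text, "missing URI scheme"
        return kind, text, None
    if tag in (0x81, 0x82):
        text = content.decode("ascii", "replace")
        problem = "embedded whitespace" if any(c.isspace() for c in text) else None
        return kind, text, problem
    return kind, content.hex(), None


def check_san(der):
    """Walk the GeneralNames SEQUENCE and check every entry."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SAN value is not a SEQUENCE")
    results, pos = [], 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        results.append(check_entry(tag, content))
    return results


def usable_names(der):
    """Assumed all-or-nothing parser: one bad entry means no SAN names at all."""
    results = check_san(der)
    if any(problem for _, _, problem in results):
        return []
    return [(kind, text) for kind, text, _ in results]


if __name__ == "__main__":
    bad = build_san("someupn@example.com", "urn:uuid:some-uuid-in-thetext ")
    for kind, text, problem in check_san(bad):
        print("%-26s %r  %s" % (kind, text, problem or "ok"))
    print("names available for matching:", usable_names(bad))
```

Run against a real certificate, feed the function the raw value of extension OID 2.5.29.17 (the bytes inside the extension's OCTET STRING); the report names the offending entry, which is what the vCenter log hides behind the hex dump.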