vCenter 6.7 Smart Card Authentication fails when sAMAccountName does not match UserPrincipalName
Article ID: 324272
Products
VMware vSphere ESXi
VMware vCenter Server
Issue/Introduction
Unable to log in to vCenter 6.7 with Smart Card Authentication.
The login fails with the error "Unable to validate submitted credential, Username and Password are required".
Environment
VMware vCenter server 6.7.x
Cause
The user's Active Directory sAMAccountName is not equal to the UserPrincipalName.
vCenter Server is configured to use an Active Directory over LDAP identity source for the Single Sign-On domain.
Resolution
This issue is resolved in VMware vCenter 6.7 U3g.
Workaround:
Update the user's Active Directory account so that sAMAccountName and UserPrincipalName match the Smart Card certificate's Subject Alternative Name: Principal Name.
Or
Reissue the Smart Card certificate so that its Subject Alternative Name: Principal Name matches the Active Directory sAMAccountName and UserPrincipalName.
Or
Reconfigure the vSphere Single Sign-On Windows Domain Identity Source to use Integrated Windows Authentication instead of AD over LDAP. For more information, see "Shown as Active Directory (Integrated Windows Authentication) in the vSphere Client. vCenter Single Sign-On allows you to specify a single Active Directory domain as an identity source."
Or
Install the vSphere Client Browser Enhanced Authentication Plugin and use Windows SSPI to log in with Smart Card credentials. The client must be joined to the same domain as vCenter, or to a domain that trusts the domain vCenter is joined to.
Navigate to C:\Program Files (x86)\VMware\Enhanced Authentication Plug-in 6.7
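To find out before an upgrade or reissue whether a given account is affected, the check below reads the Principal Name from a smart card certificate's Subject Alternative Name and compares it with the AD user's sAMAccountName and UserPrincipalName; a bulk variant lists every user whose sAMAccountName differs from the UPN prefix. This is an added example, not a script from the VMware KB; it assumes the RSAT ActiveDirectory module is installed and the certificate has been exported to a .cer file (the path is a placeholder).

```powershell
# Added example (not from the VMware KB). Assumes the ActiveDirectory module
# (RSAT) is available and the user's smart card certificate is exported as .cer.
Import-Module ActiveDirectory

function Get-CertPrincipalName {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    # 2.5.29.17 is the Subject Alternative Name extension; on Windows Format()
    # renders the otherName UPN entry as "Principal Name=user@domain".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { throw "Certificate has no Subject Alternative Name extension" }
    if ($san.Format($true) -match 'Principal Name=(\S+)') { return $Matches[1] }
    throw "SAN contains no Principal Name (UPN) entry"
}

function Test-SmartCardAccountMatch {
    # Returns $true only when certificate UPN, AD UserPrincipalName and
    # sAMAccountName all agree, which is what the KB workarounds establish.
    param([Parameter(Mandatory)][string]$CertPath)
    $upn  = Get-CertPrincipalName -CertPath $CertPath
    $user = Get-ADUser -Filter "userPrincipalName -eq '$upn'" -Properties sAMAccountName, userPrincipalName
    if (-not $user) {
        Write-Warning "No AD user has UserPrincipalName '$upn'; certificate and AD disagree"
        return $false
    }
    $prefix = $user.userPrincipalName.Split('@')[0]
    if ($user.sAMAccountName -ne $prefix) {
        $msg = "sAMAccountName '{0}' differs from UPN prefix '{1}': smart card login to vCenter 6.7 " +
               "over an AD over LDAP identity source fails before 6.7 U3g"
        Write-Warning ($msg -f $user.sAMAccountName, $prefix)
        return $false
    }
    Write-Host "OK: certificate UPN, sAMAccountName and UserPrincipalName agree for $($user.sAMAccountName)"
    return $true
}

function Find-UpnMismatchedUsers {
    # Lists every enabled user whose sAMAccountName differs from the UPN prefix,
    # i.e. the accounts the cause described in this KB applies to.
    Get-ADUser -Filter 'Enabled -eq $true -and userPrincipalName -like "*"' -Properties sAMAccountName, userPrincipalName |
        Where-Object { $_.sAMAccountName -ne $_.userPrincipalName.Split('@')[0] } |
        Select-Object sAMAccountName, userPrincipalName
}

# Usage (placeholder certificate path):
Test-SmartCardAccountMatch -CertPath 'C:\temp\smartcard-user.cer'
Find-UpnMismatchedUsers | Format-Table -AutoSize
```

Accounts reported by Find-UpnMismatchedUsers are the ones that need the first or second workaround above (or the U3g fix) before AD over LDAP smart card login will work.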