vCenter 6.7 Smart Card Authentication fails when sAMAccountName does not match UserPrincipalName
Article ID: 324272

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • Unable to login with Smart Card Authentication to vCenter 6.7
    • Fails with "Unable to validate submitted credential, Username and Password are required".


Environment

VMware vSphere 6.7.x

Cause

  • User Active Directory sAMAccountName is not equal to UserPrincipalName
And
  • vCenter Server is configured to use an AD over LDAP Single Sign-On Domain Identity Source
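The following PowerShell is an added diagnostic example, not part of the KB article and not VMware code. It reports whether an Active Directory account's sAMAccountName is consistent with its userPrincipalName, and optionally compares the AD UPN with the Principal Name in a smart card certificate's Subject Alternative Name. It assumes the RSAT ActiveDirectory module is available, that "match" means UPN equals sAMAccountName@domain (an assumption, since a sAMAccountName never carries the @suffix), and that the SAN text rendered by .NET contains the literal "Principal Name=" label. The identity and certificate path in the usage line are placeholders.

```powershell
# Added example (not from the VMware KB): detect the sAMAccountName / UPN mismatch that
# this article names as the cause, and optionally compare with a smart card certificate.
# Requires the RSAT ActiveDirectory module (Get-ADUser) and read access to the domain.

function Get-CertificateUpn {
    # Extract the Principal Name (UPN) from the certificate's Subject Alternative Name
    # extension (OID 2.5.29.17). Returns $null when the certificate carries no SAN UPN.
    param([Parameter(Mandatory)][string]$CertificatePath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    # Format($true) renders the SAN as text such as "Other Name: Principal Name=jdoe@corp.example"
    # (assumed label text; it is what the Windows crypto provider emits in English locales).
    if ($san.Format($true) -match 'Principal Name=([^\s,]+)') { return $Matches[1] }
    return $null
}

function Test-SmartCardUpnAlignment {
    # Compare one account's sAMAccountName with the prefix of its UPN, and (optionally)
    # the AD UPN with the UPN embedded in the user's smart card certificate.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$CertificatePath
    )
    $user      = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName
    $upn       = $user.UserPrincipalName
    $upnPrefix = if ($upn) { ($upn -split '@')[0] } else { '' }

    $result = [ordered]@{
        SamAccountName    = $user.SamAccountName
        UserPrincipalName = $upn
        SamMatchesUpn     = ($upnPrefix -ieq $user.SamAccountName)   # assumption: match = same prefix
        CertificateUpn    = $null
        CertMatchesAdUpn  = $null
    }
    if ($CertificatePath) {
        $certUpn = Get-CertificateUpn -CertificatePath $CertificatePath
        $result.CertificateUpn   = $certUpn
        $result.CertMatchesAdUpn = ($certUpn -ieq $upn)
    }
    [pscustomobject]$result
}

function Find-UpnMismatch {
    # List every enabled account in a search base whose UPN prefix differs from its
    # sAMAccountName; these are the accounts this KB says will fail smart card logon.
    param([string]$SearchBase)
    $params = @{ Filter = 'Enabled -eq $true'; Properties = 'userPrincipalName' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params | Where-Object {
        $_.UserPrincipalName -and (($_.UserPrincipalName -split '@')[0] -ine $_.SamAccountName)
    } | Select-Object SamAccountName, UserPrincipalName
}

# Usage (placeholder identity and certificate path):
# Test-SmartCardUpnAlignment -SamAccountName 'jdoe' -CertificatePath 'C:\temp\jdoe.cer'
# Find-UpnMismatch -SearchBase 'OU=Users,DC=corp,DC=example'
```

Run Find-UpnMismatch before applying either of the first two workarounds in the Resolution section to see how many accounts are affected; an account that appears in its output but whose certificate UPN equals the AD UPN is the exact case described in this article.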

Resolution

This issue is resolved in VMware vCenter 6.7 U3g.


    Workaround:
    • Update the user’s Active Directory account so that sAMAccountName and UserPrincipalName match the Smart Card certificate Subject Alternative Name: Principal Name
    Or
    • Reissue the Smart Card certificate so that Subject Alternative Name: Principal Name matches the Active Directory sAMAccountName and UserPrincipalName
    Or
    • Install the vSphere Client Browser Enhanced Authentication Plugin and use Windows SSPI to log in with Smart Card credentials. The client must be joined to the same domain as vCenter Server, or to a domain that trusts the domain vCenter Server is joined to.
      • Navigate to C:\Program Files (x86)\VMware\Enhanced Authentication Plug-in 6.7
      • Merge WindowsAuthKey_x64.reg
      • Open Registry Editor and navigate to [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\CIP]
      • Set the value "UseSmartCardPrompt"=dword:00000001
    The Enhanced Authentication Plug-in provides Integrated Windows Authentication and Windows-based smart card functionality. https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.vm_admin.doc/GUID-E640124B-BB55-4D29-AADD-296E01CF88C8.html
     
    Note: For issues installing the Enhanced Authentication Plugin, see https://kb.vmware.com/s/article/2149885
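The PowerShell below is an added example, not part of the KB article and not VMware code. It applies the third workaround (Enhanced Authentication Plug-in registry setting) idempotently and verifies the result instead of relying on a manual Registry Editor edit. The plug-in directory, .reg file name, registry key and value are taken from the article; importing the .reg file with reg.exe is an assumed equivalent of merging it by hand, and the script is assumed to run in an elevated session on the client machine.

```powershell
# Added example (not from the VMware KB): apply and verify the Enhanced Authentication
# Plug-in smart card workaround. Run from an elevated PowerShell session on the client.

$PluginDir = 'C:\Program Files (x86)\VMware\Enhanced Authentication Plug-in 6.7'   # from the KB
$RegFile   = Join-Path $PluginDir 'WindowsAuthKey_x64.reg'                          # from the KB
$CipKey    = 'HKLM:\SOFTWARE\Wow6432Node\VMware, Inc.\CIP'                          # from the KB
$ValueName = 'UseSmartCardPrompt'                                                   # from the KB

function Test-SmartCardPromptEnabled {
    # True only when the CIP key exists and UseSmartCardPrompt is the DWORD 1.
    $prop = Get-ItemProperty -Path $CipKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.$ValueName -eq 1)
}

function Enable-SmartCardPrompt {
    if (-not (Test-Path -LiteralPath $PluginDir)) {
        throw "Enhanced Authentication Plug-in not found at '$PluginDir'; install it first (see KB 2149885)."
    }
    if (Test-Path -LiteralPath $RegFile) {
        # Assumed equivalent of "Merge WindowsAuthKey_x64.reg" from the KB steps.
        & reg.exe import "$RegFile" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe import of '$RegFile' failed with exit code $LASTEXITCODE" }
    } else {
        Write-Warning "'$RegFile' not found; skipping the .reg merge"
    }
    if (-not (Test-Path -LiteralPath $CipKey)) {
        New-Item -Path $CipKey -Force | Out-Null
    }
    # "UseSmartCardPrompt"=dword:00000001 from the KB
    Set-ItemProperty -Path $CipKey -Name $ValueName -Value 1 -Type DWord
    if (-not (Test-SmartCardPromptEnabled)) {
        throw "Failed to set $ValueName=1 under $CipKey"
    }
    "$ValueName is set to 1 under $CipKey"
}

if (Test-SmartCardPromptEnabled) {
    "$ValueName is already set to 1 under $CipKey; nothing to do"
} else {
    Enable-SmartCardPrompt
}
```

Because the check reads the value back after writing it, the script fails loudly if the key is redirected or the write is blocked by policy, rather than leaving the client silently without the smart card prompt.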