Smart Card Authentication stops working after upgrading to vCenter Server 7.0u3i

Article ID: 324285

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
After upgrading to vCenter Server 7.0u3i, attempts to log in to vCenter Server with a smart card fail with the error message “Username and password required”.

Environment

VMware vCenter Server 7.0.3

Cause

Smart Card Authentication may fail for the following reasons:
  • Port 3128 is blocked: Network firewall policies are preventing client browsers from communicating with the vCenter server over port 3128.
  • Port 3128 is not listening: https://github.com/vmware/dod-compliance-and-automation/issues/135
    • The /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties template file needs to include "bio-ssl-clientauth.https.port=3128".
  • The /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem file does not exist OR is not populated with trusted smart card signing CA certificates.
  • In Firefox browsers, the default CORS policy may be preventing the browser from redirecting to port 3128.

Resolution

Validate that your Smart Card configuration adheres to the following documented requirements for vCenter 7.0u3i:
  • Open port 3128

To complete smart card authentication, clients must be permitted access to port 3128/TCP on the appropriate vCenter Server. Check your perimeter firewalls to ensure that this access has been granted. See https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-DE48ED27-E48B-4FDA-B3C8-DD7127BF6879.html

  • Configure clienttrustCA.pem
Create a certificate store on the vCenter Server using the exact path and PEM file name /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem (the name is case-sensitive). See https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-DE48ED27-E48B-4FDA-B3C8-DD7127BF6879.html
 
  • Create the PEM file with a single certificate:
# cd /usr/lib/vmware-sso/
# openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer > /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem

Add further certificates with the same command: replace the .cer file name with the name of the next certificate and use '>>' instead of '>' so the certificate is appended to the PEM file rather than overwriting it.

# cd /usr/lib/vmware-sso/
# openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer >> /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem
  • Validate the contents of the clienttrustCA.pem file contain the trusted CAs that signed the smart card certificates.
# keytool -printcert -file /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem | grep -i "owner\|sha1\|issuer:\|valid"
  • Check that the trusted CA names match, either with sso-config.sh or in the vSphere Client under Single Sign On, Configuration, Smart Card Configuration, Smart Card Authentication, Trusted CA Certificates
# sso-config.sh -get_authn_policy -t vsphere.local | grep trusted

Note: These must match the certificate chain of the smart card user certificate, i.e. the root and intermediate certificates must have matching thumbprints, names, validity dates, etc. On the client computer, run 'c:\> certutil -scinfo' to view the user's smart card certificate and the signing CA path for that certificate.

(Optional) An existing .crt bundle can be converted to PEM using openssl (if the .crt file is DER-encoded rather than PEM, add -inform DER to the command):
 
# openssl x509 -in cert.crt -out clienttrustCA.pem

Note: the vmware-sts service must be restarted after configuring smart card authentication.

# /usr/lib/vmware-vmon/vmon-cli --restart sts
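The following shell script is an added example, not VMware's code and not part of this article: it turns the prerequisites above (catalina.properties pins the client-auth port to 3128, clienttrustCA.pem exists and holds at least one CA certificate, and something listens on 3128 after the restart) into repeatable checks. The file paths default to the vCenter locations named in this article; each function also accepts an explicit path, and the demonstration at the end runs against constructed sample files so it can be tried outside the appliance. The use of ss(8) or netstat(8) for the listener check is an assumption about the appliance, not something the article states.

```shell
#!/bin/sh
# Added example (not VMware's code): preflight checks for the smart card
# prerequisites this article lists. Default paths are the vCenter locations
# named in the article; pass a path to check a different file.

STS_CONF="${STS_CONF:-/usr/lib/vmware-sso/vmware-sts/conf}"

# Succeeds if catalina.properties pins the smart card client-auth port to 3128.
check_catalina_port() {
    props="${1:-$STS_CONF/catalina.properties}"
    [ -r "$props" ] && grep -q '^bio-ssl-clientauth\.https\.port=3128[[:space:]]*$' "$props"
}

# Prints the number of PEM certificate blocks in clienttrustCA.pem (0 if the file
# is absent or empty), i.e. how many signing CAs will be trusted for smart card logins.
count_trust_certs() {
    pem="${1:-$STS_CONF/clienttrustCA.pem}"
    [ -r "$pem" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true
}

# Succeeds if a TCP listener is bound to port 3128. Assumes ss(8) or netstat(8)
# is available (assumption, not stated by the article).
check_port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q ':3128[[:space:]]'
    else
        netstat -ltn 2>/dev/null | grep -q ':3128[[:space:]]'
    fi
}

# Runs the file-based checks and prints one PASS/FAIL line per prerequisite.
# Returns 0 only if every check passed.
report() {
    props="$1"; pem="$2"; rc=0
    if check_catalina_port "$props"; then
        echo "PASS $props sets bio-ssl-clientauth.https.port=3128"
    else
        echo "FAIL bio-ssl-clientauth.https.port=3128 missing from $props"; rc=1
    fi
    n=$(count_trust_certs "$pem")
    if [ "$n" -gt 0 ]; then
        echo "PASS $pem contains $n CA certificate(s)"
    else
        echo "FAIL $pem is missing or holds no certificates"; rc=1
    fi
    return $rc
}

# Demonstration on constructed sample files (not a real vCenter appliance).
demo_dir=$(mktemp -d)
printf '%s\n' 'bio-ssl-clientauth.https.port=3128' > "$demo_dir/catalina.properties"
# Two placeholder PEM blocks; the bodies are not real certificates.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-1' '-----END CERTIFICATE-----' \
               '-----BEGIN CERTIFICATE-----' 'placeholder-2' '-----END CERTIFICATE-----' \
               > "$demo_dir/clienttrustCA.pem"
report "$demo_dir/catalina.properties" "$demo_dir/clienttrustCA.pem"
: > "$demo_dir/clienttrustCA.pem"   # empty file, as seen after the upgrade
report "$demo_dir/catalina.properties" "$demo_dir/clienttrustCA.pem" || echo "(empty PEM reported as expected)"
rm -rf "$demo_dir"
```

On the appliance, run `report` with no custom paths after `report` has been adapted to your environment (or call `check_catalina_port`, `count_trust_certs` and `check_port_listening` directly); a FAIL on the PEM count together with a "Username and password required" prompt points at the empty clienttrustCA.pem cause described above, and a port check that fails after the restart points at the catalina.properties template or the firewall.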

Firefox requires additional CORS configuration. See the KB article "vCenter Server SmartCard Authentication doesn't work in Firefox with error "User Name and password are required"".

Additional Information

See Smart Card and RSA SecurID Authentication stops after upgrading to vCenter Server 7.0