Validate that your Smart Card configuration adheres to the following documented requirements for vCenter 7.0u3i:
To complete smart card authentication, clients must be permitted access to port 3128/TCP on the appropriate vCenter Server; this is the reverse proxy port on which vCenter requests the client certificate. Check your perimeter firewalls to ensure that access has been granted. See Configure vCenter Server Smart Card Authentication to Request Client Certificates.
- Configure clienttrustCA.pem, the trusted CA bundle read by the STS (/usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem)
- Create the PEM file with a single certificate:
# cd /usr/lib/vmware-sso/
# openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer > /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem
To add further certificates (for example each intermediate CA in the smart card chain), run the same command with the new certificate file name in place of the .cer shown, using '>>' so the certificate is appended to the PEM file instead of overwriting it:
# cd /usr/lib/vmware-sso/
# openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer >> /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem
- Validate that clienttrustCA.pem contains exactly the trusted CAs that signed the smart card user certificates (root and every intermediate):
# keytool -printcert -file /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem | grep -i "owner\|sha1\|issuer:\|valid"
- Check that the CAs the STS trusts match, either with sso-config.sh or in the vSphere Client under Single Sign On, Configuration, Smart Card Configuration, Smart Card Authentication, Trusted CA Certificates:
# sso-config.sh -get_authn_policy -t vsphere.local | grep trusted
Note: These must match the certificate chain of the smart card user certificate, i.e. the root and intermediate certificates must have matching thumbprints, subject names and validity dates. On the client computer, use 'c:\> certutil -scinfo' to view the user's smart card certificate and the signing CA path for it.
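The validation steps above, as an added audit script (not part of the original page and not VMware's own tooling): it checks that clienttrustCA.pem is well-formed, then for each certificate prints the same fields the keytool check shows (subject, issuer, validity window, SHA-1 thumbprint) and warns about anything that is not a CA or has already expired, the two mistakes that most often leave the bundle looking correct while the chain still fails to validate. The function names are the example's own; the bundle path defaults to the one documented on this page.

```shell
#!/bin/sh
# Added example (not from the original page or VMware): audit the
# clienttrustCA.pem bundle that the vCenter STS reads for smart card
# authentication. Usage:
#   sh audit_clienttrust.sh /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem
DEFAULT_BUNDLE=/usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem

# Number of PEM certificate blocks in a bundle (text only, no openssl needed).
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds when every BEGIN marker has a matching END marker and there is at
# least one certificate; a truncated paste is the usual way the bundle breaks.
pem_is_balanced() {
  b=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
  e=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
  [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# Emit the n-th certificate (1-based) of a bundle as its own PEM block.
nth_cert() {
  awk -v n="$2" '
    /^-----BEGIN CERTIFICATE-----/ { i++ }
    i == n                         { print }
    /^-----END CERTIFICATE-----/   { if (i == n) exit }
  ' "$1"
}

# Same fields the keytool check on the page shows, for the PEM cert on stdin.
describe_cert() {
  openssl x509 -noout -subject -issuer -dates -fingerprint -sha1
}

# Only CAs belong in clienttrustCA.pem: a user or server certificate pasted
# in by mistake chains nothing. Checks the basicConstraints CA:TRUE flag.
is_ca_cert() {
  openssl x509 -noout -text | grep -q 'CA:TRUE'
}

# Non-zero if the cert on stdin has already expired (-checkend 0).
is_unexpired() {
  openssl x509 -noout -checkend 0 >/dev/null
}

# Walk the bundle and report; returns non-zero if anything needs attention.
audit_bundle() {
  f="$1"; rc=0
  if ! pem_is_balanced "$f"; then
    echo "FAIL: $f has unbalanced BEGIN/END CERTIFICATE markers"
    return 1
  fi
  n=$(count_certs "$f")
  echo "$f: $n certificate(s)"
  i=1
  while [ "$i" -le "$n" ]; do
    echo "--- certificate $i"
    nth_cert "$f" "$i" | describe_cert
    nth_cert "$f" "$i" | is_ca_cert   || { echo "WARN: certificate $i is not a CA (no basicConstraints CA:TRUE)"; rc=1; }
    nth_cert "$f" "$i" | is_unexpired || { echo "WARN: certificate $i has expired"; rc=1; }
    i=$((i + 1))
  done
  return "$rc"
}

# Run only when a bundle path is given; pass $DEFAULT_BUNDLE on the appliance.
if [ $# -ge 1 ]; then
  audit_bundle "$1"
fi
```

Compare the thumbprints printed here with the Trusted CA Certificates shown by the vSphere Client or by sso-config.sh, and with the CA path that certutil -scinfo shows on the client; every issuer in the user certificate's chain must appear, and nothing else should.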
(Optional) An existing .crt certificate can be converted to PEM with openssl. Note that openssl x509 reads only the first certificate in its input, so a file holding several certificates must be converted one certificate at a time (appending with '>>' as above), and a DER-encoded .crt needs '-inform DER':
# openssl x509 -in cert.crt -out clienttrustCA.pem
Note: the vmware-sts service must be restarted after configuring smart card authentication.
# /usr/lib/vmware-vmon/vmon-cli --restart sts
The Firefox browser requires additional CORS configuration; see vCenter Server SmartCard Authentication doesn't work in Firefox with error "User Name and password are required".