Smart Card Logon fails on vCenter when a UPN is not present in User Certificate



Article ID: 324291



Products: VMware vCenter Server, VMware vSphere ESXi


Symptoms

Smart Card Authentication fails on vCenter with 'Unable to validate submitted credential'. The following error is logged in '/var/log/vmware/sso/websso.log':

[2018-09-24T22:08:06.712Z  tomcat-http--2  557c7e14-117d-4d27-86b6-5cd98787004c ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: [401, Unable to validate the submitted credential.], message


Environment

VMware vCenter Server Appliance 6.5.x
VMware vSphere 7.0.x
VMware vSphere 6.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.5.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.7.x


Cause

vCenter 7.0 and vCenter 6.x do not support certificates that are missing a UPN entry in the Subject Alternative Name. The following error is logged in '/var/log/vmware/sso/websso.log':

[2018-09-24T22:08:06.506Z  tomcat-http--2  557c7e14-117d-4d27-86b6-5cd98787004c ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception.
com.vmware.identity.idm.IdmClientCertificateParsingException: No UPN entry in Subject Alternative Names extension
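
As an added diagnostic, not part of this article or of VMware's code, the following Python script walks a certificate's DER and reports whether its Subject Alternative Name contains a Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3), the entry the exception above says is missing. It uses only the standard library, so it can run on any host where the user certificate can be exported. The SAN extensions it checks when run without a file argument are constructed inside the script with hypothetical values (jdoe@corp.example); the helpers build_san_extension and certificate_upn are names chosen here, not a VMware API.

```python
"""Report whether an X.509 certificate's Subject Alternative Name carries a
Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3), the entry vCenter's
websso.log reports as missing. Standard-library-only minimal DER walk."""
import base64
import sys

SAN_OID = bytes.fromhex("551d11")                 # 2.5.29.17 subjectAltName
UPN_OID = bytes.fromhex("2b060104018237140203")   # 1.3.6.1.4.1.311.20.2.3 UPN


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV at pos (definite lengths only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    """Yield (tag, content) for each TLV in a constructed body."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        yield tag, content


def find_san_general_names(der):
    """Depth-first search for Extension { OID 2.5.29.17, [critical], OCTET STRING };
    return the GeneralNames DER held in the OCTET STRING, or None if no SAN exists."""
    for tag, content in _iter_tlvs(der):
        if tag == 0x30:                            # SEQUENCE: an Extension candidate
            children = list(_iter_tlvs(content))
            if children and children[0] == (0x06, SAN_OID) and children[-1][0] == 0x04:
                return children[-1][1]
        if tag & 0x20:                             # constructed type: descend
            found = find_san_general_names(content)
            if found is not None:
                return found
    return None


def san_entries(general_names):
    """Decode GeneralNames into (kind, text) pairs; UPN otherNames are fully decoded."""
    _, seq, _ = _read_tlv(general_names, 0)
    entries = []
    for gtag, gval in _iter_tlvs(seq):
        choice = gtag & 0x1F                       # context-specific CHOICE number
        if choice == 0:                            # otherName: OID type-id, [0] EXPLICIT value
            (_, type_id), (_, wrapped) = list(_iter_tlvs(gval))[:2]
            if type_id == UPN_OID:
                _, upn, _ = _read_tlv(wrapped, 0)  # the value is a UTF8String
                entries.append(("UPN", upn.decode("utf-8")))
            else:
                entries.append(("otherName", type_id.hex()))
        elif choice == 1:
            entries.append(("rfc822Name", gval.decode("ascii")))
        elif choice == 2:
            entries.append(("dNSName", gval.decode("ascii")))
        else:
            entries.append((f"[{choice}]", gval.hex()))
    return entries


def certificate_upn(cert_bytes):
    """Return the UPN from the SAN, or None when absent (the case vCenter rejects). PEM or DER."""
    der = cert_bytes
    if b"-----BEGIN" in cert_bytes:
        body = b"".join(l for l in cert_bytes.splitlines() if not l.startswith(b"-----"))
        der = base64.b64decode(body)
    names = find_san_general_names(der)
    if names is None:
        return None
    return next((text for kind, text in san_entries(names) if kind == "UPN"), None)


# --- constructed test data (hypothetical values, not taken from a real certificate) ---

def _tlv(tag, content):
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_san_extension(entries):
    """Build a SEQUENCE OF Extension holding one subjectAltName, shaped like a cert's extensions field."""
    names = b""
    for kind, text in entries:
        if kind == "UPN":
            other = _tlv(0x06, UPN_OID) + _tlv(0xA0, _tlv(0x0C, text.encode()))
            names += _tlv(0xA0, other)             # [0] IMPLICIT OtherName
        elif kind == "rfc822Name":
            names += _tlv(0x81, text.encode())
        elif kind == "dNSName":
            names += _tlv(0x82, text.encode())
    ext = _tlv(0x06, SAN_OID) + _tlv(0x04, _tlv(0x30, names))
    return _tlv(0x30, _tlv(0x30, ext))


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # usage: python check_upn.py user.cer
        data = open(sys.argv[1], "rb").read()
    else:                                          # no file given: show the failing constructed case
        data = build_san_extension([("rfc822Name", "jdoe@corp.example")])
    upn = certificate_upn(data)
    print("UPN:", upn if upn else "ABSENT (vCenter smart card logon will fail)")
```

Run it against the exported user certificate (PEM or DER) before rolling smart card logon out; a certificate that carries only an rfc822Name or dNSName entry is exactly the shape that produces the 'No UPN entry in Subject Alternative Names extension' exception, and the script reports it as ABSENT.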


Resolution

Because such a certificate is not supported, authenticate with one of the other supported methods instead: Windows session authentication (SSPI), a smart card with a UPN-based Common Access Card (CAC), or an RSA SecurID token. See,

Additional Information

vCenter 6.7 Smart Card Authentication fails when sAMAccountName does not match UserPrincipalName