Smart Card Logon fails on vCenter when a UPN is not present in User Certificate
Article ID: 324291
Products
VMware vCenter Server, VMware vSphere ESXi
Issue/Introduction
Symptoms: Smart Card Authentication fails on vCenter with 'Unable to validate submitted credential'. The following error is logged in '/var/log/vmware/sso/websso.log':
[2018-09-24T22:08:06.712Z tomcat-http--2 557c7e14-117d-4d27-86b6-5cd98787004c ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: [401, Unable to validate the submitted credential.], message
Environment
VMware vCenter Server Appliance 6.5.x, VMware vSphere 7.0.x, VMware vSphere 6.x, VMware vCenter Server Appliance 6.0.x, VMware vCenter Server 6.5.x, VMware vCenter Server 6.0.x, VMware vCenter Server Appliance 6.7.x, VMware vCenter Server 6.7.x
Cause
vCenter 7.0 and vCenter 6.x do not support user certificates that are missing a UPN entry in the Subject Alternative Name extension. The following error is logged in '/var/log/vmware/sso/websso.log':
[2018-09-24T22:08:06.506Z tomcat-http--2 557c7e14-117d-4d27-86b6-5cd98787004c ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception. com.vmware.identity.idm.IdmClientCertificateParsingException: No UPN entry in Subject Alternative Names extension
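To confirm which case a certificate falls into before it reaches vCenter, the following added example (not from this article or from VMware) walks the DER of a certificate's Subject Alternative Name extension and returns the UPN carried in an otherName entry of type 1.3.6.1.4.1.311.20.2.3, or None when no such entry exists, which is the condition behind the "No UPN entry in Subject Alternative Names extension" error above. The encode_san helper and its sample names are constructed only to produce test input.

```python
# Added diagnostic: does a SAN extension carry the UPN otherName that vCenter smart card
# logon requires? Minimal DER walker over the SAN value (GeneralNames), not a full X.509 parser.
from typing import List, Optional, Tuple

UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 (szOID_NT_PRINCIPAL_NAME)

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_san(names: List[Tuple[str, str]]) -> bytes:
    """Build a DER GeneralNames SEQUENCE from ('upn' | 'email', value) pairs (constructed test input)."""
    out = b""
    for kind, value in names:
        if kind == "upn":  # [0] otherName { type-id OID, [0] EXPLICIT UTF8String }
            out += _tlv(0xA0, _tlv(0x06, UPN_OID) + _tlv(0xA0, _tlv(0x0C, value.encode())))
        elif kind == "email":  # [1] rfc822Name (IA5String)
            out += _tlv(0x81, value.encode("ascii"))
    return _tlv(0x30, out)

def find_upn(san_der: bytes) -> Optional[str]:
    """Return the UPN in a DER GeneralNames, or None: the case vCenter rejects."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN value is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0:  # only otherName ([0]) can carry a UPN
            continue
        oid_tag, oid, nxt = _read_tlv(body, 0)
        if oid_tag == 0x06 and oid == UPN_OID:
            _, explicit, _ = _read_tlv(body, nxt)  # strip the [0] EXPLICIT wrapper
            str_tag, utf8, _ = _read_tlv(explicit, 0)
            if str_tag == 0x0C:
                return utf8.decode("utf-8")
    return None
```

Feed find_upn the raw value octets of the SAN extension taken from the user's certificate (for example from an ASN.1 dump of the DER file); a certificate that only carries an rfc822Name e-mail address returns None and will fail vCenter smart card logon.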
Resolution
You can authenticate by using Windows session authentication (SSPI), a smart card (UPN-based Common Access Card or CAC), or an RSA SecurID token. See https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-ACFFCBEC-6C1C-4BF9-9971-04AEE9362AFE.html