Smart Card Logon fails on vCenter when a UPN is not present in User Certificate
Article ID: 324291

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Symptoms:
Smart Card Authentication fails on vCenter with 'Unable to validate submitted credential'. The following error is logged in '/var/log/vmware/sso/websso.log':

[2018-09-24T22:08:06.712Z  tomcat-http--2  557c7e14-117d-4d27-86b6-5cd98787004c ERROR com.vmware.identity.BaseSsoController] Sending error to browser. ERROR: [401, Unable to validate the submitted credential.], message

Environment

VMware vCenter Server Appliance 6.5.x
VMware vSphere 7.0.x
VMware vSphere 6.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server 6.5.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.7.x

Cause

vCenter 7.0 and vCenter 6.x do not support smart card user certificates that lack a UPN entry in the Subject Alternative Name (SAN) extension. The following error is logged in '/var/log/vmware/sso/websso.log':

[2018-09-24T22:08:06.506Z  tomcat-http--2  557c7e14-117d-4d27-86b6-5cd98787004c ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception.
com.vmware.identity.idm.IdmClientCertificateParsingException: No UPN entry in Subject Alternative Names extension
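The UPN that vCenter looks for is not the certificate's e-mail address or subject; it is an otherName entry in the SAN whose type is the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3 (szOID_NT_PRINCIPAL_NAME), carrying a UTF8String such as user@example.com. The following is an added example, not VMware code: it builds two constructed SAN extension values with a minimal DER encoder (one with a UPN otherName plus an rfc822Name, one with only the rfc822Name) and then walks them with a minimal DER decoder, which is the same check the SSO service is performing when it raises IdmClientCertificateParsingException. It uses only the Python standard library; the function and variable names are this example's own.

```python
"""Check whether an X.509 subjectAltName value carries a UPN otherName.

Added example, not part of the VMware KB article. Models the check behind
"No UPN entry in Subject Alternative Names extension": the SAN must contain an
otherName whose type-id is szOID_NT_PRINCIPAL_NAME (1.3.6.1.4.1.311.20.2.3).
Standard library only; the DER encoder/decoder below handles just the subset
of ASN.1 needed for a SAN (SEQUENCE, OID, context tags, UTF8/IA5 strings).
"""
from typing import Optional, Tuple

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft szOID_NT_PRINCIPAL_NAME


# ---- minimal DER encoder (used only to construct sample input) ----

def _len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_san(upn: Optional[str], email: Optional[str]) -> bytes:
    """Constructed SAN extension value (the DER inside the OCTET STRING)."""
    names = []
    if upn is not None:
        # otherName ::= [0] { type-id OID, value [0] EXPLICIT UTF8String }
        inner = _encode_oid(UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode()))
        names.append(_tlv(0xA0, inner))
    if email is not None:
        names.append(_tlv(0x81, email.encode()))  # rfc822Name [1] IA5String
    return _tlv(0x30, b"".join(names))  # GeneralNames ::= SEQUENCE OF GeneralName


# ---- minimal DER decoder (the validation side) ----

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after this element)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]  # valid for first arc 0..2 with second < 40
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def find_upn(san_der: bytes) -> Optional[str]:
    """Return the UPN string from the SAN, or None if no UPN otherName exists."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0xA0:  # only otherName [0] can carry a UPN; skip dNSName, rfc822Name, ...
            continue
        oid_tag, oid_body, p = _read_tlv(body, 0)
        if oid_tag != 0x06 or _decode_oid(oid_body) != UPN_OID:
            continue  # some other otherName type
        val_tag, wrapped, _ = _read_tlv(body, p)
        str_tag, text, _ = _read_tlv(wrapped, 0)
        if val_tag == 0xA0 and str_tag == 0x0C:
            return text.decode("utf-8")
    return None


def vcenter_would_accept(san_der: bytes) -> bool:
    """True when the SAN satisfies the UPN requirement described in the KB."""
    return find_upn(san_der) is not None


if __name__ == "__main__":
    good = build_san("user@example.com", "user@example.com")  # constructed sample
    bad = build_san(None, "user@example.com")                 # e-mail only
    print("with UPN   ->", find_upn(good), vcenter_would_accept(good))
    print("without UPN->", find_upn(bad), vcenter_would_accept(bad))
```

On a real certificate the SAN bytes come from the extension's OCTET STRING; `openssl x509 -in user.pem -noout -text` prints the SAN, although older OpenSSL releases may render the UPN otherName only as an unsupported othername, which is why a decoder that looks for the OID itself is a more reliable check than reading the text output.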

Resolution

vCenter supports authentication by Windows session authentication (SSPI), by smart card (UPN-based Common Access Card, CAC), or by RSA SecurID token; for smart card logon the user certificate must carry a UPN in its Subject Alternative Name. See https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-ACFFCBEC-6C1C-4BF9-9971-04AEE9362AFE.html

Additional Information

vCenter 6.7 Smart Card Authentication fails when sAMAccountName does not match UserPrincipalName