Unable to authenticate to web client using Smartcard/USB token in vCenter Server 6.7

Article ID: 328290

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Users cannot log in to vCenter Server 6.7 with a smartcard/token after upgrading from vCenter Server 6.5 or 6.0.
  • When a user tries to log in to vCenter Server 6.7 with a smartcard/token, authentication fails with the error message "Unable to validate submitted credential".
  • The log file shows entries similar to the following:
vsphere.local 9b8225db-0929-4435-8cc0-c1695933c35e INFO com.vmware.identity.SsoController] Server SPN is HTTP/slk55.vmw.org
vsphere.local 9b8225db-0929-4435-8cc0-c1695933c35e INFO com.vmware.identity.SsoController] Accessing Tenant vsphere.local, brand name string null
INFO com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_US, tenant is vsphere.local
INFO com.vmware.identity.SsoController] Request URL is https://slk55.vmw.org/websso/SAML2/SSOCAC/vsphere.local
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Revocation check: off
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Successfully validated client certificate : CN=SLK.340194304, OU=vmw, C=US
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 WARN com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Unexpected DER type, ignoring (org.bouncycastle.asn1.ASN1ObjectIdentifier): 1.3.6.1.4.1.311.20.2.3
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Searching user with certificate SAN.
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 WARN com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Unexpected DER type, ignoring (org.bouncycastle.asn1.ASN1ObjectIdentifier): 1.3.6.1.4.1.311.20.2.3
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.provider.PooledLdapConnectionFactory] New connection created in pool PooledLdapConnectionIdentity [tenantName=vsphere.local, username=null, authType=USE_KERBEROS, useGCPort=false, connectionString=ldap://WinAD.vmw.org]
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Validating user account altSecurityIdentities attribute.
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: [email protected] '
com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: [email protected] at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.accountValidationWithExplicitX509(IdmClientCertificateValidator.java:468) ~[vmware-identity-idm-server-7.0.0.jar:?] at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.certificateAccountMapping(IdmClientCertificateValidator.java:875) ~[vmware-identity-idm-server-7.0.0.jar:?]
 at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3337) ~[vmware-identity-idm-server-7.0.0.jar:?]
 at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9793) [vmware-identity-idm-server-7.0.0.jar:?]
 at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1306) [vmware-identity-idm-client-7.0.0.jar:?]
 at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticate(CasIdmAccessor.java:481) [websso-

..
...
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_151]
 at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.13]
 at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception.com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: [email protected] at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.accountValidationWithExplicitX509(IdmClientCertificateValidator.java:468) ~[vmware-identity-idm-server-7.0.0.jar:?] at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.certificateAccountMapping(IdmClientCertificateValidator.java:875) ~[vmware-identity-idm-server-7.0.0.jar:?] at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3337) ~[vmware-identity-idm-server-7.0.0.jar:?]
 at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9793) ~[vmware-identity-idm-server-7.0.0.jar:?]
 at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1306) ~[vmware-identity-idm-client-7.0.0.jar:?] at com.v....
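As an added example (not VMware's code), the following Python script triages log lines of the shape shown in the excerpt above and picks out requests that follow the article's failure sequence: the client certificate chain is validated by IdmCertificatePathValidator, then mapping the certificate to the AD account fails on altSecurityIdentities. It also lists requests whose log records "Revocation check: off", since that line appears in the excerpt and is worth reviewing. The line format and the sample lines are assumptions modelled on the excerpt; the account name is a constructed placeholder.

```python
"""Triage of vCenter SSO log lines for the smartcard failure in this article.
Added example, not VMware code. Assumes the line shape seen in the excerpt:
'<tenant> <request-id> <LEVEL> <logger>] <message>'. Sample lines are
constructed to mirror the article; the account name is a placeholder."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<tenant>\S+)\s+(?P<rid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
    r"\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+?)\]\s+(?P<msg>.*)$")

# Constructed sample: one failing request (as in the article) and one healthy one.
SAMPLE_LOG = """\
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Revocation check: off
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Successfully validated client certificate : CN=SLK.340194304, OU=vmw, C=US
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 WARN com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Unexpected DER type, ignoring (org.bouncycastle.asn1.ASN1ObjectIdentifier): 1.3.6.1.4.1.311.20.2.3
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Validating user account altSecurityIdentities attribute.
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: user@example.com '
vsphere.local 7c1d2e3f-1111-4aaa-8bbb-ccccddddeeee INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Revocation check: on
vsphere.local 7c1d2e3f-1111-4aaa-8bbb-ccccddddeeee INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Successfully validated client certificate : CN=OK.1, OU=vmw, C=US
"""

def triage(text):
    """Group lines by SSO request id and record the facts that matter here."""
    reqs = defaultdict(lambda: {"subject": None, "revocation_off": False,
                                "altsec_failed": False, "account": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without tenant/request id (other formats) are skipped
        r, msg = reqs[m["rid"]], m["msg"]
        if msg.startswith("Revocation check: off"):
            r["revocation_off"] = True
        elif msg.startswith("Successfully validated client certificate :"):
            r["subject"] = msg.split(":", 1)[1].strip()
        elif "Failed retrieving altSecurityIdentities attribute for linked account:" in msg:
            r["altsec_failed"] = True
            r["account"] = msg.split("linked account:", 1)[1].strip(" '")
    return dict(reqs)

def kb_symptom_requests(text):
    """Request ids matching the article: cert chain validated, AD mapping failed."""
    return sorted(rid for rid, r in triage(text).items()
                  if r["subject"] and r["altsec_failed"])

def revocation_disabled_requests(text):
    """Request ids whose log records 'Revocation check: off' (worth reviewing)."""
    return sorted(rid for rid, r in triage(text).items() if r["revocation_off"])
```

Run it against the real log by passing the file contents to `kb_symptom_requests`; a non-empty result alongside the "Unable to validate submitted credential" message in the client is the signature this article describes.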


Resolution

This issue is resolved in vCenter Server 6.7 Update 1, available at VMware Downloads.

Workaround:
To work around this issue, remove and re-add the Identity Source. For more information, see Add or Edit a vCenter Single Sign-On Identity Source in the VMware documentation.