Unable to authenticate to web client using Smartcard/USB token in vCenter Server 6.7
Article ID: 328290
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
Users cannot log in to vCenter Server 6.7 with a smartcard or token after upgrading from vCenter Server 6.5 or 6.0.
When a user attempts a smartcard/token login to vCenter Server 6.7, authentication fails with the error message "Unable to validate submitted credential".
The log file shows entries similar to the following:
vsphere.local 9b8225db-0929-4435-8cc0-c1695933c35e INFO com.vmware.identity.SsoController] Server SPN is HTTP/slk55.vmw.org
vsphere.local 9b8225db-0929-4435-8cc0-c1695933c35e INFO com.vmware.identity.SsoController] Accessing Tenant vsphere.local, brand name string null
INFO com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_US, tenant is vsphere.local
INFO com.vmware.identity.SsoController] Request URL is https://slk55.vmw.org/websso/SAML2/SSOCAC/vsphere.local
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Revocation check: off
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Successfully validated client certificate : CN=SLK.340194304, OU=vmw, C=US
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 WARN com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Unexpected DER type, ignoring (org.bouncycastle.asn1.ASN1ObjectIdentifier): 1.3.6.1.4.1.311.20.2.3
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Searching user with certificate SAN.
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 WARN com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Unexpected DER type, ignoring (org.bouncycastle.asn1.ASN1ObjectIdentifier): 1.3.6.1.4.1.311.20.2.3
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.provider.PooledLdapConnectionFactory] New connection created in pool PooledLdapConnectionIdentity [tenantName=vsphere.local, username=null, authType=USE_KERBEROS, useGCPort=false, connectionString=ldap://WinAD.vmw.org]
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Validating user account altSecurityIdentities attribute.
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: [email protected] '
com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: [email protected]
at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.accountValidationWithExplicitX509(IdmClientCertificateValidator.java:468) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.certificateAccountMapping(IdmClientCertificateValidator.java:875) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3337) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9793) [vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1306) [vmware-identity-idm-client-7.0.0.jar:?]
at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticate(CasIdmAccessor.java:481) [websso-
.. ...
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_151]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.13]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception.com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: [email protected]
at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.accountValidationWithExplicitX509(IdmClientCertificateValidator.java:468) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.certificateAccountMapping(IdmClientCertificateValidator.java:875) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3337) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9793) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1306) ~[vmware-identity-idm-client-7.0.0.jar:?]
at com.v....
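Added example (not part of this article or of VMware's code): a small Python triage script that groups the log entries above by request id, flags the signature of this issue (a client certificate that validated successfully followed by the altSecurityIdentities lookup failure) and records whether revocation checking was off for that attempt. The sample lines are constructed to match the excerpt; the request ids, certificate subject and linked account are made up.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the websso entries in this article (not real log data).
SAMPLE_LOG = """\
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Revocation check: off
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Successfully validated client certificate : CN=SLK.340194304, OU=vmw, C=US
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Validating user account altSecurityIdentities attribute.
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: user1@vmw.org '
vsphere.local 7c0f2a11-aaaa-bbbb-cccc-000000000001 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Successfully validated client certificate : CN=OTHER.1, OU=vmw, C=US
"""

# tenant, request id, level, logger (up to the closing bracket) and message.
LINE_RE = re.compile(
    r"^(?P<tenant>\S+) (?P<req>[0-9a-f-]{36}) (?P<level>INFO|WARN|ERROR) (?P<logger>\S+)\] (?P<msg>.*)$"
)
SUBJECT_RE = re.compile(r"Successfully validated client certificate : (?P<subject>.+)$")
ALTSEC_RE = re.compile(r"Failed retrieving altSecurityIdentities attribute for linked account: (?P<account>\S+)")


def triage(log_text):
    """Group entries by SSO request id and summarise each smartcard login attempt."""
    attempts = defaultdict(lambda: {"subject": None, "account": None,
                                    "altsec_failure": False, "revocation_off": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace frames and other lines without the request prefix
        a, msg = attempts[m["req"]], m["msg"]
        if "Revocation check: off" in msg:
            a["revocation_off"] = True  # chain validated without CRL/OCSP; worth reviewing separately
        s = SUBJECT_RE.search(msg)
        if s:
            a["subject"] = s["subject"].strip()
        f = ALTSEC_RE.search(msg)
        if f:
            a["altsec_failure"] = True
            a["account"] = f["account"]
    return dict(attempts)


def kb_signature_hits(log_text):
    """Request ids matching this article: certificate validated, altSecurityIdentities lookup failed."""
    return [req for req, a in triage(log_text).items() if a["subject"] and a["altsec_failure"]]
```

Run it over a real websso log to list the affected request ids and linked accounts before applying the workaround, and again afterwards to confirm the signature no longer appears.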
Resolution
This issue is resolved in vCenter Server 6.7 Update 1, available at VMware Downloads.
Workaround: To work around this issue, remove and re-add the identity source. For more information, see Add or Edit a vCenter Single Sign-On Identity Source in the VMware documentation.