After configuring Smart Card Authentication, users see the error "Unable to validate the submitted credential." when they attempt to log in.
In /var/log/vmware/sso/websso.log you may see entries similar to:
YYYY-MM-DDTHH:MM:SS INFO websso[46:tomcat-http--8] [CorId=dda439d6-0965-48eb-9c5b-3d3700a5290d] [com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Revocation check: off
YYYY-MM-DDTHH:MM:SS INFO websso[46:tomcat-http--8] [CorId=dda439d6-0965-48eb-9c5b-3d3700a5290d] [com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Successfully validated client certificate [CN=username@domain]
YYYY-MM-DDTHH:MM:SS ERROR websso[46:tomcat-http--8] [CorId=dda439d6-0965-48eb-9c5b-3d3700a5290d] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Unable to match an account with certficate SAN extension!'
com.vmware.identity.idm.IDMException: Unable to match an account with certficate SAN extension!
........
........
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.93]
at java.lang.Thread.run(Thread.java:750) [?:1.8.0_392]
Caused by: com.vmware.identity.idm.IdmClientCertificateParsingException: No UPN entry in Subject Alternative Names extension
at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.extractUPN(IdmClientCertificateValidator.java:183) ~[vmware-identity-idm-server-7.0.0.jar:?]
at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.findProvidersFromCertPrincipalName(IdmClientCertificateValidator.java:373) ~[vmware-identity-idm-server-7.0.0.jar:?]
VMware vCenter Server Version: 7.x
VMware vCenter Server Version: 8.x
The error occurs when the "Subject Alternative Name" extension of the certificate presented by the smart card carries the user identity as an RFC822 Name (e.g., username@domain) and no UPN entry. An RFC822 Name is not a User Principal Name (UPN); it carries e-mail address semantics. vCenter does not accept RFC822 Name values for Smart Card authentication, so the account lookup fails and authentication is rejected.
To resolve this issue, re-issue the smart card certificates:
Obtain new smart card certificates that include an "OtherName" entry within the "Subject Alternative Name" extension, and set that entry to the UPN of the corresponding user.
Example:
SubjectAlternativeName [
OtherName: user@domain
]
During authentication, vCenter reads the "OtherName" entry of "SubjectAlternativeName" to extract the UPN and matches it to the corresponding principal in Active Directory.
Refer to https://www.ietf.org/rfc/rfc3280.txt for the format and specifics of the "OtherName" field inside "SubjectAlternativeName".
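The following is an added illustration of the two SAN encodings discussed above; it is not code from the KB article or from VMware. It builds the DER bytes of a SubjectAlternativeName the way a CA would emit them, once with an rfc822Name (the failing case) and once with an otherName carrying the Microsoft UPN type-id 1.3.6.1.4.1.311.20.2.3 (the working case), then decodes both and applies the same rule the stack trace shows: only a UPN otherName yields an identity, anything else raises "No UPN entry in Subject Alternative Names extension". The sample values user@domain and username@domain are constructed; the parser is a minimal DER reader written for this example, not VMware's IdmClientCertificateValidator.

```python
"""Encode and decode the GeneralNames of a SubjectAlternativeName extension
(RFC 3280 section 4.2.1.7) without third-party libraries, to show why an
rfc822Name entry does not satisfy a UPN lookup while an otherName entry does."""

# Microsoft User Principal Name otherName type-id (szOID_NT_PRINCIPAL_NAME)
UPN_OID = "1.3.6.1.4.1.311.20.2.3"


# ---- DER encoding helpers -------------------------------------------------
def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def rfc822_name(addr: str) -> bytes:
    """GeneralName choice [1] rfc822Name: IMPLICIT IA5String, tag 0x81."""
    return _tlv(0x81, addr.encode("ascii"))


def upn_other_name(upn: str) -> bytes:
    """GeneralName choice [0] otherName, tag 0xA0:
    SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }."""
    value = _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))  # [0] EXPLICIT wrapper
    return _tlv(0xA0, _encode_oid(UPN_OID) + value)


def general_names(*names: bytes) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName (the SAN extnValue)."""
    return _tlv(0x30, b"".join(names))


# ---- DER decoding helpers -------------------------------------------------
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_san(der: bytes) -> list:
    """Return a list of (kind, value) pairs, one per GeneralName."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SAN must be a SEQUENCE OF GeneralName")
    pos, names = 0, []
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0x81:
            names.append(("rfc822Name", inner.decode("ascii")))
        elif tag == 0xA0:
            _, oid_body, p = _read_tlv(inner, 0)        # type-id
            _, explicit, _ = _read_tlv(inner, p)        # [0] EXPLICIT value
            _, val, _ = _read_tlv(explicit, 0)          # the UTF8String inside
            names.append(("otherName:" + _decode_oid(oid_body), val.decode("utf-8")))
        else:
            names.append(("unsupported", inner))
    return names


def extract_upn(der: bytes) -> str:
    """Only a UPN otherName counts; an rfc822Name is ignored, as in the KB."""
    for kind, value in parse_san(der):
        if kind == "otherName:" + UPN_OID:
            return value
    raise ValueError("No UPN entry in Subject Alternative Names extension")


if __name__ == "__main__":
    failing = general_names(rfc822_name("username@domain"))   # constructed
    working = general_names(upn_other_name("user@domain"))    # constructed
    for label, san in (("rfc822Name only", failing), ("UPN otherName", working)):
        try:
            print(f"{label}: UPN = {extract_upn(san)}")
        except ValueError as exc:
            print(f"{label}: {exc}")
```

Running the script prints the extracted UPN for the otherName certificate and the same "No UPN entry" message seen in websso.log for the rfc822Name certificate. The same check can be applied to a real certificate by feeding it the raw extnValue of the SAN extension (OID 2.5.29.17) from a DER-encoded certificate.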