Smart Card Authentication Login Error: "Unable to validate the submitted credential."

Article ID: 372242

Updated On: 05-29-2025

Products

VMware vCenter Server

Issue/Introduction

After configuring Smart Card Authentication, users attempting to log in see the error "Unable to validate the submitted credential." even though the certificate itself is accepted by the certificate path validator.

In the logs you may see entries similar to:

/var/log/vmware/sso/websso.log

YYYY-MM-DDTHH:MM:SS INFO websso[46:tomcat-http--8] [CorId=dda439d6-0965-48eb-9c5b-3d3700a5290d] [com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Revocation check: off
YYYY-MM-DDTHH:MM:SS INFO websso[46:tomcat-http--8] [CorId=dda439d6-0965-48eb-9c5b-3d3700a5290d] [com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Successfully validated client certificate [CN=username@domain]
YYYY-MM-DDTHH:MM:SS ERROR websso[46:tomcat-http--8] [CorId=dda439d6-0965-48eb-9c5b-3d3700a5290d] [com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Unable to match an account with certficate SAN extension!'
com.vmware.identity.idm.IDMException: Unable to match an account with certficate SAN extension!
........

........

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.93]
        at java.lang.Thread.run(Thread.java:750) [?:1.8.0_392]
Caused by: com.vmware.identity.idm.IdmClientCertificateParsingException: No UPN entry in Subject Alternative Names extension
        at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.extractUPN(IdmClientCertificateValidator.java:183) ~[vmware-identity-idm-server-7.0.0.jar:?]
        at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.findProvidersFromCertPrincipalName(IdmClientCertificateValidator.java:373) ~[vmware-identity-idm-server-7.0.0.jar:?]
Environment

VMware vCenter Server Version: 7.x
VMware vCenter Server Version: 8.x

Cause

The error occurs when the Subject Alternative Name (SAN) extension of the smart card certificate carries the user's identity only as an RFC822 Name (e.g., username@domain). An RFC822 Name is an e-mail address, not a User Principal Name (UPN). vCenter extracts the UPN from the SAN's OtherName entry (type-id 1.3.6.1.4.1.311.20.2.3, the Microsoft UPN OID); when no such entry is present it raises "No UPN entry in Subject Alternative Names extension", cannot match the certificate to an account, and the login fails. Note that the certificate chain itself validated successfully (the "Successfully validated client certificate" line immediately precedes the error), so the failure is in identity mapping, not in trust or revocation checking.

Resolution

To resolve this issue, re-issue the smart card certificates:

Obtain new smart card certificates whose "Subject Alternative Name" extension contains an "OtherName" entry of type UPN (OID 1.3.6.1.4.1.311.20.2.3). Set the value of this entry to the Active Directory UPN of the corresponding user (e.g., user@domain).

Example:

SubjectAlternativeName [
OtherName: user@domain
]

During authentication vCenter reads the UPN from the "OtherName" entry of "SubjectAlternativeName" and matches it to the corresponding principal in Active Directory.
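The SAN structure described in the Cause and Resolution sections, as an added example (not code from this article or from VMware): a small pure-Python DER encoder and parser for the SubjectAlternativeName GeneralNames value. It builds a failing SAN (rfc822Name only) and a working one (rfc822Name plus OtherName UPN), then applies the selection rule the websso.log entries above imply, accepting only an OtherName whose type-id is the Microsoft UPN OID. The identity user@domain and the function names are the example's own; extract_upn approximates vCenter's behaviour rather than reproducing its code.

```python
"""Build and parse an X.509 subjectAltName (GeneralNames) DER value: shows why an
rfc822Name entry is not a UPN and what the otherName UPN entry looks like.
Standard library only; the identity user@domain is constructed, not a real cert."""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft UPN OID: required otherName type-id
TAG_SEQUENCE, TAG_OID, TAG_UTF8_STRING = 0x30, 0x06, 0x0C
TAG_OTHER_NAME = 0xA0    # GeneralName [0] IMPLICIT OtherName (constructed)
TAG_RFC822_NAME = 0x81   # GeneralName [1] IMPLICIT IA5String (an e-mail address)
TAG_DNS_NAME = 0x82      # GeneralName [2] IMPLICIT IA5String
TAG_EXPLICIT_0 = 0xA0    # [0] EXPLICIT wrapper around the OtherName value

def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(TAG_OID, bytes(body))

def decode_oid(body: bytes) -> str:
    """DER OID content octets -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def rfc822_name(address: str) -> bytes:
    """GeneralName rfc822Name: an e-mail address, which vCenter does not treat as a UPN."""
    return _tlv(TAG_RFC822_NAME, address.encode("ascii"))

def upn_other_name(upn: str) -> bytes:
    """GeneralName otherName { type-id UPN_OID, value [0] EXPLICIT UTF8String upn }."""
    value = _tlv(TAG_EXPLICIT_0, _tlv(TAG_UTF8_STRING, upn.encode("utf-8")))
    return _tlv(TAG_OTHER_NAME, encode_oid(UPN_OID) + value)

def general_names(*names: bytes) -> bytes:
    """SubjectAltName ::= GeneralNames ::= SEQUENCE OF GeneralName."""
    return _tlv(TAG_SEQUENCE, b"".join(names))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        return tag, buf[pos:pos + first], pos + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos:pos + n], "big")
    return tag, buf[pos + n:pos + n + length], pos + n + length

def parse_general_names(san_der: bytes):
    """Yield (kind, value) for every GeneralName in a DER SubjectAltName value."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectAltName value is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag in (TAG_RFC822_NAME, TAG_DNS_NAME):
            yield ("rfc822Name" if tag == TAG_RFC822_NAME else "dNSName"), content.decode("ascii")
        elif tag == TAG_OTHER_NAME:
            _, oid_body, after_oid = _read_tlv(content, 0)   # type-id
            _, explicit, _ = _read_tlv(content, after_oid)   # [0] EXPLICIT value
            _, inner, _ = _read_tlv(explicit, 0)             # UTF8String carrying the UPN
            yield "otherName:" + decode_oid(oid_body), inner.decode("utf-8")
        else:
            yield "tag 0x%02X" % tag, content.hex()

def extract_upn(san_der: bytes) -> str:
    """Approximates the rule behind the websso.log error above (not vCenter's own code):
    only an otherName whose type-id is the UPN OID counts; rfc822Name is ignored."""
    for kind, value in parse_general_names(san_der):
        if kind == "otherName:" + UPN_OID:
            return value
    raise ValueError("No UPN entry in Subject Alternative Names extension")

# Constructed sample SANs for the constructed identity user@domain.
SAN_EMAIL_ONLY = general_names(rfc822_name("user@domain"))                 # vCenter login fails
SAN_WITH_UPN = general_names(rfc822_name("user@domain"), upn_other_name("user@domain"))  # works

if __name__ == "__main__":
    for label, san in (("rfc822Name only", SAN_EMAIL_ONLY), ("with UPN otherName", SAN_WITH_UPN)):
        print(label, list(parse_general_names(san)))
        try:
            print("  UPN:", extract_upn(san))
        except ValueError as exc:
            print("  ERROR:", exc)
```

Running the script prints both SANs decoded and shows that only the second yields a UPN. To apply the same check to an issued certificate, `openssl x509 -in cert.pem -noout -text` lists the SAN entries: OpenSSL 3.x prints the UPN entry as `othername: UPN::user@domain`, while OpenSSL 1.1 prints `othername:<unsupported>` for the same entry (the entry is still present and valid). When the replacement certificates are requested through an OpenSSL configuration, the entry is written as `subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:user@domain`.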

Additional Information

Refer to https://www.ietf.org/rfc/rfc3280.txt for the format and specifics of the "OtherName" field inside "SubjectAlternativeName". RFC 3280 has since been obsoleted by RFC 5280 (https://www.rfc-editor.org/rfc/rfc5280, section 4.2.1.6), which defines the same GeneralName and OtherName structures.