Smartcard authentication in vCenter fails with error message during logon: "User name and password are required"



Article ID: 373735


Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • After enabling smart card authentication in vCenter, logging on with a smart card fails with the error message "User name and password are required".
  • In the browser web console you can see the following error (the browser rejects the certificate presented on port 3128, so the SAML POST to the STS never completes):

websso.js:928

POST https://VCENTER_FQDN:3128/websso/SAML2/SSOCAC/vsphere.local?SAMLRequest=z.................... net::ERR_CERT_AUTHORITY_INVALID

  • The following two commands do not return the same certificate, i.e. the STS on port 3128 presents a different certificate than the reverse proxy on port 443 (the `</dev/null` makes s_client exit after the handshake instead of waiting on stdin):

#openssl s_client -connect VCENTER_FQDN:3128 </dev/null 2>/dev/null | openssl x509 -noout -text

#openssl s_client -connect VCENTER_FQDN:443 </dev/null 2>/dev/null | openssl x509 -noout -text

  • The STS configuration file /usr/lib/vmware-sso/vmware-sts/conf/server.xml refers to the STS_INTERNAL_SSL_CERT VECS store instead of MACHINE_SSL_CERT:

#grep Keystore /usr/lib/vmware-sso/vmware-sts/conf/server.xml

<Certificate certificateKeyAlias="__MACHINE_CERT" certificateKeystoreFile="STS_INTERNAL_SSL_CERT" certificateKeystoreType="VKS" />

Environment

  • vCenter Server 7.x

Cause

The STS listening on vCenter port 3128 is not using the certificate from the VECS store MACHINE_SSL_CERT. It still serves the certificate from the stale STS_INTERNAL_SSL_CERT store, which the browser does not trust (ERR_CERT_AUTHORITY_INVALID), so the smart card SAML request to port 3128 fails and the login page falls back to asking for a user name and password.

Resolution

Remove the STS_INTERNAL_SSL_CERT store from VECS with the attached shell script.

1/ Take a cold snapshot of all VCSA/PSC nodes if using Enhanced Linked Mode (ELM), or a regular snapshot if this is a standalone VCSA.

2/ Run lsdoctor with the -l option to check for stale service registrations in the Lookup Service. If there are no stale registrations, go to the next step. Otherwise run python lsdoctor.py -s and then python lsdoctor.py -t, and continue with the next step.

3/ Download the attached script named Delete_STS_INTERNAL_SSL_CERT.sh and copy it to the vCenter appliance.

4/ Make the script executable with the command chmod +rx Delete_STS_INTERNAL_SSL_CERT.sh

5/ Run the script: ./Delete_STS_INTERNAL_SSL_CERT.sh

  • Note: another way to find out whether the STS_INTERNAL_SSL_CERT store exists is to run the following command, which lists every VECS store with the alias and expiry date of each entry:

for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

  • Note: you may receive the following error when you try to run the script:

bash: ./Delete_STS_INTERNAL_SSL_CERT.sh: /bin/bash^M: bad interpreter: No such file or directory

This error is caused by DOS carriage returns (CRLF line endings) added to the script when it was copied through a Windows-based text editor. To resolve this, strip the carriage returns with the following command and rerun the script:

sed -i -e 's/\r$//' Delete_STS_INTERNAL_SSL_CERT.sh
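The symptom checks above (certificate on port 3128 versus port 443, presence of the STS_INTERNAL_SSL_CERT store) and the CRLF note can be done in one pass. The following shell script is an added example written for this article; it is not the KB's attached Delete_STS_INTERNAL_SSL_CERT.sh and it does not modify VECS. It assumes it runs as root on the VCSA shell, that openssl is available, and that vecs-cli and server.xml are at the paths the article uses; VCENTER_FQDN is a placeholder you replace. The strip_cr helper is the sed fix from the note above, wrapped so it reports how many lines it changed.

```shell
#!/bin/bash
# Added diagnostic for this article (not the attached Delete_STS_INTERNAL_SSL_CERT.sh).
# Assumes: run as root on the VCSA shell; openssl present; vecs-cli and
# server.xml at the paths the article uses. Nothing here modifies VECS.

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli
STS_SERVER_XML=/usr/lib/vmware-sso/vmware-sts/conf/server.xml

# SHA-256 fingerprint of the leaf certificate presented on host:port.
# </dev/null makes s_client exit after the handshake instead of waiting on stdin.
cert_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*Fingerprint=//'
}

# Exit 0 if two fingerprints denote the same certificate (case-insensitive).
fingerprints_match() {
    [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Reads "vecs-cli store list" output on stdin; exit 0 if the named store is listed.
store_listed() {
    grep -qx "$1"
}

# The CRLF fix from the note above: strip DOS carriage returns from a script
# copied through a Windows editor. Prints how many lines had one.
strip_cr() {
    cr=$(printf '\r')
    n=$(grep -c "${cr}\$" "$1" || true)
    sed -i -e 's/\r$//' "$1"
    echo "$n"
}

# Compare 443 vs 3128 and check for the stale store. Returns 1 when this
# article's cause applies (mismatch and STS_INTERNAL_SSL_CERT still present).
diagnose() {
    fqdn="$1"
    mismatch=0
    stale=0
    fp443=$(cert_fingerprint "$fqdn" 443)
    fp3128=$(cert_fingerprint "$fqdn" 3128)
    echo "443  : $fp443"
    echo "3128 : $fp3128"
    if fingerprints_match "$fp443" "$fp3128"; then
        echo "OK: port 3128 presents the same certificate as port 443"
    else
        echo "MISMATCH: port 3128 is not presenting the MACHINE_SSL_CERT certificate"
        mismatch=1
    fi
    if "$VECS_CLI" store list | store_listed STS_INTERNAL_SSL_CERT; then
        echo "VECS store STS_INTERNAL_SSL_CERT is present; STS keystore setting:"
        grep -o 'certificateKeystoreFile="[^"]*"' "$STS_SERVER_XML" || true
        stale=1
    else
        echo "VECS store STS_INTERNAL_SSL_CERT is not present"
    fi
    if [ "$mismatch" = 1 ] && [ "$stale" = 1 ]; then
        echo "This article's cause applies: remove STS_INTERNAL_SSL_CERT with the attached script"
        return 1
    fi
    return 0
}

# Usage: ./sts_cert_check.sh VCENTER_FQDN
if [ -n "${1:-}" ]; then
    diagnose "$1"
fi
```

Run it before and after the attached script: before, you expect MISMATCH plus the store present (exit status 1); after the store is removed and the STS has restarted, both ports should report the same fingerprint and the script exits 0.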


Attachments

Delete_STS_INTERNAL_SSL_CERT.sh