When attempting to log into vCenter using a Smart Card, the error message "User name and password are required" appears.



Article ID: 377069


Products

VMware vCenter Server

Issue/Introduction

Following the application of Security Technical Implementation Guides (STIGs) to the vCenter Server, users are experiencing login issues when accessing the vSphere web UI.

Here's a breakdown of the issue:

  • When trying to log in using Single Sign-On (SSO) credentials, the error message "User name and password are required" appears.
  • Attempting to log in with Lightweight Directory Access Protocol (LDAP) credentials results in the error: "Unable to login because you do not have permission on any vCenter Server systems connected to this client."

Important observations:

  • All vCenter services are starting and stopping normally.
  • The vCenter machine's SSL and Security Token Service (STS) certificates are valid and functioning correctly.

Environment

VMware vCenter Server 7.0.x

Cause

  • The issue arises when VMware vSphere 7.0 vCenter STIGs are incorrectly applied, specifically when STIG rule SV-256363r885700_rule is applied in a scenario where Smart Card or Active Directory Federation Services (ADFS) authentication is set up and in use.
  • STIG rule SV-256363r885700_rule is designed for environments where Smart Card authentication is not enabled and "Password and Windows session authentication" is not disabled.
  • This rule is not applicable when a federated identity provider (like ADFS) is configured and used for identity sources.
  • In essence, the STIG rule is being applied in a situation where it is not intended to be applied, causing conflicts with existing authentication methods.

Resolution

Verifying and Configuring SSO Authentication in vCenter

To ensure proper SSO configuration in vCenter, follow these steps:

1. Verify SSO Configuration:

  • Use SSH to connect to the vCenter Server Appliance using the root account and password.
  • Run the command: 
    /opt/vmware/bin/sso-config.sh -get_authn_policy -t vsphere.local
  • Expected Output: The output should resemble the following:
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.21.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/vmware/lib64/log4j-slf4j-impl-2.21.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Authentication policy on tenant : 'vsphere.local' :
IsPasswordAuthEnabled: true
IsWindowsAuthEnabled: true
IsTLSClientCertAuthnEnabled: false
IsSecurIDAuthnEnabled: false
revocationCheckEnabled: true
useOCSP: false

2. Correcting SSO Configuration (if necessary):

  • If the output of the verification command differs from the expected output, modify the SSO configuration using the command: 
    /opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn true -certAuthn false -securIDAuthn false -t vsphere.local
  • This command enables password authentication and Windows authentication and disables certificate-based and SecurID authentication, which matches the expected output shown in step 1.

3. Restart vCenter Services:

  • Finally, restart all vCenter services by running the command: 
    service-control --stop --all && service-control --start --all
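
As an added example (not part of the KB article), the following POSIX shell function compares the output of the step 1 command against the expected policy values and reports each field that has drifted, so an administrator can confirm that the STIG misapplication is actually the cause before running the step 2 command. The sample outputs in the comments are constructed for illustration.

```shell
#!/bin/sh
# check_authn_policy: compare sso-config.sh -get_authn_policy output with the
# policy the article expects. SLF4J warning lines and any other output are ignored;
# only "Key: value" lines for the four authentication flags are examined.
#
# Argument 1: the raw output of
#   /opt/vmware/bin/sso-config.sh -get_authn_policy -t vsphere.local
# Prints one "DRIFT <field>: expected <x>, found '<y>'" line per mismatch.
# Returns 0 when every field matches the expected value, 1 otherwise.
check_authn_policy() {
    output=$1
    drift=0
    # Expected values, taken from the article's "Expected Output" block.
    for pair in IsPasswordAuthEnabled=true \
                IsWindowsAuthEnabled=true \
                IsTLSClientCertAuthnEnabled=false \
                IsSecurIDAuthnEnabled=false; do
        key=${pair%%=*}
        want=${pair#*=}
        # Pull the value after "Key: " (first match only); empty if the line is absent.
        have=$(printf '%s\n' "$output" | sed -n "s/^${key}: *//p" | head -n 1)
        if [ "$have" != "$want" ]; then
            echo "DRIFT $key: expected $want, found '${have:-missing}'"
            drift=1
        fi
    done
    return $drift
}

# Usage on the appliance (as root over SSH):
#   check_authn_policy "$(/opt/vmware/bin/sso-config.sh -get_authn_policy -t vsphere.local)" \
#       && echo "policy matches expected output; no change needed"
# A non-zero exit with DRIFT lines is the signal to run the step 2
# -set_authn_policy command and then restart services as in step 3.
```

Only run the step 2 command when this check reports drift; a clean result means the authentication policy is not the cause of the login error.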