Unable to login to vCenter Server with smartcard when CRL verification is enabled



Article ID: 379171


Updated On:

Products

VMware vSphere ESXi, VMware vCenter Server 7.0

Issue/Introduction

  • While trying to log in to vCenter Server with a smartcard while CRL validation is enabled, the following error is thrown:

Unable to validate the submitted credential

  • Disabling CRL validation allows users to log in with a smartcard (see the vSphere authentication documentation):

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-E4A31E92-8F0F-49D8-A506-9A4235D6B3E3.html

  • In the vCenter Server /var/log/vmware/sso/websso.log file, lines similar to the following appear:

<timestamp> INFO websso[58:tomcat-http--18] [CorId=CorId_ID] [com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Adding CRL: https://CRL_URL/crl

<timestamp> ERROR websso[58:tomcat-http--18] [CorId=CorId_ID] [com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] CRL validation failed. Underlying reason: Unable to validate certificate path. Message: [Could not determine revocation status] Reason: [UNDETERMINED_REVOCATION_STATUS]
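The two log lines above share a CorId (and Tomcat thread), which is what lets you tie the failure back to the CRL that was being checked. The following is an added example, not VMware's code: a stdlib-only Python triage script that reads websso.log lines in the layout shown above (the regex is an assumption based on that excerpt), remembers the "Adding CRL" URL per CorId, and reports every CRL validation failure together with the URL and the bracketed reason. The sample lines are constructed.

```python
"""Triage vCenter websso.log for smartcard CRL validation failures.

Added example, not VMware's code. Assumes the line layout shown in the
article excerpt: "<timestamp> LEVEL websso[pid:thread] [CorId=...] [class] message".
Standard library only; the sample log lines below are constructed.
"""
import re
from collections import defaultdict

# Assumed layout (hypothetical regex matching the article's excerpt).
# The timestamp is matched non-greedily so bracketed or space-containing
# timestamp formats still parse.
LINE_RE = re.compile(
    r"^(?P<ts>.+?)\s+(?P<level>INFO|WARN|ERROR)\s+"
    r"websso\[(?P<pid>\d+):(?P<thread>[^\]]+)\]\s+"
    r"\[CorId=(?P<corid>[^\]]+)\]\s+\[(?P<cls>[^\]]+)\]\s+(?P<msg>.*)$"
)
CRL_ADD_RE = re.compile(r"Adding CRL:\s*(?P<url>\S+)")
# Case-sensitive on purpose: "Underlying reason:" must not match, only the
# trailing "Reason: [...]" code does.
REASON_RE = re.compile(r"Reason:\s*\[(?P<reason>[^\]]+)\]")


def parse_line(line):
    """Split one websso.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Return a list of (corid, crl_url, reason) tuples, one per failed CRL check.

    The 'Adding CRL' line and the failure line share a CorId, so the URL is
    remembered per CorId and attached to the failure that follows it.
    """
    last_crl = {}
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        added = CRL_ADD_RE.search(rec["msg"])
        if added:
            last_crl[rec["corid"]] = added.group("url")
            continue
        if rec["level"] == "ERROR" and "CRL validation failed" in rec["msg"]:
            r = REASON_RE.search(rec["msg"])
            reason = r.group("reason") if r else "UNKNOWN"
            url = last_crl.get(rec["corid"], "<no CRL URL seen for this CorId>")
            findings.append((rec["corid"], url, reason))
    return findings


def summarize(findings):
    """Count failures per (CRL URL, reason) so a single stale CRL stands out."""
    counts = defaultdict(int)
    for _, url, reason in findings:
        counts[(url, reason)] += 1
    return dict(counts)


# Constructed sample: one login that fails on the CRL check and one that
# succeeds (the "validated" line is invented for the example).
SAMPLE_LOG = [
    "2024-05-01T10:15:02.101Z INFO websso[58:tomcat-http--18] [CorId=abc123] "
    "[com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] "
    "Adding CRL: https://crl.example.test/ca.crl",
    "2024-05-01T10:15:02.350Z ERROR websso[58:tomcat-http--18] [CorId=abc123] "
    "[com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] "
    "CRL validation failed. Underlying reason: Unable to validate certificate path. "
    "Message: [Could not determine revocation status] Reason: [UNDETERMINED_REVOCATION_STATUS]",
    "2024-05-01T10:16:40.004Z INFO websso[58:tomcat-http--21] [CorId=def456] "
    "[com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] "
    "Adding CRL: https://crl.example.test/ca.crl",
    "2024-05-01T10:16:40.210Z INFO websso[58:tomcat-http--21] [CorId=def456] "
    "[com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] "
    "Certificate path validated",
    "this line does not match the expected layout and is skipped",
]

if __name__ == "__main__":
    for corid, url, reason in triage(SAMPLE_LOG):
        print(f"CorId={corid} CRL={url} reason={reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a copy of /var/log/vmware/sso/websso.log (for example by reading the file into a list and passing it to `triage`). The CRL URL it reports is the one to inspect: downloading that file and running `openssl crl -inform DER -noout -lastupdate -nextupdate` on it shows whether the CRL's next-update time has already passed, which is the outdated-CRL condition this article describes.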


Environment

vCenter Server 7.x

Cause

  • The CRL is outdated, so vCenter Server cannot determine the revocation status of the certificate and therefore cannot confirm that it is valid.

Resolution

  • Generate a new CRL from your identity source.
  • Restart the STS service:
    # service-control --restart vmware-stsd