Unable to login to vCenter Server with smartcard when CRL verification is enabled

search cancel

Unable to login to vCenter Server with smartcard when CRL verification is enabled

book

Article ID: 379171

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

While trying to login to vCenter Server with smartcard with CRL validation enabled the following error is thrown:

Unable to validate the submitted credential

Disabling CRL validation allows users to login with smart card Smart Card Authentication Login

In vCenter Server /var/log/vmware/sso/websso.log file you can see lines similar to :

<timestamp> INFO websso[58:tomcat-http--18] [CorId=CorId_ID] [com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Adding CRL: https://CRL_URL/crl

<timestamp> ERROR websso[58:tomcat-http--18] [CorId=CorId_ID] [com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] CRL validation failed. Underlying reason: Unable to validate certificate path. Message: [Could not determine revocation status] Reason: [UNDETERMINED_REVOCATION_STATUS]

Cause

CRL is outdated or not configured and vCenter cannot confirm that the certificate is valid

Resolution

Generate a new CRL from your identity source
- See Set Revocation Policies for Smart Card Authentication
restart sts service using vCenter cli when logged in as root
#service-control --restart vmware-stsd

Feedback

thumb_up Yes

thumb_down No