"Unable to validate submitted credentials" for some users using Smart Card (signed by the same CAs) to login to vCenter

Article ID: 383877

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Some users can authenticate to vCenter with a Smart Card and some users cannot, even though their certificates appear to be signed by the same CAs.

Environment

vCenter Server 8.x
vCenter Server 7.x

Cause

Validating the Smart Card user certificates shows that the Common Name (CN) in the CA's Subject Name was reused by a new Certificate Authority. To check this, follow the Trusted Certificate Authority validation steps (keytool) in the article "Smart Card Authentication stops working after upgrading to vCenter Server 7.0u3i".

The keytool output shows that the thumbprints of the Trusted CAs do not match the thumbprint of the user's Smart Card certificate issued by the CA that re-uses the CN (Common Name) Subject Name.

vCenter Server does not support re-use of a CN (Common Name) Subject Name in subsequent root certificates by the same CA; doing so results in unexpected certificate chaining issues.
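The check described above can be run over saved `keytool -list -v` output. The following is an added example, not VMware tooling: it groups trusted CA entries by CN and reports any CN carried by more than one thumbprint. The sample listing is constructed and trimmed to the fields used, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `keytool -list -v` output, trimmed to the
# fields used below (not real certificates).
SAMPLE = """\
Alias name: root-old
Owner: CN=Example Root CA, O=Example Corp
Certificate fingerprints:
\t SHA256: AA:AA:AA:01

Alias name: root-new
Owner: CN=Example Root CA, O=Example Corp
Certificate fingerprints:
\t SHA256: BB:BB:BB:02

Alias name: other-root
Owner: CN=Other Root CA, O=Example Corp
Certificate fingerprints:
\t SHA256: CC:CC:CC:03
"""

FIELD = re.compile(r"(?m)^[ \t]*(Alias name|Owner|SHA256):[ \t]*(.+?)[ \t]*$")

def cn_of(dn):
    """Extract the CN from a DN string as keytool prints it, lower-cased."""
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1).strip().lower() if m else None

def parse_entries(text):
    """Return one dict of fields per keystore entry."""
    blocks = re.split(r"(?m)^(?=Alias name:)", text)
    entries = [dict(FIELD.findall(b)) for b in blocks]
    return [e for e in entries if "Owner" in e and "SHA256" in e]

def reused_cns(entries):
    """Map each CN carried by more than one distinct CA certificate to {thumbprint: alias}."""
    by_cn = defaultdict(dict)
    for e in entries:
        by_cn[cn_of(e["Owner"])][e["SHA256"].upper()] = e.get("Alias name", "?")
    return {cn: fps for cn, fps in by_cn.items() if cn and len(fps) > 1}

def candidate_issuers(user_issuer_dn, entries):
    """Aliases of trusted CAs whose CN equals the Issuer CN of a user certificate."""
    cn = cn_of(user_issuer_dn)
    return sorted(e.get("Alias name", "?") for e in entries if cn_of(e["Owner"]) == cn)

if __name__ == "__main__":
    print(reused_cns(parse_entries(SAMPLE)))
```

If `candidate_issuers` returns more than one alias for the Issuer shown on a failing user's certificate, that user's certificate was issued under a reused CN.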

Resolution

Re-issue the Smart Card user certificates from the new Certificate Authority for all Smart Card users whose certificates were issued by the old Certificate Authority.

Additional Information