Unable to get vCenter smart card access to work

Article ID: 413211

Products

VMware vCenter Server

Issue/Introduction

Smart card logons to vCenter are rejected with HTTP 401 ("Unable to validate the submitted credential"), and the following entries are written to /var/log/vmware/sso/websso.log on the vCenter Server Appliance:

2025-09-23T21:23:37.783Z ERROR websso[60:tomcat-http--22] [CorId=###][com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Ignoring exception while iterating providers: Failed in account linking using certificate SAN

2025-09-23T21:23:37.791Z ERROR websso[60:tomcat-http--22] [CorId=#####] [com.vmware.identity.samlservice.AuthnRequestState] Caught Exception from authenticate java.lang.IllegalArgumentException: user principalId

2025-09-23T21:23:37.791Z INFO websso[60:tomcat-http--22] [CorId=#####] [com.vmware.identity.samlservice.impl.SAMLAuthnResponseSender] Responded with ERROR 401 message Unable to validate the submitted credential.
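To pick this failure out of a busy websso.log, here is an added Python triage script (not part of this article and not VMware code) that groups entries by CorId and reports the correlation IDs where SAN account linking failed and the same request was then answered with 401. The sample log is constructed from the entries above with made-up CorId values; the regular expression assumes the line layout shown above.

```python
"""Triage of vCenter websso.log for smart card SAN account-linking failures (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the entries above; CorId values are made up.
# The fourth line is a 401 from a different request with no SAN-linking error,
# so it must not be reported.
SAMPLE_LOG = """\
2025-09-23T21:23:37.783Z ERROR websso[60:tomcat-http--22] [CorId=a1b2c3][com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Ignoring exception while iterating providers: Failed in account linking using certificate SAN
2025-09-23T21:23:37.791Z ERROR websso[60:tomcat-http--22] [CorId=a1b2c3] [com.vmware.identity.samlservice.AuthnRequestState] Caught Exception from authenticate java.lang.IllegalArgumentException: user principalId
2025-09-23T21:23:37.791Z INFO websso[60:tomcat-http--22] [CorId=a1b2c3] [com.vmware.identity.samlservice.impl.SAMLAuthnResponseSender] Responded with ERROR 401 message Unable to validate the submitted credential.
2025-09-23T21:25:02.110Z INFO websso[60:tomcat-http--23] [CorId=d4e5f6] [com.vmware.identity.samlservice.impl.SAMLAuthnResponseSender] Responded with ERROR 401 message Unable to validate the submitted credential.
"""

# Layout assumed from the lines above: timestamp, level, websso[thread], [CorId=...],
# optional space, [java class], message. Some lines have no space before the class.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+websso\[[^\]]*\]\s+"
    r"\[CorId=(?P<corid>[^\]]*)\]\s*\[(?P<cls>[^\]]+)\]\s+(?P<msg>.*)$"
)

SAN_LINK_FAILURE = "Failed in account linking using certificate SAN"
REJECTED_401 = "Responded with ERROR 401"


def parse_websso(text):
    """Yield one dict (ts, level, corid, cls, msg) per parseable websso.log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def san_linking_failures(text):
    """Return the CorIds whose request both failed SAN account linking and ended in a 401."""
    messages_by_corid = defaultdict(list)
    for rec in parse_websso(text):
        messages_by_corid[rec["corid"]].append(rec["msg"])
    hits = []
    for corid, msgs in messages_by_corid.items():
        linking_failed = any(SAN_LINK_FAILURE in m for m in msgs)
        rejected = any(REJECTED_401 in m for m in msgs)
        if linking_failed and rejected:
            hits.append(corid)
    return hits


if __name__ == "__main__":
    for corid in san_linking_failures(SAMPLE_LOG):
        print(f"CorId {corid}: certificate SAN could not be linked to an account; "
              f"check the UPN suffix against the configured identity sources")
```

Run it against a real file with `san_linking_failures(open("/var/log/vmware/sso/websso.log").read())`; a 401 on its own is not diagnostic, which is why the script requires the linking error under the same CorId.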

Environment

vCenter 8.x

Cause

vCenter smart card authentication takes the UPN (User Principal Name) from the certificate's Subject Alternative Name and looks the account up in the identity source registered for that UPN suffix. When a user who lives in a child domain carries the parent domain's UPN suffix, the lookup goes to the parent-domain identity source, which cannot see objects in the child domain's naming context, so the account is not found and account linking fails with the errors above.

Resolution

Configure vCenter SSO with two identity sources of type Active Directory over LDAP (LDAPS):

  • Point the first identity source at the parent domain, example.com.
  • Point the second identity source at the child domain, child.example.com.
  • Use a global catalog port for both: 3268 (LDAP) or 3269 (LDAPS). Prefer 3269 so that directory traffic and the service account's bind are encrypted. The global catalog is what allows a search rooted at the forest root to return objects from the child domain.
  • Set the Base DN for users and the Base DN for groups on both identity sources to the top of the forest, 'DC=example,DC=com'.
  • Create a user in the Active Directory child domain and set its UPN (User Principal Name) suffix to the parent domain, i.e. '[email protected]'.
  • Add the user to a group in the Active Directory child domain.
  • Add that Active Directory group to an SSO group in vCenter that carries the permissions the user needs.
  • Test vCenter smart card authentication with that user's certificate; the account-linking errors above should no longer appear in websso.log.
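The following is an added Python model (not VMware code and not part of this article) of why the layout above works. It routes a UPN to the identity source registered for its suffix, then applies the rule that a domain controller on 389/636 answers only for its own naming context, whereas a global catalog search on 3268/3269 covers every domain at or below the base DN. The domain names, UPNs and the single-source "before" layout are assumed for illustration; real vCenter behaviour has more cases (aliases, multiple UPN suffixes) than this model.

```python
"""Simplified model of UPN-suffix routing across AD over LDAP identity sources (added example)."""
from dataclasses import dataclass

GC_PORTS = {3268, 3269}   # global catalog: LDAP / LDAPS, forest-wide partial replica
DC_PORTS = {389, 636}     # single domain controller: LDAP / LDAPS, one naming context


@dataclass(frozen=True)
class IdentitySource:
    domain: str      # domain name (UPN suffix) the source is registered for
    port: int
    base_dn: str     # Base DN used for both users and groups


def domain_to_dn(domain: str) -> str:
    """child.example.com -> DC=child,DC=example,DC=com"""
    return ",".join(f"DC={label}" for label in domain.split("."))


def dn_to_domain(dn: str) -> str:
    """DC=example,DC=com -> example.com (non-DC RDNs such as OU= are ignored)."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC="))


def in_scope(source: IdentitySource, account_domain: str) -> bool:
    """Can a subtree search on this source return an account from account_domain?"""
    base_domain = dn_to_domain(source.base_dn).lower()
    account_domain = account_domain.lower()
    if source.port in GC_PORTS:
        # The global catalog replicates (a partial attribute set of) every domain in
        # the forest, so a search from the base DN reaches the base domain and its children.
        return account_domain == base_domain or account_domain.endswith("." + base_domain)
    # A plain DC port only serves its own naming context: child-domain objects are absent.
    return account_domain == base_domain


def resolve(sources, upn: str, account_domain: str):
    """Return (ok, reason). Routing is by UPN suffix, as for a smart card SAN UPN."""
    suffix = upn.rsplit("@", 1)[1].lower()
    source = next((s for s in sources if s.domain.lower() == suffix), None)
    if source is None:
        return False, f"no identity source registered for UPN suffix '{suffix}'"
    if not in_scope(source, account_domain):
        return False, (f"source {source.domain}:{source.port} (base {source.base_dn}) "
                       f"cannot see accounts in {account_domain}")
    return True, f"resolved via {source.domain}:{source.port} (base {source.base_dn})"


def lint(sources):
    """Layout warnings independent of any particular logon."""
    warnings = []
    for s in sources:
        if s.port in (389, 3268):
            warnings.append(f"{s.domain}:{s.port} is unencrypted LDAP; use 636/3269 (LDAPS)")
    return warnings


# Assumed layouts (illustrative names): one parent-domain source on LDAPS 636, which is
# the failing case, and the two global-catalog sources described in this article.
FOREST_ROOT = "DC=example,DC=com"
SINGLE_PARENT_SOURCE = [IdentitySource("example.com", 636, FOREST_ROOT)]
RECOMMENDED = [
    IdentitySource("example.com", 3269, FOREST_ROOT),
    IdentitySource("child.example.com", 3269, FOREST_ROOT),
]

if __name__ == "__main__":
    # Assumed test account: lives in child.example.com, UPN carries the parent suffix.
    for name, layout in (("single parent source", SINGLE_PARENT_SOURCE),
                         ("two global catalog sources", RECOMMENDED)):
        ok, why = resolve(layout, "alice@example.com", "child.example.com")
        print(f"{name}: {'OK' if ok else 'FAIL'} - {why}")
        for w in lint(layout):
            print(f"  warning: {w}")
```

The model only covers the user lookup. The global catalog carries the partial attribute set, which includes userPrincipalName, so the SAN UPN can be matched there; group resolution for the SSO group mapping is handled by the child-domain source, which is why the article configures both.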

Additional Information

Considerations when migrating a vCenter Identity Source from Integrated Windows Authentication to AD over LDAP / OpenLDAP

Integrated Windows Authentication resolves users and groups across the whole forest. To replicate that with AD over LDAP, the identity sources need to be configured in a particular way, such as the global catalog ports and forest-root base DNs used in the Resolution above.