Smart Card Authentication Login Error: "Unable to validate the submitted credential." for few users

Article ID: 416062

Products

VMware vCenter Server

Issue/Introduction

  • Users are unable to login to vCenter Server using smartcard-configured Single Sign-On (SSO) authentication after being issued new PIV cards.
  • The following error is observed when affected users attempt to log in:
Unable to validate the submitted credential.
  • In the /var/log/vmware/sso/websso.log file on the vCenter Server, the following entry appears for failed logins:
YYYY-MM-DDTHH:MM:SS INFO websso[51:tomcat-http -- 15] [CorId=f844ae87-####-####-####-97674f0f6f54] [auditlogger] {\"user\":\"\",\"client\":\"192.###.###.##\",\"timestamp\":\"MM/DD/YYYY HH:MM:SS\",\"description\":\"User @192.###.###.## failed to log in with response code 401\",\"eventSeverity\":\"INFO\",\"type\":\"com.vmware.sso.LoginFailure\"}
  • Users with older PIV cards are able to log in successfully; for them, /var/log/vmware/sso/websso.log shows successful authentication entries similar to the example below:
YYYY-MM-DDTHH:MM:SS INFO websso[42:tomcat-http -- 6] [CorId=03e13975-####-####-####-3c3b6368c0fc] [auditlogger] {\"user\":\"user@domain\",\"client\":\"192.###.###.###\",\"timestamp\":\"MM/DD/YYYY HH:MM:SS\",\"description\":\"User user.domain@192.###.###.### logged in with response code 200\",\"eventSeverity\":\"INFO\",\"type\":\"com.vmware.sso.LoginSuccess\"}

Cause

  • The HTTP 401 Unauthorized error indicates that the authentication request sent to the vCenter SSO service lacked valid credentials or that the provided credentials could not be validated.
  • The issue occurs because the new PIV cards were issued with updated certificates signed by a new or different Certificate Authority (CA).
  • These new CA certificates are not currently trusted by the vCenter Server’s SSO service, which prevents validation of the client certificates during smartcard-based authentication.
  • The existing vCenter configuration still contains only the old CA certificates in its trusted client CA store, allowing successful authentication for users with old PIV cards but failing for those with new ones.
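Added triage example (not part of this article and not VMware code): a Python script that pulls the auditlogger JSON out of websso.log lines and separates the empty-user 401 failures described above, where the card certificate is rejected before any identity is mapped, from successful logins and from failures where a user was identified. The sample lines, addresses, CorIds and user names are constructed placeholders.

```python
import json
import re
from collections import defaultdict
# Constructed sample lines shaped like the websso.log entries quoted in this article;
# the addresses, CorIds, users and timestamps are placeholders, not real vCenter output.
SAMPLE_LOG = r'''
2024-05-01T09:12:01 INFO websso[51:tomcat-http -- 15] [CorId=f844ae87-0000-0000-0000-97674f0f6f54] [auditlogger] {\"user\":\"\",\"client\":\"192.0.2.10\",\"timestamp\":\"05/01/2024 09:12:01\",\"description\":\"User @192.0.2.10 failed to log in with response code 401\",\"eventSeverity\":\"INFO\",\"type\":\"com.vmware.sso.LoginFailure\"}
2024-05-01T09:12:40 INFO websso[42:tomcat-http -- 6] [CorId=03e13975-0000-0000-0000-3c3b6368c0fc] [auditlogger] {\"user\":\"alice@corp.example\",\"client\":\"192.0.2.11\",\"timestamp\":\"05/01/2024 09:12:40\",\"description\":\"User alice.corp@192.0.2.11 logged in with response code 200\",\"eventSeverity\":\"INFO\",\"type\":\"com.vmware.sso.LoginSuccess\"}
2024-05-01T09:13:05 INFO websso[51:tomcat-http -- 15] [CorId=9a1b2c3d-0000-0000-0000-000000000001] [auditlogger] {\"user\":\"\",\"client\":\"192.0.2.10\",\"timestamp\":\"05/01/2024 09:13:05\",\"description\":\"User @192.0.2.10 failed to log in with response code 401\",\"eventSeverity\":\"INFO\",\"type\":\"com.vmware.sso.LoginFailure\"}
2024-05-01T09:14:00 INFO websso[51:tomcat-http -- 15] [CorId=9a1b2c3d-0000-0000-0000-000000000002] [auditlogger] {\"user\":\"bob@corp.example\",\"client\":\"192.0.2.12\",\"timestamp\":\"05/01/2024 09:14:00\",\"description\":\"User bob.corp@192.0.2.12 failed to log in with response code 401\",\"eventSeverity\":\"INFO\",\"type\":\"com.vmware.sso.LoginFailure\"}
'''
AUDIT_RE = re.compile(r'\[auditlogger\]\s*(\{.*\})\s*$')
CODE_RE = re.compile(r'response code\s*(\d{3})')

def parse_audit_line(line):
    """Return the audit JSON of one websso.log line as a dict (plus 'status'), or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    payload = m.group(1).replace('\\"', '"')  # the log escapes the embedded quotes
    try:
        event = json.loads(payload)
    except json.JSONDecodeError:
        return None
    code = CODE_RE.search(event.get('description', ''))
    event['status'] = int(code.group(1)) if code else None
    return event

def summarize(log_text):
    """Per client: successes, failures, and 401s where no identity was mapped."""
    stats = defaultdict(lambda: {'success': 0, 'failure': 0, 'no_identity_401': 0})
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None:
            continue
        s = stats[ev.get('client', '?')]
        if ev.get('type', '').endswith('LoginSuccess'):
            s['success'] += 1
        else:
            s['failure'] += 1
            # Empty user + 401: the cert was rejected before an identity could be mapped (untrusted CA symptom)
            if ev['status'] == 401 and not ev.get('user'):
                s['no_identity_401'] += 1
    return dict(stats)

def suspected_untrusted_ca(log_text):
    """Clients whose attempts were all identity-less 401s, the pattern seen with the new PIV cards."""
    return sorted(c for c, s in summarize(log_text).items()
                  if s['no_identity_401'] and s['success'] == 0)
```

Run it against a real websso.log by passing the file contents to `summarize`; a client that only ever produces identity-less 401s is a candidate for the untrusted-CA case, while a 401 with a user name filled in points at a different failure.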

Resolution

  • To enable smartcard SSO authentication for users with new PIV cards, the new CA certificates must be added to the vCenter Server’s trusted client CA store.
  • Follow the VMware by Broadcom documentation for configuring smartcard authentication and updating the trusted certificate store:

Important note: After the new certificate is added, users with the old PIV cards will no longer be able to authenticate; new PIV cards will need to be issued to them.