vCenter Server smartcard authentication fails after transition to IPv6-only network

Article ID: 432499
Products

VMware vCenter Server

Issue/Introduction

vCenter Server fails to validate smartcard logins specifically after the appliance is transitioned from a dual-stack to an IPv6-only network configuration.

Symptoms:

  • Users are unable to authenticate using smartcards.

  • The following error is logged in /var/log/vmware/sso/websso.log: [Unable to determine revocation status due to network error]

  • Testing the connection from vCenter to the CRL location with the command curl -6 -I crl_fqdn succeeds.

  • Running tcpdump -n ip6 host ipv6_address on vCenter shows no traffic from the vCenter Server to the CRL server while a smartcard authentication is attempted.

Environment

  • Product: vCenter Server 8.x

  • Network: IPv6-only

  • Feature: Smartcard / Certificate-based Authentication

Cause

Internal authentication services fail to route the Certificate Revocation List (CRL) check. While the OS-level routing is healthy, the application's internal DNS resolution prioritizes the CA's legacy IPv4 (A) record. In an IPv6-only environment, the appliance cannot route to this IPv4 address, causing the revocation check to fail.

Note: You can confirm that the CRL validation failure is the cause by temporarily disabling the CRL check. If logins succeed while the check is disabled, the routing conflict is confirmed.

Resolution

To resolve this issue, bypass the DNS lookup that returns the unreachable IPv4 address by entering the CA's IPv6 address directly in the CRL URL.

Step 1: Verify the cause by temporarily disabling CRL (vCenter 8)

  1. Log in to the vSphere Client with administrator privileges.

  2. Navigate to Administration > Single Sign-On > Configuration.

  3. Click the Smart Card Authentication tab.

  4. Click Edit.

  5. Uncheck the Enable Certificate Revocation List (CRL) check box.

  6. Click Save.

  7. Attempt a smartcard login. If successful, proceed to Step 2 to implement the permanent fix.

Step 2: Apply the permanent IPv6 resolution

  1. Return to the Smart Card Authentication tab under Single Sign-On > Configuration.

  2. Ensure the Enable Certificate Revocation List (CRL) check box is checked.

  3. In the CRL address field, enter the CA's IPv6 address directly using the bracketed format:

    • Format: http://[IPv6-Address]/path.crl

  4. Click Save.
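The checks above (curl -6 against the CRL host, confirming the CRL can actually be fetched and parsed over IPv6) and the bracketed-address URL format from Step 2 can be scripted from the appliance shell. The following POSIX sh script is an added example and not part of the original article or a VMware tool; the host name crl.example.test, the address 2001:db8::10 and the URL paths are constructed placeholders, and it assumes curl, openssl and getent (glibc) are available on the appliance.

```shell
#!/bin/sh
# Added example: diagnose and pre-validate an IPv6-only CRL path before
# changing the vCenter Smart Card Authentication CRL address.

# Show which address families DNS returns for the CRL host. A host that has
# an A record but no AAAA record cannot be reached from an IPv6-only appliance.
crl_dns_records() {
  fqdn="$1"
  printf 'A    records for %s: ' "$fqdn"; getent ahostsv4 "$fqdn" | awk '{print $1}' | sort -u | tr '\n' ' '; echo
  printf 'AAAA records for %s: ' "$fqdn"; getent ahostsv6 "$fqdn" | awk '{print $1}' | sort -u | tr '\n' ' '; echo
}

# Rewrite the host name in an http(s) CRL URL to a bracketed IPv6 literal,
# preserving scheme, optional port and path (the format vCenter expects).
# Usage: crl_ipv6_url "http://crl.example.test/ca.crl" "2001:db8::10"
crl_ipv6_url() {
  url="$1"; addr="$2"
  scheme="${url%%://*}"
  rest="${url#*://}"
  case "$rest" in
    */*) hostport="${rest%%/*}"; path="/${rest#*/}" ;;
    *)   hostport="$rest";       path="" ;;
  esac
  case "$hostport" in
    *:*) port=":${hostport##*:}" ;;   # explicit port such as host:8080
    *)   port="" ;;
  esac
  printf '%s://[%s]%s%s\n' "$scheme" "$addr" "$port" "$path"
}

# Fetch the CRL over IPv6 only (the same path the SSO service must use) and
# confirm the payload parses as a CRL. Returns 0 on success, 1 on any failure.
crl_check_ipv6() {
  url="$1"
  tmp="$(mktemp)" || return 1
  if ! curl -6 -sS --fail --max-time 10 -o "$tmp" "$url"; then
    echo "FAIL: could not fetch $url over IPv6" >&2
    rm -f "$tmp"; return 1
  fi
  # CRLs are normally DER-encoded; fall back to PEM before giving up.
  if openssl crl -inform DER -in "$tmp" -noout -nextupdate 2>/dev/null \
     || openssl crl -inform PEM -in "$tmp" -noout -nextupdate 2>/dev/null; then
    rm -f "$tmp"; return 0
  fi
  echo "FAIL: data fetched from $url is not a parsable CRL" >&2
  rm -f "$tmp"; return 1
}

# Example run, only when CRL_URL and CRL_IPV6 are set in the environment:
#   CRL_URL=http://crl.example.test/ca.crl CRL_IPV6=2001:db8::10 sh crl_ipv6_check.sh
if [ -n "${CRL_URL:-}" ] && [ -n "${CRL_IPV6:-}" ]; then
  host="${CRL_URL#*://}"; host="${host%%/*}"; host="${host%%:*}"
  crl_dns_records "$host"
  fixed="$(crl_ipv6_url "$CRL_URL" "$CRL_IPV6")"
  echo "CRL address to enter in the vSphere Client: $fixed"
  crl_check_ipv6 "$fixed" && echo "OK: CRL reachable and parsable over IPv6"
fi
```

If crl_dns_records shows only A records for the CA host, the symptom in this article is expected; if crl_check_ipv6 succeeds against the bracketed URL, that URL is the value to enter in the CRL address field in Step 2.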