After upgrading from vCenter Server 7.x to vCenter Server 8.0.x, PIV/Smart Card authentication fails. The vSphere Client UI displays the error "Unable to validate the submitted credential". The Single Sign-On (SSO) log (/var/log/vmware/sso/websso.log) shows connection failures to the Active Directory domain controller, explicitly logging "cannot establish connection with URI".
VMware vCenter Server 8.0.3.00400 (Update 3)
Active Directory over LDAPS (Secure LDAP)
The vCenter Single Sign-On (SSO) service explicitly caches the SSL certificate from the LDAPS Identity Provider to establish a secure trust anchor. During a major version upgrade, or if the Domain Controller machine certificate is renewed on the backend, a trust mismatch occurs between the vCenter 8.x appliance and the Active Directory LDAPS endpoint (Broadcom KB 374200). The strict TLS and certificate validation engines introduced in the vCenter 8.x architecture reject the secure LDAP connection, preventing the websso service from performing Smart Card UPN lookups.
Extract the active LDAPS server certificate from the target Domain Controller using OpenSSL from the vCenter SSH shell: openssl s_client -showcerts -connect <domain_controller_fqdn>:636 </dev/null 2>/dev/null | openssl x509 -outform PEM (the trailing openssl x509 stage keeps only the first certificate of the presented chain, which is the DC's own server certificate). Note: Alternatively, export the Server Authentication certificate from the Domain Controller's local computer Personal certificate store as a Base-64 encoded X.509 (.CER) file.
Copy the output, starting strictly with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, and save it into a plain text file named dc_cert.pem.
Log in to the vSphere Client using the local SSO administrator account ([email protected]).
Navigate to Administration > Single Sign On > Configuration > Identity Provider > Identity Sources.
Document the exact configurations of the current LDAPS Identity Source (Primary server URL, Base DN for users, Base DN for groups, Username).
Highlight the existing Identity Source and click Remove.
Click Add, select Active Directory over LDAP, and input the identical configuration parameters.
Locate the Certificates (for LDAPS) section, click Browse, and upload the dc_cert.pem file during the creation wizard.
Click Add to finalize and force the backend vmware-sts-idmd cache to build a new trust anchor.
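Added helper for the extraction and save steps above (not part of the original KB or of VMware's tooling): it fetches the certificate the DC presents on port 636, keeps exactly one BEGIN/END CERTIFICATE block as dc_cert.pem even when the raw output contains several, and returns a fingerprint to compare against the certificate in the DC's Personal store before it is uploaded as vCenter's trust anchor. The FQDN dc01.example.test is a placeholder and the function names are mine.

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----", re.S)

def extract_first_pem(text: str) -> str:
    """Return the first certificate block in 'openssl s_client -showcerts'
    style output, normalised to LF endings; ValueError if there is none
    (e.g. the connection failed and only error text came back)."""
    match = PEM_BLOCK.search(text)
    if not match:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    lines = [ln.strip() for ln in match.group(1).splitlines() if ln.strip()]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Colon-separated hex digest of the DER encoding (algo="sha1" matches the
    Thumbprint field shown in the Windows certificate store)."""
    digest = hashlib.new(algo, ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_ldaps_cert(host: str, port: int = 636, timeout: float = 10.0) -> str:
    """Fetch the leaf certificate from the DC's LDAPS port as PEM. Verification
    is off on purpose: this bootstraps the trust anchor, so confirm the
    fingerprint on the DC itself before uploading the file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)

def write_dc_cert(raw: str, path: str = "dc_cert.pem") -> str:
    """Write the normalised block to dc_cert.pem and return its fingerprint."""
    pem = extract_first_pem(raw)
    with open(path, "w", newline="\n") as fh:
        fh.write(pem)
    return fingerprint(pem)

if __name__ == "__main__":
    import sys
    dc_fqdn = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.test"  # placeholder
    print("dc_cert.pem sha256:", write_dc_cert(fetch_ldaps_cert(dc_fqdn)))
```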