You can use the sso-config utility to configure smart card authentication from the command line. The utility supports all smart card configuration tasks.

When you configure smart card authentication from the command line, you always set up the Platform Services Controller using the sso-config command first. Then you can perform other tasks by using the Platform Services Controller Web interface.

  1. Configure the Platform Services Controller so that the Web browser requests submission of the smart card certificate when the user logs in.
  2. Configure the authentication policy. You can configure the policy by using the sso-config script or the Platform Services Controller Web interface. Configuration of supported authentication types and revocation settings is stored in VMware Directory Service and replicated across all Platform Services Controller instances in a vCenter Single Sign-On domain.

If smart card authentication is enabled and other authentication methods are disabled, users are then required to log in using smart card authentication.

If login from the vSphere Web Client is not working, and if user name and password authentication is turned off, a root or administrator user can turn user name and password authentication back on from the Platform Services Controller command line by running the following command. The example is for Windows; for Linux, use
  sso-config.bat -set_authn_policy -pwdAuthn true
You can find the sso-config script at the following locations:
  Windows  C:\Program Files\VMware\VCenter server\VMware Identity Services\sso-config.bat
  Linux    /opt/vmware/bin/


  • Verify that your environment uses Platform Services Controller version 6.0 Update 2 or later, and that you use vCenter Server version 6.0 or later. Upgrade version 5.5 nodes to version 6.0.
  • Verify that an enterprise Public Key Infrastructure (PKI) is set up in your environment, and that certificates meet the following requirements:
    • A User Principal Name (UPN) that corresponds to an Active Directory account in the Subject Alternative Name (SAN) extension.
    • Client Authentication must be specified in the Application Policy or Enhanced Key Usage field of a certificate, or the browser does not show that certificate.

  • Verify that the Platform Services Controller Web interface certificate is trusted by the end user’s workstation; otherwise, the browser does not attempt the authentication.
  • Configure an Active Directory identity source and add it to vCenter Single Sign-On as an identity source.
  • Assign the vCenter Server Administrator role to one or more users in the Active Directory identity source. Those users can then authenticate because they are in the Active Directory group, and they have vCenter Server administrator privileges. The administrator@vsphere.local user cannot perform smart card authentication.
  • If you want to use the Platform Services Controller HA solution in your environment, complete all HA configuration before you set up smart card authentication. See VMware Knowledge Base article 2112085 (Windows) or 2113315 (vCenter Server Appliance).


  1. Obtain the certificates and copy them to a folder that the sso-config utility can see.
    Option Description
    Windows Log in to the Platform Services Controller Windows installation and use WinSCP or a similar utility to copy the files.
    Appliance
    1. Log in to the appliance console, either directly or by using SSH.
    2. Enable the appliance shell, as follows.
      shell.set --enabled True
      chsh -s "/bin/bash" root
    3. Use WinSCP or a similar utility to copy the certificates to the /usr/lib/vmware-sso/vmware-sts/conf directory on the Platform Services Controller.
    4. Optionally, disable the appliance shell again, as follows.
      chsh -s "/bin/appliancesh" root
  2. On each Platform Services Controller node, configure smart card authentication settings by using the sso-config CLI.
    1. Go to the directory where the sso-config script is located.
      Option Description
      Windows C:\Program Files\VMware\VCenter server\VMware Identity Services
      Appliance /opt/vmware/bin
    2. Run the following command:
      sso-config.[bat|sh] -set_tc_cert_authn -switch true -cacerts [FirstTrustedCA.cer,SecondTrustedCA.cer,...] -t tenant
      For example:
      sso-config.bat -set_tc_cert_authn -switch true -cacerts MySmartCA1.cer -t vsphere.local
    3. Restart the Security Token Service (vmware-stsd) on the virtual or physical machine.
      service-control --stop vmware-stsd
      service-control --start vmware-stsd
  3. To enable smart card authentication for VMware Directory Service (vmdir), run the following command.
    sso-config.[bat|sh] -set_authn_policy -certAuthn true -cacerts first_trusted_cert.cer,second_trusted_cert.cer -t tenant
    For example:
    sso-config.[bat|sh] -set_authn_policy -certAuthn true -cacerts MySmartCA1.cer,MySmartCA2.cer -t vsphere.local
    If you specify multiple certificates, spaces between certificates are not allowed.
  4. To disable all other authentication methods, run the following commands.
    sso-config.[bat|sh] -set_authn_policy -pwdAuthn false -t vsphere.local
    sso-config.[bat|sh] -set_authn_policy -winAuthn false -t vsphere.local
    sso-config.[bat|sh] -set_authn_policy -securIDAuthn false -t vsphere.local
    You can use the same commands with true or false to enable or disable the individual authentication methods as needed.
  5. (Optional) To set a certificate policies allowlist, run the following command.
    sso-config.[bat|sh] -set_authn_policy -certPolicies policies
    To specify multiple policies, separate them with a comma, for example:
    sso-config.bat -set_authn_policy -certPolicies 2.16.840.,2.16.840.
    The allowlist holds the object IDs of the policies that are accepted in a certificate's Certificate Policies extension; an X.509 certificate can carry such an extension, and only certificates whose policy OIDs appear on the list are accepted.
  6. (Optional) To list configuration information, run the following command.
    sso-config.[bat|sh] -get_authn_policy -t tenantName
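The certificate requirements from the prerequisites (a UPN in the SAN extension and the Client Authentication EKU) and the certificate policies allowlist from step 5 can be verified before a certificate is ever presented to the Platform Services Controller. The following Go program is an added example written for this page; it is not VMware code and does not call sso-config. It parses a DER certificate, extracts the UPN from the Microsoft otherName entry in the SAN (Go's standard parser ignores otherName, so the example decodes it itself), checks for the Client Authentication EKU, and compares the certificate's policy OIDs against an allowlist given in the same dotted form that -certPolicies takes. The allowlist semantics (any one matching policy OID accepts the certificate) are an assumption; the policy OID 1.2.3.4.5.6.7.8.1 and the UPN alice@corp.example are constructed sample values; and MakeTestCert only issues a self-signed throwaway certificate so the checker can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Standard OIDs (SAN, Certificate Policies, Microsoft UPN otherName type); samplePolicy is a constructed demo OID.
var (
	oidSubjectAltName  = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidCertPolicies    = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidMSUserPrincipal = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
	samplePolicy       = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7, 8, 1}
)

// otherName mirrors OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }; a UPN value is a UTF8String.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

// CheckResult reports how one certificate measures up to the requirements.
type CheckResult struct {
	UPN           string // UPN from the SAN otherName, "" when absent
	ClientAuth    bool   // Client Authentication EKU present
	PolicyAllowed bool   // allowlist empty, or at least one certificate policy on it (assumed semantics)
}

// CheckSmartCardCert parses a DER certificate and runs the three checks.
func CheckSmartCardCert(certDER []byte, allowlist []string) (CheckResult, error) {
	var res CheckResult
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return res, err
	}
	for _, eku := range cert.ExtKeyUsage {
		res.ClientAuth = res.ClientAuth || eku == x509.ExtKeyUsageClientAuth
	}
	for _, ext := range cert.Extensions { // Go's SAN parser drops otherName entries, so decode them here
		if ext.Id.Equal(oidSubjectAltName) {
			res.UPN = upnFromSAN(ext.Value)
		}
	}
	res.PolicyAllowed = len(allowlist) == 0
	for _, p := range cert.PolicyIdentifiers {
		for _, a := range allowlist {
			res.PolicyAllowed = res.PolicyAllowed || a == p.String()
		}
	}
	return res, nil
}

// upnFromSAN walks GeneralNames and returns the first UPN otherName, or "".
func upnFromSAN(value []byte) string {
	var seq asn1.RawValue
	asn1.Unmarshal(value, &seq) // on a malformed SAN seq.Bytes stays nil and the loop never runs
	for rest := seq.Bytes; len(rest) > 0; {
		var gn, on = asn1.RawValue{}, otherName{} // gn: one GeneralName; on: [0] IMPLICIT OtherName
		rest, _ = asn1.Unmarshal(rest, &gn)        // a nil rest on error ends the loop
		// Other GeneralName choices (dNSName, rfc822Name, ...) fail the "tag:0" check and are skipped.
		if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidMSUserPrincipal) {
			return on.Value
		}
	}
	return ""
}

func der(v interface{}, params string) []byte { // fixed ASN.1 shapes: an error here is a bug, not bad input
	b, err := asn1.MarshalWithParams(v, params)
	if err != nil {
		panic(err)
	}
	return b
}

// MakeTestCert issues a constructed self-signed certificate; empty upn omits the SAN, nil policy omits the policies extension.
func MakeTestCert(upn string, clientAuth bool, policy asn1.ObjectIdentifier) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed smart card user"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if clientAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if upn != "" { // GeneralNames ::= SEQUENCE OF GeneralName, here a single [0] IMPLICIT OtherName
		gn := asn1.RawValue{FullBytes: der(otherName{oidMSUserPrincipal, upn}, "tag:0")}
		tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{Id: oidSubjectAltName, Value: der([]asn1.RawValue{gn}, "")})
	}
	if policy != nil { // certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier }
		tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{Id: oidCertPolicies, Value: der([]struct{ ID asn1.ObjectIdentifier }{{policy}}, "")})
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	certDER, err := MakeTestCert("alice@corp.example", true, samplePolicy)
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckSmartCardCert(certDER, []string{samplePolicy.String()}))
}
```

To check a real smart card certificate, read the DER file into a byte slice (decode PEM first with encoding/pem if needed) and pass it to CheckSmartCardCert together with the OIDs you intend to put on the -certPolicies allowlist; a result with an empty UPN or ClientAuth false explains the symptom described in the prerequisites, where the browser does not offer the certificate or the login cannot be mapped to an Active Directory account.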