You can set up your environment to require smart card authentication when a user connects to a vCenter Server or associated Platform Services Controller from the vSphere Web Client.

Smart Card Authentication Login

A smart card is a small plastic card with an embedded integrated circuit chip. Many government agencies and large enterprises use smart cards such as Common Access Card (CAC) to increase the security of their systems and to comply with security regulations. A Common Access Card is used in environments where each machine includes a smart card reader, and where smart card hardware drivers that manage Common Access Card are typically preinstalled.

When you configure smart card authentication for vCenter Single Sign-On, users who log in to a vCenter Server or Platform Services Controller system are prompted to authenticate with a smart card and PIN combination, as follows:

  1. When the user inserts the smart card into the smart card reader, vCenter Single Sign-On reads the certificates on the card.
  2. vCenter Single Sign-On prompts the user to select a certificate, and then prompts the user for the PIN for that certificate.
  3. vCenter Single Sign-On checks whether the certificate on the smart card is known and whether the PIN is correct. If the revocation checking is turned on, vCenter Single Sign-On also checks whether the certificate is revoked.
  4. If the certificate is known, and is not a revoked certificate, the user is authenticated and can then perform tasks that user has permissions for.
Note: In most cases, it makes sense to leave user name and password authentication enabled during testing. After testing is complete, disable user name and password authentication and enable smart card authentication. After that, the vSphere Client allows only smart card login. Only users with root or administrator privileges on the machine can reenable user name and password by logging into the Platform Services Controller directly.