You can enable and disable smart card authentication, customize the login banner, and set up the revocation policy from the Platform Services Controller Web interface.

When you configure smart card authentication from the command line, you always set up the Platform Services Controller using the sso-config command first. Then you can perform other tasks by using the Platform Services Controller Web interface.

  1. Configure the Platform Services Controller so that the Web browser requests submission of the smart card certificate when the user logs in.
  2. Configure the authentication policy. You can configure the policy by using the sso-config script or the Platform Services Controller Web interface. Configuration of supported authentication types and revocation settings is stored in VMware Directory Service and replicated across all Platform Services Controller instances in a vCenter Single Sign-On domain.

If smart card authentication is enabled and other authentication methods are disabled, users are then required to log in using smart card authentication.

If login from the vSphere Web Client is not working, and if user name and password authentication is turned off, a root or administrator user can turn user name and password authentication back on from the Platform Services Controller command line by running the following command. The example is for Windows; for Linux, use
sso-config.bat -set_authn_policy -pwdAuthn true


  • Verify that your environment uses Platform Services Controller version 6.0 Update 2 or later, and that you use vCenter Server version 6.0 or later. Upgrade version 5.5 nodes to version 6.0.
  • Verify that an enterprise Public Key Infrastructure (PKI) is set up in your environment, and that certificates meet the following requirements:
    • A User Principal Name (UPN) that corresponds to an Active Directory account in the Subject Alternative Name (SAN) extension.
    • Client Authentication must be specified in the Application Policy or Enhanced Key Usage field of a certificate, or the browser does not show that certificate.

  • Verify that the Platform Services Controller Web interface certificate is trusted by the end user’s workstation; otherwise, the browser does not attempt the authentication.
  • Configure an Active Directory identity source and add it to vCenter Single Sign-On as an identity source.
  • Assign the vCenter Server Administrator role to one or more users in the Active Directory identity source. Those users can then authenticate because they are in the Active Directory group, and they have vCenter Server administrator privileges. The administrator@vsphere.local user cannot perform smart card authentication.
  • If you want to use the Platform Services Controller HA solution in your environment, complete all HA configuration before you set up smart card authentication. See VMware Knowledge Base article 2112085 (Windows) or 2113315 (vCenter Server Appliance).


  1. Obtain the certificates and copy them to a folder that the sso-config utility can see.
    Option Description
    Windows Log in to the Platform Services Controller Windows installation and use WinSCP or a similar utility to copy the files.
    1. Log in to the appliance console, either directly or by using SSH.
    2. Enable the appliance shell, as follows.
      shell.set --enabled True
      chsh -s "/bin/bash" root
      csh -s "bin/appliance/sh" root
    3. Use WinSCP or a similar utility to copy the certificates to the /usr/lib/vmware-sso/vmware-sts/conf on the Platform Services Controller.
    4. Optionally disable the appliance shell, as follows.
      chsh -s "bin/appliancesh" root
  2. On each Platform Services Controller node, configure smart card authentication settings by using the sso-config CLI.
    1. Go to the directory where the sso-config script is located.
      Option Description
      Windows C:\Program Files\VMware\VCenter server\VMware Identity Services
      Appliance /opt/vmware/bin
    2. Run the following command:
      sso-config.[bat|sh] -set_tc_cert_authn -switch true -cacerts  [FirstTrustedCA.cer,SecondTrustedCA.cer,...]  -t tenant
      For example:
      sso-config.bat -set_tc_cert_authn -switch true -cacerts MySmartCA1.cer,MySmartCA2.cer -t vsphere.local
      Separate multiple certificates with commas, but do not put spaces after the comma.
    3. Restart the virtual or physical machine.
      service-control --stop vmware-stsd
      service-control --start vmware-stsd
  3. From a Web browser, connect to the Platform Services Controller by specifying the following URL:
    In an embedded deployment, the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.
  4. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@ mydomain.
  5. Browse to Single Sign-On > Configuration.
  6. Click Smart Card Configuration, and select the Trusted CA certificates tab.
  7. To add one or more trusted certificates, click Add Certificate, click Browse, select all certificates from trusted CAs, and click OK.
  8. To specify the authentication configuration, click Edit next to Authentication Configuration and select or deselect authentication methods.
    You cannot enable or disable RSA SecurID authentication from this Web interface. However, if RSA SecurID has been enabled from the command line, the status appears in the Web interface.