vCenter Single Sign-On allows you to authenticate by using the name and password of a user in an identity source that is known to vCenter Single Sign-On, or using Windows session authentication for Active Directory identity sources. Starting with vSphere 6.0 Update 2, you can also authenticate by using a smart card (UPN-based Common Access Card or CAC), or by using an RSA SecurID token.

Two-Factor Authentication Methods

The two-factor authentication methods are often required by government agencies or large enterprises.

Common Access Card (CAC) Authentication

CAC authentication allows access only to users who attach a physical card to the USB drive of the computer where they log in. If the PKI is deployed so that the smart card certificates are the only client certificates that are issued by the CA, then only smart card certificates are presented to the user. The user selects a certificate, and is then prompted for a PIN. Only users who have both the physical card and the PIN that matches the certificate can log in.

RSA SecurID Authentication

For RSA SecureID authentication, your environment must include a correctly configured RSA Authentication Manager. If the Platform Services Controller is configured to point to the RSA server, and if RSA SecurID Authentication is enabled, users can then log in with their user name and token.


vCenter Single Sign-On supports only native SecurID, it does not support RADIUS authentication.

Specifying a Non-Default Authentication Method

Administrators can perform the setup from the Platform Services Controller Web interface, or by using the sso-config script (sso-config.bat on Windows and on the appliance).

  • For Common Access Card authentication, you set up your Web browser by using the sso-config script, and you can perform the vCenter Single Sign-On setup from the Platform Services Controller Web interface or by using sso-config. Setup includes enabling CAC authentication, configuring certificate revocation policies, and setting up a login banner.

  • For RSA SecureID, you use the sso-config script to configure RSA Authentication Manager for the domain, and to enable RSA token authetication. The authentication method displays in the Platform Services Controller Web interface if enabled, but you cannot configure RSA SecureID authentication from the Web interface.

Combining Different Authentication Methods

You can enable or disable each authentication method separately using sso-config. It might make sense, for example, to leave user name and password authentication enabled initially while you are testing one of the two-factor authentication methods, and to then set only one authentication method as enabled.