You can use the sso-config utility to manage smart card authentication from the command line. The utility supports all smart card configuration tasks.
OS | Path |
---|---|
Windows | C:\Program Files\VMware\VCenter server\VMware Identity Services\sso-config.bat |
Linux | /opt/vmware/bin/sso-config.sh |
Configuration of supported authentication types and revocation settings is stored in VMware Directory Service and replicated across all Platform Services Controller instances in a vCenter Single Sign-On domain.
For example, the following command enables password authentication for a tenant:

OS | Command |
---|---|
Windows | sso-config.bat -set_authn_policy -pwdAuthn true -t <tenant_name> |
Linux | sso-config.sh -set_authn_policy -pwdAuthn true -t <tenant_name> |

If you use the default tenant, use vsphere.local as the tenant name.
If you use OCSP for the revocation check, you can rely on the default OCSP responder specified in the Authority Information Access (AIA) extension of the smart card certificate. You can also override the default and configure one or more alternative OCSP responders, for example responders that are local to the vCenter Single Sign-On site, so that revocation check requests are processed locally.
Prerequisites
- Verify that your environment uses Platform Services Controller version 6.5, and that you use vCenter Server version 6.0 or later. Platform Services Controller version 6.0 Update 2 supports smart card authentication, but the setup procedure is different.
- Verify that an enterprise Public Key Infrastructure (PKI) is set up in your environment, and that the smart card certificates meet the following requirements:
  - The Subject Alternative Name (SAN) extension must contain a User Principal Name (UPN) that corresponds to an Active Directory account.
  - The certificate must specify Client Authentication in the Application Policy or Enhanced Key Usage field; otherwise the browser does not present the certificate.
- Verify that the Platform Services Controller Web interface certificate is trusted by the end user’s workstation. Otherwise, the browser does not attempt the authentication.
- Add an Active Directory identity source to vCenter Single Sign-On.
- Assign the vCenter Server Administrator role to one or more users in the Active Directory identity source. Those users can then perform management tasks because they can authenticate and they have vCenter Server administrator privileges.
Note: The administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default, cannot perform smart card authentication.
- Set up the reverse proxy and restart the physical or virtual machine.
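The two certificate requirements in the prerequisites above (a UPN in the SAN extension, and Client Authentication in the Enhanced Key Usage extension) are worth checking before you enable smart card authentication, because a certificate that fails either one is silently not offered by the browser. The following Python script is an added example, not part of VMware's documentation or tooling: it walks a DER-encoded certificate using only the standard library and reports both properties. The certificate skeletons it builds at the bottom are constructed for the demonstration and are not real certificates; for a real smart card certificate, read the DER bytes from a file (for example the output of `openssl x509 -outform DER`) and pass them to `check_smart_card_cert`.

```python
"""Check a DER certificate for the smart card prerequisites: a UPN otherName in
the SAN extension and the Client Authentication EKU. Standard library only.
Added example; the sample certificates below are constructed, not real."""

SAN_OID = "2.5.29.17"
EKU_OID = "2.5.29.37"
UPN_OID = "1.3.6.1.4.1.311.20.2.3"        # Microsoft UPN otherName
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"     # id-kp-clientAuth
SMART_CARD_LOGON_OID = "1.3.6.1.4.1.311.20.2.2"


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def oid_der(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last byte
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def oid_str(body):
    arcs = [body[0] // 40, body[0] % 40]   # correct for the first arcs used here
    v = 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def children(body):
    """Split a DER body into (tag, value) elements; single-byte tags only."""
    out, pos = [], 0
    while pos < len(body):
        tag, first = body[pos], body[pos + 1]
        pos += 2
        if first & 0x80:                # long-form length
            n = first & 0x7F
            length = int.from_bytes(body[pos:pos + n], "big")
            pos += n
        else:
            length = first
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out


def find_extension(der, ext_oid):
    """Return the extnValue OCTET STRING content for ext_oid, or None if absent."""
    for tag, val in children(der):
        if not tag & 0x20:              # primitive element: nothing to descend into
            continue
        kids = children(val)
        if kids and kids[0][0] == 0x06 and oid_str(kids[0][1]) == ext_oid:
            for t, v in kids[1:]:       # skip the optional BOOLEAN 'critical'
                if t == 0x04:
                    return v
        found = find_extension(val, ext_oid)
        if found is not None:
            return found
    return None


def upn_from_san(der):
    san = find_extension(der, SAN_OID)
    if san is None:
        return None
    for tag, val in children(children(san)[0][1]):      # GeneralNames SEQUENCE
        if tag == 0xA0:                                   # otherName [0]
            name_oid, explicit = children(val)
            if oid_str(name_oid[1]) == UPN_OID:           # [0] EXPLICIT UTF8String
                return children(explicit[1])[0][1].decode("utf-8")
    return None


def eku_oids(der):
    eku = find_extension(der, EKU_OID)
    if eku is None:
        return []
    return [oid_str(v) for t, v in children(children(eku)[0][1]) if t == 0x06]


def check_smart_card_cert(der):
    upn = upn_from_san(der)
    ekus = eku_oids(der)
    result = {"upn": upn, "client_auth": CLIENT_AUTH_OID in ekus, "ekus": ekus}
    result["ok"] = upn is not None and result["client_auth"]
    return result


def _extension(oid, value_der, critical=False):
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, oid_der(oid) + flag + tlv(0x04, value_der))


def build_sample_cert(upn, ekus):
    """Constructed skeleton (serial + extensions only, unsigned); demo input only."""
    exts = b""
    if upn is not None:
        other = tlv(0xA0, oid_der(UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode("utf-8"))))
        exts += _extension(SAN_OID, tlv(0x30, other))
    if ekus:
        exts += _extension(EKU_OID, tlv(0x30, b"".join(oid_der(o) for o in ekus)))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs)


if __name__ == "__main__":
    samples = {
        "good": build_sample_cert("jdoe@corp.example", [CLIENT_AUTH_OID, SMART_CARD_LOGON_OID]),
        "server-auth only": build_sample_cert("jdoe@corp.example", ["1.3.6.1.5.5.7.3.1"]),
        "no UPN in SAN": build_sample_cert(None, [CLIENT_AUTH_OID]),
    }
    for label, cert in samples.items():
        print(label, check_smart_card_cert(cert))
```

The script checks only the two structural properties the prerequisites name. It does not validate the signature chain, the revocation status, or whether the UPN actually maps to an account in the Active Directory identity source; those are resolved by the PKI trust configuration and by the identity source you add to vCenter Single Sign-On.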