You can enable and disable smart card authentication, customize the login banner, and set up the revocation policy from the Platform Services Controller Web interface.

If smart card authentication is enabled and other authentication methods are disabled, users are then required to log in using smart card authentication.

If user name and password authentication are disabled, and if problems occur with smart card authentication, users cannot log in. In that case, a root or administrator user can turn on user name and password authentication from the Platform Services Controller command line. The following command enables user name and password authentication.
OS        Command
Windows   sso-config.bat -set_authn_policy -pwdAuthn true -t <tenant_name>
Linux     sso-config.sh -set_authn_policy -pwdAuthn true -t <tenant_name>

If you use the default tenant, use vsphere.local as the tenant name.

Prerequisites

  • Verify that your environment uses Platform Services Controller version 6.5, and that you use vCenter Server version 6.0 or later. Platform Services Controller version 6.0 Update 2 supports smart card authentication, but the setup procedure is different.
  • Verify that an enterprise Public Key Infrastructure (PKI) is set up in your environment, and that certificates meet the following requirements:
    • The Subject Alternative Name (SAN) extension must contain a User Principal Name (UPN) that corresponds to an Active Directory account.
    • The certificate must specify Client Authentication in the Application Policy or Enhanced Key Usage field; otherwise the browser does not offer the certificate for selection.

  • Verify that the Platform Services Controller Web interface certificate is trusted by the end user’s workstation. Otherwise, the browser does not attempt the authentication.
  • Add an Active Directory identity source to vCenter Single Sign-On.
  • Assign the vCenter Server Administrator role to one or more users in the Active Directory identity source. Those users can then perform management tasks because they can authenticate and they have vCenter Server administrator privileges.
    Note: The administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default, cannot perform smart card authentication.
  • Set up the reverse proxy and restart the physical or virtual machine.

Procedure

  1. Obtain the certificates and copy them to a folder that the sso-config utility can see.
    Windows: Log in to the Platform Services Controller Windows installation and use WinSCP or a similar utility to copy the files.
    Appliance:
    1. Log in to the appliance console, either directly or by using SSH.
    2. Enable the Bash shell for the root user, as follows.
      shell
      chsh -s "/bin/bash" root
    3. Use WinSCP or a similar utility to copy the certificates to the /usr/lib/vmware-sso/vmware-sts/conf directory on the Platform Services Controller.
    4. Optionally switch the root user back to the appliance shell, as follows.
      chsh -s "/bin/appliancesh" root
  2. From a Web browser, connect to the vSphere Web Client or the Platform Services Controller.
    vSphere Web Client: https://vc_hostname_or_IP/vsphere-client
    Platform Services Controller: https://psc_hostname_or_IP/psc

    In an embedded deployment, the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.

  3. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@mydomain.
  4. Navigate to the vCenter Single Sign-On configuration UI.
    vSphere Web Client:
    1. From the Home menu, select Administration.
    2. Under Single Sign-On, click Configuration.
    Platform Services Controller: Click Single Sign-On and click Configuration.
  5. Click Smart Card Configuration, and select the Trusted CA certificates tab.
  6. To add one or more trusted certificates, click Add Certificate, click Browse, select all certificates from trusted CAs, and click OK.
  7. To specify the authentication configuration, click Edit next to Authentication Configuration and select or deselect authentication methods.
    You cannot enable or disable RSA SecurID authentication from this Web interface. However, if RSA SecurID has been enabled from the command line, the status appears in the Web interface.

What to do next

Your environment might require enhanced OCSP configuration.
  • If your OCSP response is issued by a different CA than the signing CA of the smart card, provide the OCSP signing CA certificate.
  • You can configure one or more local OCSP responders for each Platform Services Controller site in a multi-site deployment. You can configure these alternative OCSP responders using the CLI. See Use the Command Line to Manage Smart Card Authentication.