A smart card is a small plastic card with an embedded integrated circuit chip. Many government agencies and large enterprises use smart cards such as Common Access Card (CAC) to increase the security of their systems and to comply with security regulations. A smart card is used in environments where each machine includes a smart card reader. Smart card hardware drivers that manage the smart card are typically preinstalled.

Note: In vSphere 7.0 Update 2 and later, you can enable FIPS on vCenter Server. See the vSphere Security documentation. RSA SecureID and CAC authentication are not supported when FIPS is enabled. Use external identity provider federation for MFA authentication. See Configuring vCenter Server Identity Provider Federation.

Users who log in to a vCenter Server system are prompted to authenticate with a smart card and PIN combination, as follows.

  1. When a user inserts the smart card into the smart card reader, the browser reads the certificates on the card.
  2. The browser prompts the user to select a certificate, then prompts the user for the PIN for that certificate.
  3. vCenter Single Sign-On checks whether the certificate on the smart card is known. If revocation checking is turned on, vCenter Single Sign-On also checks whether the certificate is revoked.
  4. If the certificate is known to vCenter Single Sign-On, and is not a revoked certificate, the user is authenticated and can perform tasks for which that the user has permissions.
Note: It usually makes sense to leave user name and password authentication enabled during testing. After testing is complete, deactivate user name and password authentication and activate smart card authentication. Subsequently, the vSphere Client allows only smart card login. Only users with root or administrator privileges on the machine can reactivate user name and password authentication by logging in to the vCenter Server directly.