In vSphere 7.0 and later, external identity provider federation is the preferred authentication method for vCenter Server. You can still authenticate by using a smart card (UPN-based Common Access Card or CAC), or by using an RSA SecurID token.

Two-Factor Authentication Methods

Government agencies or large enterprises often require two-factor authentication. vSphere supports the following two-factor authentication methods.
External Identity Provider Federation
With external identity provider federation, you can use the authentication mechanisms supported by the external identity provider, including multi-factor authentication.
Smart Card Authentication
Smart card authentication allows access only to users who attach a physical card reader to the computer that they log in to. An example is Common Access Card (CAC) authentication.
The administrator can deploy the PKI so that the smart card certificates are the only client certificates that the CA issues. For such deployments, only smart card certificates are presented to the user. The user selects a certificate, and is prompted for a PIN. Only users who have both the physical card and the PIN that matches the certificate can log in.
RSA SecurID Authentication
For RSA SecurID authentication, your environment must include a correctly configured RSA Authentication Manager. If the vCenter Server is configured to point to the RSA server, and if RSA SecurID Authentication is activated, users can log in with their user name and token.
See the vSphere Blog post, RSA SecurID setup, for details.
Note: vCenter Single Sign-On supports only native SecurID. It does not support RADIUS authentication.

Specifying a vCenter Server Non-default Authentication Method

You can set up a non-default authentication method from the vSphere Client, or by using the sso-config script.

  • For smart card authentication, you can perform the vCenter Single Sign-On setup from the vSphere Client or by using sso-config. Setup includes activating smart card authentication and configuring certificate revocation policies.
  • For RSA SecurID, you use the sso-config script to configure RSA Authentication Manager for the domain, and to enable RSA token authentication. You cannot configure RSA SecurID authentication from the vSphere Client. However, if you enable RSA SecurID, that authentication method appears in the vSphere Client.

Combining vCenter Server Authentication Methods

You can activate or deactivate each authentication method separately by using sso-config. Leave user name and password authentication enabled initially, while you test a two-factor authentication method. After testing, leave only one authentication method enabled.
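
The staged approach above, written as a dry-run wrapper around the `-set_authn_policy` and `-get_authn_policy` options of sso-config; this is an added example, not a script from the original page or from VMware. It assumes the script lives at `/opt/vmware/bin/sso-config.sh`, the default `vsphere.local` domain, a placeholder CA certificate path, and that the RSA Authentication Manager site or the smart card revocation policy is already configured.

```shell
# Staged move to a single two-factor method with sso-config (added example).
# Dry run by default: commands are only printed. Set APPLY=1 to execute them.
SSO_CONFIG="${SSO_CONFIG:-/opt/vmware/bin/sso-config.sh}"
TENANT="${TENANT:-vsphere.local}"                  # assumption: default SSO domain
CA_CERTS="${CA_CERTS:-/path/to/smartcard-ca.cer}"  # placeholder, not a real path

# Map a method name to its -set_authn_policy flag.
policy_flag() {
  case "$1" in
    password)  echo "-pwdAuthn" ;;
    windows)   echo "-winAuthn" ;;
    smartcard) echo "-certAuthn" ;;
    securid)   echo "-securIDAuthn" ;;
    *)         return 1 ;;
  esac
}

# plan PHASE METHOD prints one sso-config command per line.
#   test:    activate METHOD; user name and password stay enabled
#   enforce: deactivate every method except METHOD
plan() {
  phase="$1"; target="$2"
  case "$target" in
    smartcard|securid) ;;
    *) echo "unknown method: $target" >&2; return 2 ;;
  esac
  case "$phase" in
    test)
      extra=""
      if [ "$target" = smartcard ]; then extra=" -cacerts $CA_CERTS"; fi
      echo "$SSO_CONFIG -set_authn_policy $(policy_flag "$target") true$extra -t $TENANT" ;;
    enforce)
      for m in password windows smartcard securid; do
        if [ "$m" != "$target" ]; then
          echo "$SSO_CONFIG -set_authn_policy $(policy_flag "$m") false -t $TENANT"
        fi
      done ;;
    *) echo "unknown phase: $phase" >&2; return 2 ;;
  esac
  echo "$SSO_CONFIG -get_authn_policy -t $TENANT"   # show the resulting policy
}

# run PHASE METHOD prints the plan and executes it only when APPLY=1.
run() {
  plan "$1" "$2" | while IFS= read -r cmd; do
    echo "+ $cmd"
    if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd"; fi
  done
}
if [ "$#" -eq 2 ]; then run "$1" "$2"; fi
```

Run the `test` phase first, confirm that a two-factor login works, and only then run `enforce` for the same method so that a working login path always exists.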