You can use smart card authentication to log in to the ESXi Direct Console User Interface (DCUI) by using a Personal Identity Verification (PIV), Common Access Card (CAC) or SC650 smart card instead specifying a user name and password.
A smart card is a small plastic card with an embedded integrated circuit chip. Many government agencies and large enterprises use smart card based two-factor authentication to increase the security of their systems and comply with security regulations.
When smart card authentication is enabled on an ESXi host, the DCUI prompts for a smart card and PIN combination instead of the default prompt for a user name and password.
- When you insert the smart card into the smart card reader, the ESXi host reads the credentials on it.
- The ESXi DCUI displays your login ID, and prompts for your PIN.
- After you enter your PIN, the ESXi host matches it with the PIN stored on the smart card and verifies the certificate on the smart card with Active Directory.
- After successful verification of the smart card certificate, ESXi logs you in to the DCUI.
You can switch to user name and password authentication from the DCUI by pressing F3.
The chip on the smart card locks after a few consecutive incorrect PIN entries, usually three. If a smart card is locked, only selected personnel can unlock it.
Activate Smart Card Authentication
Activate smart card authentication to prompt for smart card and PIN combination to log in to the ESXi DCUI.
Prerequisites
- Set up the infrastructure to handle smart card authentication, such as accounts in the Active Directory domain, smart card readers, and smart cards.
- Configure ESXi to join an Active Directory domain that supports smart card authentication. For more information, see Using Active Directory to Manage ESXi Users.
- Use the vSphere Client to add root certificates. See Managing Certificates for ESXi Hosts.
Procedure
Deactivate Smart Card Authentication
Deactivate smart card authentication to return to the default user name and password authentication for ESXi DCUI login.
Procedure
Authenticating With User Name and Password in Case of Connectivity Problems
If the Active Directory (AD) domain server is not reachable, you can log in to the ESXi DCUI by using user name and password authentication to perform emergency actions on the host.
In exceptional circumstances, the AD domain server is not reachable to authenticate the user credentials on the smart card because of connectivity problems, network outage, or disasters. In that case, you can log in to the ESXi DCUI by using the credentials of a local ESXi Administrator user. After logging in, you can perform diagnostics or other emergency actions. The fallback to user name and password login is logged. When the connectivity to AD is restored, smart card authentication is enabled again.
Using Smart Card Authentication in Lockdown Mode
When activated, lockdown mode on the ESXi host increases the security of the host and limits access to the DCUI. Lockdown mode might cause the smart card authentication to no longer work.
In normal lockdown mode, only users on the Exception Users list with administrator privileges can access the DCUI. Exception users are host local users or Active Directory users with permissions defined locally for the ESXi host. If you want to use smart card authentication in normal lockdown mode, you must add users to the Exception Users list from the vSphere Client. These users do not lose their permissions when the host enters normal lockdown mode and can log in to the DCUI. For more information, see Specify Lockdown Mode Exception Users.
In strict lockdown mode, the DCUI service is stopped. As a result, you cannot access the host by using smart card authentication.