You can activate and deactivate smart card authentication, customize the login banner, and set up the revocation policy from the vSphere Client.

If smart card authentication is activated and other authentication methods are deactivated, users are then required to log in using smart card authentication.

If user name and password authentication are deactivated, and if problems occur with smart card authentication, users cannot log in. In that case, a root or administrator user can turn on user name and password authentication from the vCenter Server command line. The following command activates user name and password authentication, where tenant_name is the vCenter Single Sign-On domain (vsphere.local by default).
sso-config.sh -set_authn_policy -pwdAuthn true -t tenant_name

Prerequisites

  • Verify that an enterprise Public Key Infrastructure (PKI) is set up in your environment, and that certificates meet the following requirements:
    • The Subject Alternative Name (SAN) extension must contain a User Principal Name (UPN) that corresponds to an Active Directory account.
    • The certificate must specify Client Authentication in the Application Policy or Extended Key Usage field; otherwise the browser does not offer the certificate for selection.

  • Add an Active Directory identity source to vCenter Single Sign-On.
  • Assign the vCenter Server Administrator role to one or more users in the Active Directory identity source. Those users can then perform management tasks because they can authenticate and they have vCenter Server administrator privileges.
  • Ensure that you have set up the reverse proxy and restarted the physical or virtual machine.
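The two certificate requirements above are easy to get wrong at the PKI template level and the symptom (the browser silently not offering the card certificate) gives no hint why. The following script is an added example, not part of the VMware documentation, that checks a PEM certificate for both properties using only openssl. It assumes openssl 1.1.1 or later is on PATH; the sample certificates it generates are constructed for the demonstration and the names in them (jdoe@corp.example, good.pem, bad.pem) are placeholders. The UPN is matched on its DER-encoded OID rather than on the text dump, because older openssl versions print the Microsoft UPN otherName only as "othername:<unsupported>".

```shell
#!/bin/sh
# Added example (not VMware's code): pre-flight check of a smart card
# certificate for the UPN SAN and Client Authentication EKU that vCenter
# Single Sign-On requires. Assumes openssl 1.1.1+ on PATH.

# Microsoft UPN otherName OID 1.3.6.1.4.1.311.20.2.3 as encoded in DER:
# tag 06, length 0a, then the encoded arcs (311 = 0x82 0x37).
UPN_OID_DER='060a2b060104018237140203'
# id-kp-clientAuth 1.3.6.1.5.5.7.3.2 in DER (reference only; the EKU check
# below uses the text dump because openssl labels this OID reliably).
CLIENT_AUTH_OID_DER='06082b06010505070302'

# Hex dump of the certificate as one continuous string so that an OID can be
# searched byte for byte regardless of how this openssl version labels it.
cert_der_hex() {
  openssl x509 -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n'
}

# 0 when the certificate carries a Microsoft UPN otherName. asn1parse would
# hide it inside the extension's OCTET STRING, hence the raw byte search.
has_upn_san() {
  cert_der_hex "$1" | grep -q "$UPN_OID_DER"
}

# 0 when the Extended Key Usage lists Client Authentication; openssl renders
# id-kp-clientAuth as "TLS Web Client Authentication" in -text output.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Combined check: 0 = meets both requirements, 1 = one or both are missing.
# Note that this only proves a UPN is present; whether it maps to an
# Active Directory account still has to be checked against the directory.
check_smartcard_cert() {
  rc=0
  has_upn_san "$1" || { echo "$1: no UPN in subjectAltName" >&2; rc=1; }
  has_client_auth_eku "$1" || { echo "$1: no Client Authentication EKU" >&2; rc=1; }
  return $rc
}

# Constructed sample certificates: good.pem meets both requirements,
# bad.pem is a plain self-signed certificate with neither extension.
make_sample_certs() {
  dir="$1"
  cat > "$dir/good.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = smartcard
prompt = no
[ dn ]
CN = Jane Doe
[ smartcard ]
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:jdoe@corp.example
extendedKeyUsage = clientAuth
EOF
  cat > "$dir/bad.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = No Extensions
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/good.cnf" \
    -keyout "$dir/good.key" -out "$dir/good.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/bad.cnf" \
    -keyout "$dir/bad.key" -out "$dir/bad.pem" 2>/dev/null
}

# Usage: sh check_smartcard_cert.sh user.pem [more.pem ...]
# With no arguments, run the demonstration on the constructed samples.
if [ $# -gt 0 ]; then
  for c in "$@"; do check_smartcard_cert "$c" && echo "$c: OK"; done
else
  tmp=$(mktemp -d)
  make_sample_certs "$tmp"
  check_smartcard_cert "$tmp/good.pem" && echo "good.pem: OK"
  check_smartcard_cert "$tmp/bad.pem" || echo "bad.pem: rejected (expected)"
  rm -rf "$tmp"
fi
```

Run it against the certificate exported from a test user's card (or from the CA's issued-certificates store) before touching the vSphere Client; a certificate that fails here will also fail at the browser prompt, where the only symptom is that nothing is offered.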

Procedure

  1. Obtain the certificates and copy them to a folder that the sso-config utility can see.
    1. Log in to the vCenter Server console, either directly or by using SSH.
    2. Activate the Bash shell, as follows.
      Command> shell
      chsh -s "/bin/bash" root
    3. Use WinSCP or a similar utility to copy the certificates to the /usr/lib/vmware-sso/vmware-sts/conf directory on the vCenter Server.
    4. Optionally deactivate the shell, as follows.
      chsh -s "/bin/appliancesh" root
  2. Log in with the vSphere Client to the vCenter Server.
  3. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@mydomain.
  4. Navigate to the Configuration UI.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Configuration.
  5. Under the Identity Provider tab, click Smart Card Authentication, then click Edit.
  6. Select or deselect authentication methods, and click Save.
    You cannot activate or deactivate RSA SecurID authentication from this Web interface. However, if RSA SecurID has been activated from the command line, the status appears in the Web interface.
    The Trusted CA certificates tab appears.
  7. Under the Trusted CA certificates tab:
    1. Click Add, and click Browse.
    2. Select a trusted CA certificate, and click Add.
  8. To add additional trusted CA certificates, repeat step 7.

What to do next

Your environment might require enhanced OCSP configuration.
  • If your OCSP response is issued by a different CA than the signing CA of the smart card, provide the OCSP signing CA certificate.
  • You can configure one or more local OCSP responders for each vCenter Server site in a multi-site deployment. You can configure these alternative OCSP responders using the CLI. See Manage Smart Card Authentication Using the CLI.