Whenever I connect to the web client, the browser isn't prompting me to select a certificate. There is almost no documentation for troubleshooting smart card authentication for the web client, so I'm hoping that someone has been able to get it to work.
Here's what I've done so far:
- I have the PSC configured for smart card authentication
- I have the root and issuing certificates loaded in the PSC
- I have an Active Directory identity source configured (and tested)
- I've replaced the vCenter SSL certificates with trusted certs from our CA
- I've replaced the user certs in PSC with trusted certs from our CA
- The certs all have unique subjects and the FQDN in the subject-alt
I've tested this in IE and Chrome and the "Use Smart Card Authentication" checkbox is visible on the login page but the browser never prompts for the cert. I'm not getting any certificate errors (that I can see) and the SSO logs on the server aren't giving any errors. The smart card is working fine with other applications including other web-based authentications.
Here is some relevant output:
C:\Program Files\VMware\vCenter Server\VMware Identity Services>sso-config.bat -get_tc_cert_authn
***** Loading all the necessary jars from directory : C:\Program Files\VMware\vCenter Server\VMware Identity Services *****
***** Loaded JARs successfully *****
clientAuth: want
truststoreFile: C:\ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\conf\trustedca.jks
truststoreType: JKS
C:\Program Files\VMware\vCenter Server\VMware Identity Services>sso-config.bat -get_authn_policy -t vsphere.local
***** Loading all the necessary jars from directory : C:\Program Files\VMware\vCenter Server\VMware Identity Services *****
***** Loaded JARs successfully *****
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/C:/Program%20Files/VMware/vCenter%20Server/VMware%20Identity%20Services/slf4j-log4j12-1.6.4.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/C:/Program%20Files/VMware/vCenter%20Server/VMware%20Identity%20Services/lstool/lib/slf4j-log4j12-1.7.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
IsPasswordAuthEnabled: true
IsWindowsAuthEnabled: true
IsTLSClientCertAuthnEnabled: true
IsSecurIDAuthnEnabled: false
revocationCheckEnabled: false
useOCSP: false
sendOCSPNonce: false
useCRLAsFailOver: false
OCSPResponderSigningCert: UndefinedConfig
OCSPUrl: UndefinedConfig
useCertCRL: true
CRL CacheSize: 512
CRLUrl: UndefinedConfig
trustedCA: CN=XXX ROOT
trustedCA: CN=XXX ISSUING, DC=xxx, DC=com
Any help is certainly appreciated!!