...
Users cannot log in to vCenter Server 6.7 with a smart card or token after upgrading from vCenter Server 6.0 or 6.5. When a user tries to log in to vCenter Server 6.7 with a smart card or token, authentication fails with the error message "Unable to validate submitted credential".

The log file shows entries similar to the following:

vsphere.local 9b8225db-0929-4435-8cc0-c1695933c35e INFO com.vmware.identity.SsoController] Server SPN is HTTP/slk55.vmw.org
vsphere.local 9b8225db-0929-4435-8cc0-c1695933c35e INFO com.vmware.identity.SsoController] Accessing Tenant vsphere.local, brand name string null
INFO com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_US, tenant is vsphere.local
INFO com.vmware.identity.SsoController] Request URL is https://slk55.vmw.org/websso/SAML2/SSOCAC/vsphere.local
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=false
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeeded
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Revocation check: off
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Successfully validated client certificate : CN=SLK.340194304, OU=vmw, C=US
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 WARN com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Unexpected DER type, ignoring (org.bouncycastle.asn1.ASN1ObjectIdentifier): 1.3.6.1.4.1.311.20.2.3
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Searching user with certificate SAN.
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 WARN com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Unexpected DER type, ignoring (org.bouncycastle.asn1.ASN1ObjectIdentifier): 1.3.6.1.4.1.311.20.2.3
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.provider.PooledLdapConnectionFactory] New connection created in pool PooledLdapConnectionIdentity [tenantName=vsphere.local, username=null, authType=USE_KERBEROS, useGCPort=false, connectionString=ldap://WinAD.vmw.org]
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Validating user account altSecurityIdentities attribute.
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: SLK@VMW.org '
com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: SLK@VMW.org
    at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.accountValidationWithExplicitX509(IdmClientCertificateValidator.java:468) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.certificateAccountMapping(IdmClientCertificateValidator.java:875) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3337) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9793) [vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1306) [vmware-identity-idm-client-7.0.0.jar:?]
    at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticate(CasIdmAccessor.java:481) [websso-.....
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_151]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.13]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception.
com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: SLK@VMW.org
    at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.accountValidationWithExplicitX509(IdmClientCertificateValidator.java:468) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.certificateAccountMapping(IdmClientCertificateValidator.java:875) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3337) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9793) ~[vmware-identity-idm-server-7.0.0.jar:?]
    at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1306) ~[vmware-identity-idm-client-7.0.0.jar:?]
    at com.v....

In this sequence the client certificate itself validates (with revocation checking off), the validator twice reports ignoring the SAN entry with OID 1.3.6.1.4.1.311.20.2.3 (the Microsoft UPN otherName carried in smart card certificates), it opens a Kerberos-authenticated LDAP connection to the Active Directory identity source at ldap://WinAD.vmw.org, and it then fails while retrieving the altSecurityIdentities attribute of the linked account SLK@VMW.org. The same IDMException is logged twice, once by ServerUtils and once by CasIdmAccessor, for a single request ID (1ae61a36-684a-46cf-bfc9-5ab02f1f9f65).
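The following Python script is an added example for triaging this failure; it is not part of this article and not VMware code. It correlates SSO log entries by request ID and flags requests that validated a client certificate but then failed the altSecurityIdentities lookup, so that a log with many logins can be reduced to the affected request IDs, certificate subjects and linked accounts. The sample lines are constructed from the entries quoted above (same request ID, host, logger names and messages); the second request ID (0f0f0f0f-...) is an invented success case for contrast. No log file path is assumed; pass the script the text of the log.

```python
import re
from collections import defaultdict

# OID the validator reports ignoring: the Microsoft UPN otherName
# (szOID_NT_PRINCIPAL_NAME) carried in smart card certificate SANs.
UPN_OTHERNAME_OID = "1.3.6.1.4.1.311.20.2.3"

# One log entry: optional "<tenant> <request-id>", level, logger closed by ']', message.
# Stack-trace frames and exception text lack the level/logger prefix and do not match.
LINE_RE = re.compile(
    r"^(?:(?P<tenant>\S+)\s+(?P<reqid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s+)?"
    r"(?P<level>INFO|WARN|ERROR)\s+(?P<logger>[A-Za-z0-9_.$]+)\]\s+(?P<msg>.*)$"
)
# Messages that carry the facts worth keeping per request.
REVOCATION_RE = re.compile(r"Revocation check: (?P<state>\w+)")
CERT_OK_RE = re.compile(r"Successfully validated client certificate : (?P<subject>.+?)\s*$")
IGNORED_OID_RE = re.compile(r"Unexpected DER type, ignoring \([^)]*\): (?P<oid>[\d.]+)")
LDAP_RE = re.compile(r"connectionString=(?P<url>[^\]\s]+)")
ALTSECID_FAIL_RE = re.compile(
    r"Failed retrieving altSecurityIdentities attribute for linked account:\s*(?P<account>\S+)"
)

# Constructed sample: the failing request quoted in the article, plus an invented
# request (0f0f0f0f-...) that reaches the same step without an error.
SAMPLE_LOG = """\
INFO com.vmware.identity.SsoController] Request URL is https://slk55.vmw.org/websso/SAML2/SSOCAC/vsphere.local
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Revocation check: off
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Successfully validated client certificate : CN=SLK.340194304, OU=vmw, C=US
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 WARN com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Unexpected DER type, ignoring (org.bouncycastle.asn1.ASN1ObjectIdentifier): 1.3.6.1.4.1.311.20.2.3
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Searching user with certificate SAN.
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 WARN com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Unexpected DER type, ignoring (org.bouncycastle.asn1.ASN1ObjectIdentifier): 1.3.6.1.4.1.311.20.2.3
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.provider.PooledLdapConnectionFactory] New connection created in pool PooledLdapConnectionIdentity [tenantName=vsphere.local, username=null, authType=USE_KERBEROS, useGCPort=false, connectionString=ldap://WinAD.vmw.org]
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Validating user account altSecurityIdentities attribute.
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: SLK@VMW.org '
com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: SLK@VMW.org
    at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.accountValidationWithExplicitX509(IdmClientCertificateValidator.java:468) ~[vmware-identity-idm-server-7.0.0.jar:?]
vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception.
vsphere.local 0f0f0f0f-1111-2222-3333-444444444444 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Successfully validated client certificate : CN=OK.1, OU=vmw, C=US
vsphere.local 0f0f0f0f-1111-2222-3333-444444444444 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Validating user account altSecurityIdentities attribute.
"""


def parse_line(line):
    """Split one entry into its fields; None for stack-trace and other continuation lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _new_request():
    return {"revocation_check": None, "cert_subject": None, "ignored_oids": [],
            "upn_san_ignored": False, "ldap": None, "linked_account": None,
            "altsecid_lookup_failed": False, "errors": 0}


def triage(log_text):
    """Group entries by SSO request ID and record how far each request got."""
    requests = defaultdict(_new_request)
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry["reqid"] is None:
            continue  # continuation line, or an entry with nothing to correlate on
        req, msg = requests[entry["reqid"]], entry["msg"]
        if entry["level"] == "ERROR":
            req["errors"] += 1
        if m := REVOCATION_RE.search(msg):
            req["revocation_check"] = m["state"]
        elif m := CERT_OK_RE.search(msg):
            req["cert_subject"] = m["subject"]
        elif m := IGNORED_OID_RE.search(msg):
            req["ignored_oids"].append(m["oid"])
            req["upn_san_ignored"] |= m["oid"] == UPN_OTHERNAME_OID
        elif m := LDAP_RE.search(msg):
            req["ldap"] = m["url"]
        elif m := ALTSECID_FAIL_RE.search(msg):
            req["linked_account"] = m["account"]
            req["altsecid_lookup_failed"] = True
    return dict(requests)


def failed_requests(summary):
    """Request IDs whose certificate validated but whose altSecurityIdentities lookup failed."""
    return sorted(rid for rid, r in summary.items()
                  if r["cert_subject"] and r["altsecid_lookup_failed"])


def report(summary):
    """One human-readable triage line per failed request."""
    return [f"{rid}: cert {summary[rid]['cert_subject']!r} validated "
            f"(revocation check {summary[rid]['revocation_check']}), "
            f"UPN SAN ignored={summary[rid]['upn_san_ignored']}, linked account "
            f"{summary[rid]['linked_account']} via {summary[rid]['ldap']}: "
            f"altSecurityIdentities lookup failed"
            for rid in failed_requests(summary)]


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))) or "no altSecurityIdentities failures")
```

Entries without a request ID (the SsoController lines) are parsed but skipped during correlation, and stack-trace lines never match, so the duplicated exception text does not inflate the per-request counts; the request from the article is reported with two ERROR entries, which matches the log above.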
This issue is resolved in vCenter Server 6.7 Update 1, available at VMware Downloads.
To work around this issue, remove and re-add the identity source. Record the existing identity source's settings first (in the log above it is an Active Directory source reached over Kerberos at ldap://WinAD.vmw.org) so that it can be re-created identically. For more information, see Add or Edit a vCenter Single Sign-On Identity Source in the VMware documentation.