Launching soon: The world's first vendor agnostic bug scrubLearn more & join waitlist
OPERATIONAL DEFECT DATABASE
...
...
User cannot use smartcard/token to login to vCenter server 6.7 after upgrading from 6.5/6.0 vCenter Server.When a user tries to use smartcard/token to login to vCenter server 6.7, authentication fails with error message "Unable to validate submitted credential".Log file shows similar entries as below, vsphere.local 9b8225db-0929-4435-8cc0-c1695933c35e INFO com.vmware.identity.SsoController] Server SPN is HTTP/slk55.vmw.orgvsphere.local 9b8225db-0929-4435-8cc0-c1695933c35e INFO com.vmware.identity.SsoController] Accessing Tenant vsphere.local, brand name string nullINFO com.vmware.identity.SsoController] Welcome to SP-initiated AuthnRequest handler! The client locale is en_US, tenant is vsphere.localINFO com.vmware.identity.SsoController] Request URL is https://slk55.vmw.org/websso/SAML2/SSOCAC/vsphere.localvsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authn request proxyCount= null set isProxying=falsevsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.samlservice.impl.AuthnRequestStateValidator] Authentication request validation succeededvsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Revocation check: offvsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmCertificatePathValidator] Successfully validated client certificate : CN=SLK.340194304, OU=vmw, C=USvsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 WARN com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Unexpected DER type, ignoring (org.bouncycastle.asn1.ASN1ObjectIdentifier): 1.3.6.1.4.1.311.20.2.3vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Searching user with certificate SAN.vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 WARN com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Unexpected DER type, ignoring (org.bouncycastle.asn1.ASN1ObjectIdentifier): 1.3.6.1.4.1.311.20.2.3vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.provider.PooledLdapConnectionFactory] New connection created in pool PooledLdapConnectionIdentity [tenantName=vsphere.local, username=null, authType=USE_KERBEROS, useGCPort=false, connectionString=ldap://WinAD.vmw.org]vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 INFO com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator] Validating user account altSecurityIdentities attribute.vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: SLK@VMW.org 'com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: SLK@VMW.org at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.accountValidationWithExplicitX509(IdmClientCertificateValidator.java:468) ~[vmware-identity-idm-server-7.0.0.jar:?] at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.certificateAccountMapping(IdmClientCertificateValidator.java:875) ~[vmware-identity-idm-server-7.0.0.jar:?] at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3337) ~[vmware-identity-idm-server-7.0.0.jar:?] at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9793) [vmware-identity-idm-server-7.0.0.jar:?] at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1306) [vmware-identity-idm-client-7.0.0.jar:?] at com.vmware.identity.samlservice.impl.CasIdmAccessor.authenticate(CasIdmAccessor.java:481) [websso-..... at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_151] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.13] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]vsphere.local 1ae61a36-684a-46cf-bfc9-5ab02f1f9f65 ERROR com.vmware.identity.samlservice.impl.CasIdmAccessor] Caught exception.com.vmware.identity.idm.IDMException: Unable to authenticate with the credential. Failed retrieving altSecurityIdentities attribute for linked account: SLK@VMW.org at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.accountValidationWithExplicitX509(IdmClientCertificateValidator.java:468) ~[vmware-identity-idm-server-7.0.0.jar:?] at com.vmware.identity.idm.server.clientcert.IdmClientCertificateValidator.certificateAccountMapping(IdmClientCertificateValidator.java:875) ~[vmware-identity-idm-server-7.0.0.jar:?] at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:3337) ~[vmware-identity-idm-server-7.0.0.jar:?] at com.vmware.identity.idm.server.IdentityManager.authenticate(IdentityManager.java:9793) ~[vmware-identity-idm-server-7.0.0.jar:?] at com.vmware.identity.idm.client.CasIdmClient.authenticate(CasIdmClient.java:1306) ~[vmware-identity-idm-client-7.0.0.jar:?] at com.v....
This issue is resolved in vCenter Server 6.7 Update 1, available at VMware Downloads.
To workaround this issue, remove and re-add the Identity source. For more information see Add or Edit a vCenter Single Sign-On Identity Source in VMware Document.