VMware Cloud Community
Sinecure
Contributor

Re: vCenter 6 and smart card authentication / not prompting for certificate (web client)

I am searching for the same answer. I am stuck with the error, "Make sure the smart card is inserted properly. Close your browser window then retry."


I have done the same steps as the Original Poster except that I have not replaced my SSL and user certificates with trusted ones. I therefore get untrusted certificate warnings before I log in.

I did do the following two steps in order to progress my issue slightly:

- Added my vCenter Server FQDN to the Local Internet sites and Trusted Sites (through Group Policy).

- Installed the Client Integration Plugin

I can log in with Smart Card authentication if I select "Use Windows Session Authentication." However, I have multiple certificates and do not want to use my Windows session certificate to administer the vCenter Server. The vSphere Web Client does not prompt me for certificates, so I cannot switch to my other certificate. Likewise, I do not want to log in to Windows and/or open Internet Explorer with my Administrator certificate. These are not security best business practices; and boy does my organization like their best business practices.

Smart Card certificates work fine for all other websites and applications.

14 Replies
BrianMitchellTX
Enthusiast

Within this document there is a bullet point under the prerequisites that says:

Verify that the Platform Services Controller Web interface certificate is trusted by the end user’s workstation; otherwise, the browser does not attempt the authentication.

Since you said you're getting a certificate warning I'm thinking you're hitting this caveat. Can you add the cert (or better yet, the cert's root) to your trusted root authority? That should enable your browser to trust the cert.

Sinecure
Contributor

Mr Mitchell,

Thank you very much for pointing me in this direction. I did not check those prerequisites and it appears there are a number of them I haven't completed yet. I'll implement them and see how it goes.

Sinecure
Contributor

Within this document there is a bullet point under the prerequisites that says:

Verify that the Platform Services Controller Web interface certificate is trusted by the end user’s workstation; otherwise, the browser does not attempt the authentication.

Since you said you're getting a certificate warning I'm thinking you're hitting this caveat. Can you add the cert (or better yet, the cert's root) to your trusted root authority? That should enable your browser to trust the cert.

After going through those prerequisites, it appears I did do all the prerequisites. What I didn't do was add the certificates to Tomcat using the sso-config command. After doing those steps, it worked like a charm. I still get the certificate trust window, but that will go away when I get a vCenter certificate from my real CA.

The Web Client now prompts me for a certificate; however, it still only lists certificates from my primary card reader... but that is likely a problem external to vSphere.

BRumer0
Contributor

One thing to note that's wrong in the VMware doc: it shows that when running sso-config.bat you have a space between different certificates. This is wrong; there should be no space. The format should be:

sso-config.[bat|sh] -set_tc_cert_authn -switch true -cacerts first_trusted_cert.cer,second_trusted_cert.cer -t tenant
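
A small helper to build that -cacerts list correctly for any number of chain files, added here as an example and not code from the thread or from VMware; it assumes the /opt/vmware/bin/sso-config.sh path and the vsphere.local tenant name quoted later in this thread, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from VMware): assemble the -cacerts
# argument for sso-config.sh so the chain files are joined by commas with no
# spaces, the formatting point raised above. Works for any number of files.

# Join the given file names with commas and no whitespace. A name containing
# a comma or whitespace is rejected because either would corrupt the list.
build_cacerts_arg() {
    arg=""
    for f in "$@"; do
        case "$f" in
            *[,[:space:]]*) echo "bad cert file name: $f" >&2; return 1 ;;
        esac
        if [ -z "$arg" ]; then arg="$f"; else arg="$arg,$f"; fi
    done
    printf '%s\n' "$arg"
}

# Normalise a list copied from the documentation ("a.cer, b.cer") into the
# form sso-config actually accepts ("a.cer,b.cer").
normalize_cacerts_list() {
    printf '%s' "$1" | tr -d '[:space:]'
}

# Print the full command for a tenant; the assumed binary path matches the
# one quoted later in this thread.
sso_config_cmd() {
    tenant="$1"; shift
    certs=$(build_cacerts_arg "$@") || return 1
    printf '/opt/vmware/bin/sso-config.sh -set_tc_cert_authn -switch true -cacerts %s -t %s\n' "$certs" "$tenant"
}

# Confirm every chain file is present in the STS conf directory before
# running anything, so a typo does not silently shorten the trust list.
check_cert_files() {
    dir="$1"; shift
    for f in "$@"; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done
}
```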

cyberfed2727
Enthusiast

Ok, so I am trying to get this to work. I too am at the point that the original poster was at, where my browser isn't even trying to read the smart card. Same screenshot as his.

I have a few questions because, as others mentioned, the documentation is quite sparse.

The documentation says run:

sso-config.[bat|sh] -set_authn_policy -certAuthn true -cacerts first_trusted_cert.cer, second_trusted_cert.cer -t tenant

Can someone please explain to me the sso-config.[bat|sh] portion of the command? If I put that in, the appliance doesn't recognize it.

If I do sso-config.bat ........ that doesn't work either. The only syntax that seems to work is sso-config.sh -set.....

If the command is simply sso-config.sh, why the heck does VMware put sso-config.[bat|sh]?

I'm not strong in Linux style commands so this is confusing.

Also, what if I have 3 CA certs in my chain instead of 2? Can I just add another one to the command, no problems? Also, does the order in which I place the certs in that long command matter?

Lastly, I accessed the PSC via the web console and installed all 3 CA certs in our chain. Do I ALSO need to run the sso-config.sh command?

I know I'm close but I'm flying blind here.

squebel
Contributor

cyberfed2727,

I'm asking myself the same questions you did and wondering if you found a solution that you could share.

Thanks!

cyberfed2727
Enthusiast

No, I never got it to work and my trial for the 6.0 lab ran out. I have not revisited the issue.

We are moving to a new converged hardware platform that will have 6.0 on it. At that point I will try again to get it working.

squebel
Contributor

Bummer. Ok, thanks for at least replying. I'm attempting to work through it now and might just call support if I need help. The thing that confuses me, like you, is that the GUI option is basically telling you to do it in two places?! I don't get that!

cyberfed2727
Enthusiast

I hear you. VMware's documentation is terrible most of the time.

If you get it working please share here. It'll help me and others in the future.

Cheers mate.

squebel
Contributor

Got it working and it wasn't that bad. I'm not honestly sure if I did it 100% correct, but it does appear to be working.

I got a total of 6 certs from my AD/PKI people and used that crazy command line to add them all in. Why we're doing that, I don't know because the docs don't explain that well. I also added those same 6 certs in via the PSC gui. Again, why we do it here also, I do not know. But with those certs in place, in both locations, the webclient will prompt for my PIV cert, ask for my PIN, and then auth me in.

cyberfed2727
Enthusiast

Awesome, can you share the syntax you used for the command line?

squebel
Contributor

I put all the certs in /usr/lib/vmware-sso/vmware-sts/conf as the doc states, using WinSCP. Then I navigated to that directory and ran:

"/opt/vmware/bin/sso-config.sh -set_tc_cert_authn -switch true -cacerts certname1.cer,certname2,certname3 -t vsphere.local"

cyberfed2727
Enthusiast

Awesome, much appreciated!

zactime78
Contributor

We have vCenter 6.5 with the same problem. The error "Make sure the smart card is inserted properly" appears in IE, Chrome, and Firefox. The 6.0 documentation shows the command sso-config.[bat|sh] -set_tc_cert_authn. The 6.5 documentation does not show the "-set_tc_authn" switch. Is it no longer needed for 6.5 implementations?

Also, what does the word "tenant" mean in the sso-config command? Some of us are wondering if this refers strictly to a "VMware" object or to the Active Directory object we are using as an Identity Source.
