VMware Cloud Community
twilcox728
Contributor

Smart Card Authentication / SSO Errors VCSA 6.5

I'm trying to set up smart card authentication for the VCSA 6.5. I set up the reverse proxy cert store and imported all my certs. It's on the domain.

When I choose smart card authentication at the web client, I choose my cert, and it fails with:

400 An error occured while processing the authentiaciton response from the vCenter Single Sign-On server.
Details: Status: urn.oasis:names:tc:SAML:2.0:status:Responder,sub status, null.

In the SSO logs (vmware-sts-idmd.log) it shows the following:

[2017-03-08T15:36:15.527Z vsphere.local        2e988764-0f42-4480-855b-85dcbdca00ef WARN ] [ActiveDirectoryProvider] obtainDcInfo for domain [my domain] failed Native platform error [code: 9502][DNS_ERROR_BAD_PACKET][A bad packet was received from a DNS server. Potentially the requested address does not exist.]

[2017-03-08T15:36:15.528Z vsphere.local        2e988764-0f42-4480-855b-85dcbdca00ef ERROR] [IdentityManager] Failed to get attributes for principal [my CAC ID] in tenant [vsphere.local]

[2017-03-08T15:36:15.528Z vsphere.local        2e988764-0f42-4480-855b-85dcbdca00ef ERROR] [ServerUtils] Exception 'java.lang.NullPointerException'

Reverse lookup isn't configured for our domain (no exceptions), so I tried adding the DCs to the host file on the appliance, with no luck.

I also tried adding an identity source so it doesn't search the whole forest and only our DCs, but that also keeps failing.

mathiel
Enthusiast

Hello,

We have exactly the same problem/error @ VCSA 6.7.

Did you solve it?

kr Marcus
