VMware Cloud Community
thakala
Hot Shot

DCUI Smart Card authentication not working

I am trying to set up smart card authentication for ESXi 6.5 DCUI access. I have Windows PKI infrastructure set up and a smart card provisioned; I can use the smart card to log in to the Windows desktop and RDP sessions. The ESXi host is joined to AD, smart card authentication is enabled, and the Windows CA Root Certificate is imported into the ESXi host smart card settings. However, the DCUI login has not changed a bit: it does not require a smart card, and I can log in using a plain AD account just as before.

My smart card reader is Gemalto IDBridge CT40 and it is locally connected to ESXi host. Smart Card is Gemalto IDPrime 840.

Has anyone got this working?

Update: I got smart card authentication working for SSO, so I can log in to the vSphere Web Client using card and PIN. Now I just need to get this working for the ESXi host as well.

Tomi http://v-reality.info
6 Replies
rcporto
Leadership

Is lockdown mode enabled on your hosts? See: Using Smart Card Authentication in Lockdown Mode

---

Richardson Porto
Senior Infrastructure Specialist
LinkedIn: http://linkedin.com/in/richardsonporto
thakala
Hot Shot

No, it is not.

Tomi http://v-reality.info
lancechou
Enthusiast

I guess the reason you couldn't use your smart card to log in to the DCUI is that there's no middleware installed on ESXi for your smart card. As far as I know, it only works for DoD and Java cards.

--Lance

lancechou
Enthusiast

Sorry, not Java cards. Only SafeNet and DoD are supported.

thakala
Hot Shot

My issue is not about the card type (yet), as it seems that ESXi does not support my smart card reader.

I had to disable native USB driver to make ESXi see USB devices at all.

# esxcli system module set -m=vmkusb -e=FALSE

After this the USB reader was detected by the VMkernel, but pcscd does not claim my reader; the USB device remains available for passthrough.

2017-05-14T10:29:37.746Z cpu2:65945)<6>usb 2-2: new full speed USB device number 7 using xhci_hcd
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: New USB device found, idVendor=08e6, idProduct=3437
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: Product: USB SmartCard Reader
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: Manufacturer: Gemalto
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: SerialNumber: 67EF18E2
2017-05-14T10:29:37.896Z cpu2:65945)<6>usb 2-2: usbfs: registered usb0207
2017-05-14T10:29:38.900Z cpu1:67166)<6>usb 2-2: device is available for passthrough

Running pcscd in the foreground with "pcscd -f -d -a" does not result in any log messages when the reader or card is connected. The card reader product id 3437 is listed in /lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist. However, pcscd seems to be very old, 1.8.5 which is from 2012, so it might have some issues.

I also tested this on CentOS Linux 7.3, which has pcscd 1.8.8, and there pcscd recognizes my reader and card.

Tomi http://v-reality.info
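The check Tomi did by hand above (is the reader's product id listed in the CCID driver's Info.plist?), as an added shell example that is not part of the thread. It takes the idVendor/idProduct pair straight from VMkernel-style log lines and pairs the plist's parallel ifdVendorID/ifdProductID arrays by index instead of searching for the product id alone, since USB product ids are only unique within a vendor. The log excerpt and the plist below are constructed sample data (the second reader, ffff:0001, is a placeholder); on a real host point the functions at /var/log/vmkernel.log and /lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist, using only sed and awk so it also runs in the ESXi busybox shell.

```shell
#!/bin/sh
# Added example, not code from the thread or from VMware. Checks whether each
# USB reader the VMkernel logged is covered by the bundled CCID driver plist.
# Sample log and plist below are constructed for offline use.

# Print one "vendor product" pair (lowercase hex) per "New USB device found" line.
reader_ids_from_log() {
    sed -n 's/.*idVendor=\([0-9a-fA-F]*\), idProduct=\([0-9a-fA-F]*\).*/\1 \2/p' "$1" |
        tr 'A-F' 'a-f'
}

# Print "vendor product friendlyname" per plist entry. ifdVendorID, ifdProductID
# and ifdFriendlyName are parallel arrays, so entry i of each belongs together.
ccid_supported_pairs() {
    awk '
        /<key>ifdVendorID<\/key>/     { mode = "v"; next }
        /<key>ifdProductID<\/key>/    { mode = "p"; next }
        /<key>ifdFriendlyName<\/key>/ { mode = "n"; next }
        /<key>/                       { mode = "" }
        mode != "" && match($0, /<string>[^<]*<\/string>/) {
            s = substr($0, RSTART + 8, RLENGTH - 17)          # text between the tags
            if (mode == "v")      vend[nv++] = tolower(substr(s, 3))   # drop "0x"
            else if (mode == "p") prod[np++] = tolower(substr(s, 3))
            else                  name[nn++] = s
        }
        END { for (i = 0; i < nv; i++) print vend[i], prod[i], name[i] }
    ' "$1"
}

# Exit 0 if the vendor/product pair is listed in the plist, 1 otherwise.
reader_supported() {
    v=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    p=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    ccid_supported_pairs "$1" |
        awk -v v="$v" -v p="$p" '$1 == v && $2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# One verdict line per distinct reader seen in the log.
check_readers() {
    reader_ids_from_log "$1" | sort -u | while read -r v p; do
        if reader_supported "$2" "$v" "$p"; then
            echo "usb $v:$p is in the CCID list; driver coverage is not the problem"
        else
            echo "usb $v:$p not in CCID list; the bundled ifd-ccid driver will not match it"
        fi
    done
}

# Constructed sample data (the ffff:0001 reader is a placeholder, not a real device).
LOG=$(mktemp)
PLIST=$(mktemp)
trap 'rm -f "$LOG" "$PLIST"' EXIT
cat > "$LOG" <<'EOF'
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: New USB device found, idVendor=08e6, idProduct=3437
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: Product: USB SmartCard Reader
2017-05-14T10:31:05.002Z cpu1:65945)<6>usb 1-1: New USB device found, idVendor=ffff, idProduct=0001
EOF
cat > "$PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>ifdVendorID</key>
	<array>
		<string>0x08E6</string>
		<string>0x076B</string>
	</array>
	<key>ifdProductID</key>
	<array>
		<string>0x3437</string>
		<string>0x3021</string>
	</array>
	<key>ifdFriendlyName</key>
	<array>
		<string>Gemalto USB SmartCard Reader</string>
		<string>OmniKey CardMan 3021</string>
	</array>
</dict>
</plist>
EOF

check_readers "$LOG" "$PLIST"
```

A hit in the plist is necessary but not sufficient: the driver only ever sees devices that pcscd is handed through usbfs, and the log above shows the VMkernel leaving the reader "available for passthrough" even though 08e6:3437 is listed, so a positive result here narrows the fault to the USB hand-off or to the pcscd build rather than to driver coverage.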
lancechou
Enthusiast

Thanks for reporting the issue.

I've tried both SC650 and Omnikey readers but did not see any issues. We've ordered a Gemalto card reader for testing. If it does not work with the version of pcsc-lite in ESXi, I will update it.

Thanks,

Lance
