I am trying to set up smart card authentication for ESXi 6.5 DCUI access. I have a Windows PKI infrastructure set up and a smart card provisioned; I can use the smart card to log in to a Windows desktop and RDP sessions. The ESXi host is joined to AD, smart card authentication is enabled, and the Windows CA root certificate is imported into the ESXi host smart card settings. However, DCUI login has not changed a bit: it does not require a smart card, and I can log in using a plain AD account just as before.
My smart card reader is a Gemalto IDBridge CT40, locally connected to the ESXi host. The smart card is a Gemalto IDPrime 840.
Has anyone got this working?
Update: I got smart card authentication working for SSO, so I can log in to the vSphere Web Client using card and PIN. Now I just need to get this working for the ESXi host as well.
Is lockdown mode enabled on your hosts? See: Using Smart Card Authentication in Lockdown Mode
No, it is not.
I guess the reason you couldn't use your smart card to log in to the DCUI is that there's no middleware installed on ESXi for your smart card. As far as I know, it only works for DoD and Java cards.
--Lance
Sorry, not Java card. Only SafeNet and DoD are supported.
My issue is not about the card type (yet), as it seems that ESXi does not support my smart card reader.
I had to disable the native USB driver to make ESXi see USB devices at all.
# esxcli system module set -m=vmkusb -e=FALSE
After this the USB reader was detected by the VMkernel, but pcscd does not claim my reader; the USB device remains available for passthrough.
2017-05-14T10:29:37.746Z cpu2:65945)<6>usb 2-2: new full speed USB device number 7 using xhci_hcd
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: New USB device found, idVendor=08e6, idProduct=3437
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: Product: USB SmartCard Reader
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: Manufacturer: Gemalto
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: SerialNumber: 67EF18E2
2017-05-14T10:29:37.896Z cpu2:65945)<6>usb 2-2: usbfs: registered usb0207
2017-05-14T10:29:38.900Z cpu1:67166)<6>usb 2-2: device is available for passthrough
Running pcscd in the foreground with "pcscd -f -d -a" does not produce any log messages when the reader or card is connected. The card reader product ID 3437 is listed in /lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist. However, pcscd seems to be very old (1.8.5, from 2012), so it might have some issues.
I also tested this on CentOS Linux 7.3, which has pcscd 1.8.8, and there pcscd recognizes my reader and card.
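As an added illustration (not code from this thread, VMware or the pcsc-lite project), the following Python script automates the check described in the post above: it parses the vmkernel.log USB enumeration lines for each device's idVendor/idProduct, looks the pair up in the CCID driver's Info.plist, and reports whether the device was left "available for passthrough", the symptom the post associates with pcscd not claiming the reader. The log text is the excerpt quoted above; the plist content is a constructed stand-in that uses the real CCID bundle key names (ifdVendorID, ifdProductID, ifdFriendlyName) with one constructed second entry. On a host you would read /lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist and /var/log/vmkernel.log instead.

```python
import plistlib
import re
from typing import Dict, List, Tuple

# vmkernel.log excerpt quoted in the post above (ESXi 6.5, Gemalto IDBridge CT40).
VMKERNEL_LOG = """\
2017-05-14T10:29:37.746Z cpu2:65945)<6>usb 2-2: new full speed USB device number 7 using xhci_hcd
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: New USB device found, idVendor=08e6, idProduct=3437
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: Product: USB SmartCard Reader
2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: Manufacturer: Gemalto
2017-05-14T10:29:38.900Z cpu1:67166)<6>usb 2-2: device is available for passthrough
"""

# Constructed stand-in for /lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist.
# Real CCID bundles store parallel arrays ifdVendorID / ifdProductID / ifdFriendlyName;
# the second entry here (0x1234:0x5678) is a made-up sample value.
CCID_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ifdVendorID</key>
  <array><string>0x08E6</string><string>0x1234</string></array>
  <key>ifdProductID</key>
  <array><string>0x3437</string><string>0x5678</string></array>
  <key>ifdFriendlyName</key>
  <array><string>Gemalto IDBridge CT40</string><string>Constructed reader B</string></array>
</dict>
</plist>
"""

USB_FOUND_RE = re.compile(
    r"usb (?P<port>\S+): New USB device found, idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
PASSTHROUGH_RE = re.compile(r"usb (?P<port>\S+): device is available for passthrough")


def parse_usb_devices(log_text: str) -> Dict[str, dict]:
    """Map USB port (e.g. '2-2') to vid/pid and whether the kernel left it for passthrough."""
    devices: Dict[str, dict] = {}
    for line in log_text.splitlines():
        found = USB_FOUND_RE.search(line)
        if found:
            devices[found.group("port")] = {
                "vid": int(found.group("vid"), 16),
                "pid": int(found.group("pid"), 16),
                "passthrough": False,
            }
            continue
        pt = PASSTHROUGH_RE.search(line)
        if pt and pt.group("port") in devices:
            devices[pt.group("port")]["passthrough"] = True
    return devices


def load_ccid_readers(plist_bytes: bytes) -> Dict[Tuple[int, int], str]:
    """Return {(vid, pid): friendly name} from a CCID driver Info.plist."""
    info = plistlib.loads(plist_bytes)
    return {
        (int(vid, 16), int(pid, 16)): name
        for vid, pid, name in zip(info["ifdVendorID"], info["ifdProductID"], info["ifdFriendlyName"])
    }


def diagnose(log_text: str, plist_bytes: bytes) -> List[Tuple[str, str, str, str]]:
    """For each enumerated USB device: (port, 'vid:pid', CCID name or '', verdict)."""
    readers = load_ccid_readers(plist_bytes)
    results = []
    for port, dev in sorted(parse_usb_devices(log_text).items()):
        name = readers.get((dev["vid"], dev["pid"]))
        if name is None:
            verdict = "not in CCID driver list: this libccid build does not know the reader"
        elif dev["passthrough"]:
            verdict = "in CCID driver list but left available for passthrough: pcscd has not claimed it"
        else:
            verdict = "in CCID driver list and not offered for passthrough"
        results.append((port, f"{dev['vid']:04x}:{dev['pid']:04x}", name or "", verdict))
    return results


if __name__ == "__main__":
    for port, ids, name, verdict in diagnose(VMKERNEL_LOG, CCID_INFO_PLIST):
        print(f"usb {port} {ids} {name!r}: {verdict}")
```

Running it against the quoted log prints that usb 2-2 (08e6:3437, Gemalto IDBridge CT40) is in the driver list but was left available for passthrough, which separates "reader unknown to libccid" from "reader known but not claimed", the distinction the thread is trying to make.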
Thanks for reporting the issue.
I've tried both SC650 and Omnikey readers but did not see any issues. We've ordered a Gemalto card reader for testing. If it does not work with the version of pcsclite in ESXi, I will update it.
Thanks,
Lance