jsb197
Contributor

VCSA 6.7 Unable to validate submitted credential

Recently installed a fresh VCSA 6.7 and cannot get SmartCard authentication to work at all anymore, following the exact process used to get a 6.5 VCSA working a few weeks ago.

Any attempts get "Unable to validate submitted credential"

Actual domain xx.yy.mil

All users are in xx.yy.mil with UPNs of the format ###########@mil, and this UPN is listed in the certificate's Subject Alt Name field

websso.log shows:

"WARN ----- obtainDcInfo for domain [mil] failed Native platform error [code: 2453][NERR_DCNotFound]"

-Not sure why it's looking in the .mil domain vs the actual xx.yy.mil domain for the users. This seems to be the root of the problem.

"Failed to find active user with error [Failed to find Principal attribute value 100000000001@mil]"

--This error makes sense after the first WARN error.

"ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Failed in account linking using certificate SAN:  100000000001@mil"

--Again, makes sense given the domain lookup isn't looking for the right domain.

========================

-All SSL certs are valid for the VCSA 6.7 and are CA signed, from the same source as the working 6.5 VCSA with smart card operational. Only the VCSA machine SSL cert was replaced.

-VCSA 6.7 was added to the domain, rebooted, verified on the domain (Win2012R2), AD identity source added, AD username/pw logins work, and admin users granted membership in sso groups and given global admin permissions to vcenter.

-reverse HTTP proxy config set, with same certs/file that the 6.5 VCSA used successfully.


Additional tasks undertaken:

-Removed from domain, re-added to domain - username/pw from the domain work just fine -- no changes

-Removed AD identity source and from domain, re-added to domain, re-added identity source

Any pointers or suggestions on what to do next would be appreciated.
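An added triage helper, not from the original thread or from VMware, that scans websso.log text for the two patterns quoted above and reports whether the UPN suffix the SSO server tried to resolve is the joined domain itself, a parent suffix of it (an alternative UPN suffix rather than a DNS domain), or unrelated. The embedded log lines are a constructed sample copied from the post, and `joined_domain` is an assumption you supply.

```python
import re

# Constructed sample: the three websso.log lines quoted in the post, not a live capture.
SAMPLE_WEBSSO_LOG = """\
WARN ----- obtainDcInfo for domain [mil] failed Native platform error [code: 2453][NERR_DCNotFound]
Failed to find active user with error [Failed to find Principal attribute value 100000000001@mil]
ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMException: Failed in account linking using certificate SAN:  100000000001@mil
"""

# Domain the SSO server failed to locate a DC for.
DC_NOT_FOUND = re.compile(
    r"obtainDcInfo for domain \[(?P<domain>[^\]]+)\] failed .*NERR_DCNotFound")
# UPN taken from the certificate SAN that account linking could not map to an AD user.
SAN_LINK_FAIL = re.compile(
    r"account linking using certificate SAN:\s+(?P<upn>\S+@(?P<suffix>\S+))")


def triage_websso(log_text, joined_domain):
    """Correlate DC-lookup failures with the UPN suffixes in failed SAN account linking.

    joined_domain is the AD domain the VCSA is actually joined to (e.g. xx.yy.mil).
    """
    joined = joined_domain.lower()
    failed_domains = set()
    upns = []
    for line in log_text.splitlines():
        m = DC_NOT_FOUND.search(line)
        if m:
            failed_domains.add(m.group("domain").lower())
        m = SAN_LINK_FAIL.search(line)
        if m:
            upns.append((m.group("upn"), m.group("suffix").lower()))

    findings = []
    for upn, suffix in upns:
        if suffix == joined:
            kind = "suffix matches joined domain"
        elif joined.endswith("." + suffix):
            kind = "suffix is a parent of the joined domain (alternative UPN suffix, not a DNS domain)"
        else:
            kind = "suffix unrelated to joined domain"
        findings.append({"upn": upn, "suffix": suffix,
                         "dc_lookup_failed": suffix in failed_domains, "kind": kind})
    return {"joined_domain": joined,
            "dc_lookup_failed_for": sorted(failed_domains),
            "findings": findings}
```

Run it over a real websso.log with the domain the appliance is joined to; a finding tagged as a parent suffix with `dc_lookup_failed` set means the server treated the UPN suffix as a DNS domain to locate a DC in, which is exactly the symptom in the post.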