VMware Cloud Community
mikepodoherty

Smart Card login to VirtualCenter

Folks,

I just want to make sure that my understanding of the process is correct.

VirtualCenter server configured to use AD authentication and AD account added to virtual center.

AD set to use smart card (PKI) authentication.

No additional configuration required for VirtualCenter client - smart card login passed to AD for authentication.

Is it really that simple or have I missed something in the documentation?

thanks.

Mike

Jasemccarty

If you log into a system in the same domain as VirtualCenter, and use the client with the -passthroughAuth -s vchostname added to the end of the shortcut, it will pass your currently logged on credentials to the VirtualCenter server. This is true for VirtualCenter (and VI Client 2.5 and above).

In this case, you would not need the VI Client to natively support Smart Card authentication.

Here's a good article regarding this:

Jase McCarty

http://www.jasemccarty.com

Co-Author of VMware ESX Essentials in the Virtual Data Center

(ISBN:1420070274) from Auerbach

Jase McCarty - @jasemccarty
mikepodoherty

Thanks for the helpful information.

I'm not really looking to pass through the credentials of the currently logged in user. I'm looking at requiring each administrative account to have its own smart card. The process would be the user uses his/her normal account to log onto network. But if the user needs to perform administrative work within VirtualCenter, then the user would use a second smart card reader and a special smart card tied to their administrator to log on using the VC client software.

Hope this clarifies the question.

Mike

mikepodoherty

Update - tested using smart card tied to admin account while logged into network on normal account. Opened VirtualCenter client and was asked for login name - no option to select smart card.

Note - this is VirtualCenter 2.0.1, we are in the process of upgrading to VC 2.5 and will test again once the upgrade is complete.

Mike

gary1012

Yup, VC 2.5 is the first version that offers smart card authentication. My company uses smart card as a secondary login for administrators. The way I get it to work is use the -passthroughAuth option mentioned above but then invoke the runas option by right-clicking on the shortcut. Once the runas dialog box opens, change the user to the smart card credentials. This has worked for me without issue for the past few months. Hope this helps...

Community Supported, Community Rewarded - Please consider marking questions answered and awarding points to the correct post. It helps us all.
MarkBK

After you are logged into VC with the passthrough option, is there any way to log onto the console of a VM using the Smart Card?

Jasemccarty

There's another thread talking about this right now. VC to VM Console SSO/Authentication.

http://communities.vmware.com/message/1090180

Think of the VM Console the same as attaching a KVM (Keyboard, Video, Mouse) to a VM, in the same fashion as you would on a physical box.

The VM Console is behaving much the same way. You'd have to modify "KVMness" of the VM Console to plug in to the guest, using some type of app/service that ties into the logon process of the guest.

Keep in mind, if you do find success doing this, you'll need to limit your guest's number of active terminals to 1, otherwise more than 1 user can be attached to the console at a single time.

Add this line to your .vmx file, and it will limit it to 1 console session:

RemoteDisplay.maxConnections = "1"

Cheers,

Jase

Jase McCarty

http://www.jasemccarty.com

Co-Author of VMware ESX Essentials in the Virtual Data Center

(ISBN:1420070274) from Auerbach

Jase McCarty - @jasemccarty
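
An added example, not part of the original post or of any VMware tooling: a small audit that checks .vmx contents for the single-console-session setting described above. The sample file contents, the status labels and the function names are constructed for illustration, and treating key names as case-insensitive is an assumption.

```python
import re

# Constructed sample .vmx contents (illustrative, not taken from the thread).
SAMPLE_VMX = {
    "locked.vmx": 'displayName = "locked"\nRemoteDisplay.maxConnections = "1"\n',
    "unset.vmx": 'displayName = "unset"\nmemsize = "2048"\n',
    "shared.vmx": '# lab VM\nremotedisplay.maxconnections = "4"\n',
    "dup.vmx": 'RemoteDisplay.maxConnections = "1"\n'
               'RemoteDisplay.maxConnections = "-1"\n',
}

# key = "value" lines; '#' comment lines and blank lines do not match.
LINE_RE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"?(.*?)"?\s*$')
KEY = "remotedisplay.maxconnections"  # compared lowercased (assumption)


def parse_vmx(text):
    """Return {lowercased key: [values in file order]} for one .vmx file."""
    entries = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            entries.setdefault(match.group(1).lower(), []).append(match.group(2))
    return entries


def audit_console_limit(text):
    """Classify one .vmx file by its console session limit."""
    values = parse_vmx(text).get(KEY, [])
    if not values:
        return "MISSING"      # setting absent, console not limited by this key
    if len(values) > 1:
        return "AMBIGUOUS"    # duplicate keys, effective value is unclear
    return "OK" if values[0].strip() == "1" else "NOT_ONE"


def audit_all(files):
    """Map each file name to its audit status."""
    return {name: audit_console_limit(text) for name, text in files.items()}


if __name__ == "__main__":
    for name, status in sorted(audit_all(SAMPLE_VMX).items()):
        print(f"{status:10} {name}")
```

Files reported as anything other than OK are the ones where more than one user could still attach to the console at the same time.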