VMware Cloud Community
MatthewFB
Enthusiast

vCenter Console - pass through smartcard for console login via browser....

Hello everyone,

Sadly it seems past threads on this lead to dead threads so I was unable to find a definitive answer, one from 2008 which then references one that is invalid
https://communities.vmware.com/t5/vCenter-Server-Discussions/Smart-Card-login-to-VirtualCenter/m-p/2...


I wished to ask, is it possible for an end user on their device (laptop / desktop) who logs into vCenter already using their SmartCard (Yubikey to be exact), then be able to use that same YubiKey to log into a VM, via a console connection via the browser?

This one guide I found does not have a USB icon as it suggests. And this would also not be a shared smartcard, but a user's individual one.
https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.vm_admin.doc/GUID-4318B74A-7142-496...

My searching is coming up blank with any solid yes or no answer thus far so perhaps someone here can help me out?


Accepted Solutions
Lalegre
Virtuoso

Hey @MatthewFB,

Never worked with Smartcards before but I've worked with some USB passthrough devices. Of course this will depend on how Yubikey works (which is very specific and I am not familiar with).

I just checked on the internet that this Yubikey is a smart card key which is connected to the client computer. First of all, it is important to differentiate that the Smart Card as a 2FA for vCenter is different than logging into the VMRC console. However, you can use it for both.

For the vCenter 2FA setup you need to follow the steps in the next section: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.psc.doc/GUID-08DF3B90-85C6-4CBB-B87C-CEF380...

Once you accomplish that setup, you need to follow the steps for doing the passthrough of the USB key to the virtual machines you are trying to connect to, which is pretty straightforward as the VMs have a USB Controller by default. Check in the next page if the USB controller the VM has is compatible with the USB version of the key: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.vm_admin.doc/GUID-EC20F765-4C1A-4D0...

After doing that, just follow the steps that appear in the next section: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.vm_admin.doc/GUID-879E3BDF-460A-454...

NOTE: take into account that this does not work from user; you need the VMRC application to be downloaded for it to work (this answers the question you asked in the second paragraph). Maybe the users are not allowed to have the VMRC application, but maybe this is something you would like to review.


2 Replies

MatthewFB
Enthusiast

Thank you for the reply. If the Remote Console app has to be installed, that is at least a possible option.

Would be nice if they could allow the browsers to tie into doing this, as we use YubiKey across several sites, like vCenter