I don't have an answer to your question, but I wonder why you think that disabling passthrough authentication would increase security? In fact it would decrease security. When using passthrough authentication there is no need to send username and password over the network again, since it uses an already existing security token.
If you really want to increase security then you should think about enforcing Kerberos authentication on the vCenter server (this would help regardless of whether you use passthrough or not). There is an old KB article (http://kb.vmware.com/kb/1006611) about how to do this in vCenter 2.5, but I'm not sure if this still applies to newer vCenter server versions.
- The client does not want that option to be present as its audit policy wants it, so can't help that.
- I would want to know if there is an option by which we can tweak the registry settings or the domain policies so that the SSPI authentication used could be stopped.
I found a workaround for this issue.
This was a requirement for a bank, as they required a manual login to all applications on the desktop for security.
However, we used an SSPI disable XML tag in the vpxd file, due to which, once you try to log in to vCenter using the Windows session credentials, it will throw a generic error.
However, this is not officially supported by VMware.
Can you illustrate how this can be done?