ESXi

  • 1.  DCUI Smart Card authentication not working

    Posted Apr 29, 2017 09:45 AM

    I am trying to set up smart card authentication for ESXi 6.5 DCUI access. I have Windows PKI infrastructure set up and a smart card provisioned, and I can use the smart card to log in to Windows desktop and RDP sessions. The ESXi host is joined to AD, smart card authentication is enabled and the Windows CA Root Certificate is imported into the ESXi host smart card settings. However, DCUI login has not changed a bit: it does not require a smart card, and I can log in using a plain AD account just as before.

    My smart card reader is Gemalto IDBridge CT40 and it is locally connected to ESXi host. Smart Card is Gemalto IDPrime 840.

    Has anyone got this working?

    Update: I got smart card authentication working for SSO, so I can log in to vSphere Web Client using card and PIN. Now I just need to get this working for the ESXi host as well.



  • 2.  RE: DCUI Smart Card authentication not working

    Posted May 02, 2017 04:18 PM

    Is lockdown mode enabled on your hosts? See: Using Smart Card Authentication in Lockdown Mode



  • 3.  RE: DCUI Smart Card authentication not working

    Posted May 03, 2017 04:37 AM

    No, it is not.



  • 4.  RE: DCUI Smart Card authentication not working

    Posted May 11, 2017 11:44 PM

    I guess the reason you couldn't use your smart card to log in to DCUI is because there's no middleware installed on ESXi for your smart card. As far as I know, it only works for DoD and Java card.

    --Lance



  • 5.  RE: DCUI Smart Card authentication not working

    Posted May 12, 2017 10:38 PM

    Sorry, not Java card. Only SafeNet and DoD are supported.



  • 6.  RE: DCUI Smart Card authentication not working

    Posted May 14, 2017 03:28 PM

    My issue is not about card type (yet) as it seems that ESXi does not support my smart card reader.

    I had to disable the native USB driver to make ESXi see USB devices at all.

    # esxcli system module set -m=vmkusb -e=FALSE

    After this the USB reader was detected by VMkernel, but pcscd does not claim my reader and the USB device remains available for passthrough.

    2017-05-14T10:29:37.746Z cpu2:65945)<6>usb 2-2: new full speed USB device number 7 using xhci_hcd
    2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: New USB device found, idVendor=08e6, idProduct=3437
    2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: Product: USB SmartCard Reader
    2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: Manufacturer: Gemalto
    2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: SerialNumber: 67EF18E2
    2017-05-14T10:29:37.896Z cpu2:65945)<6>usb 2-2: usbfs: registered usb0207
    2017-05-14T10:29:38.900Z cpu1:67166)<6>usb 2-2: device is available for passthrough

    Running pcscd in the foreground with "pcscd -f -d -a" does not produce any log messages when the reader or card is connected. Card reader product ID 3437 is listed in /lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist. However, pcscd seems to be very old, 1.8.5, which is from 2012, so it might have some issues.

    I also tested this on CentOS Linux 7.3 which has pcscd 1.8.8 and on that pcscd recognizes my reader and card.
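
Added example, not part of the original post: the check described in post 6, scripted, matching the `idVendor`/`idProduct` pair from a vmkernel log line against the CCID bundle's `Info.plist`. It assumes the upstream CCID driver layout (parallel `ifdVendorID`, `ifdProductID`, `ifdFriendlyName` arrays); the plist content and friendly names below are constructed samples, and the function names are hypothetical.

```python
import plistlib
import re

# Constructed sample: one vmkernel log line in the format quoted in the post.
SAMPLE_LOG = (
    "2017-05-14T10:29:37.895Z cpu2:65945)<6>usb 2-2: New USB device found, "
    "idVendor=08e6, idProduct=3437\n"
)

# Constructed, heavily trimmed stand-in for the CCID bundle's Info.plist.
SAMPLE_PLIST = b"""<plist version="1.0">
<dict>
  <key>ifdVendorID</key>
  <array><string>0x08E6</string><string>0x1234</string></array>
  <key>ifdProductID</key>
  <array><string>0x3437</string><string>0x5678</string></array>
  <key>ifdFriendlyName</key>
  <array><string>Constructed reader A</string><string>Constructed reader B</string></array>
</dict>
</plist>
"""

USB_ID_RE = re.compile(r"idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})")


def usb_ids_from_log(log_text):
    """Return every (vendor, product) pair announced in the log, as ints."""
    return [(int(v, 16), int(p, 16)) for v, p in USB_ID_RE.findall(log_text)]


def ccid_supported_ids(plist_bytes):
    """Map (vendor, product) -> friendly name from the driver's parallel arrays."""
    info = plistlib.loads(plist_bytes)
    vendors, products, names = (
        info["ifdVendorID"], info["ifdProductID"], info["ifdFriendlyName"])
    if not len(vendors) == len(products) == len(names):
        raise ValueError("ID arrays differ in length; the bundle is inconsistent")
    return {(int(v, 16), int(p, 16)): n for v, p, n in zip(vendors, products, names)}


def check_readers(log_text, plist_bytes):
    """For each USB device in the log, report the driver entry or None."""
    supported = ccid_supported_ids(plist_bytes)
    return {ids: supported.get(ids) for ids in usb_ids_from_log(log_text)}


if __name__ == "__main__":
    for (vid, pid), name in check_readers(SAMPLE_LOG, SAMPLE_PLIST).items():
        print(f"{vid:04x}:{pid:04x} ->", name or "not listed in the CCID bundle")
```

A match only shows that the driver bundle knows the ID; as the post describes, pcscd can still fail to claim a listed reader.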



  • 7.  RE: DCUI Smart Card authentication not working

    Posted May 15, 2017 06:06 PM

    Thanks for reporting the issue.

    I've tried both SC650 and Omnikey readers but did not see any issues. We've ordered a Gemalto card reader for testing. If it does not work with the version of pcsclite in ESXi, I will update it.

    Thanks,

    Lance