UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server for Windows must disable Password and Windows integrated authentication.


Overview

Finding ID Version Rule ID IA Controls Severity
V-216880 VCWN-65-000061 SV-216880r612237_rule Low
Description
All forms of authentication other than CAC must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local SSO domain accounts but it must be disable as soon as CAC authentication is functional.
STIG Date
VMW vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide 2020-12-10

Details

Check Text ( C-18111r366354_chk )
1. Login to the Platform Services Controller web interface with administrator@vsphere.local from

https:///psc

In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.

If you specified a different SSO domain during installation, log in as administrator@.

2. Browse to Single Sign-On >> Configuration.

3. Click the "Smart Card Configuration" tab, click the "Edit" button next to “Authentication Configuration”.

If the selection box next to “Password and Windows session authentication” is checked, this is a finding.
Fix Text (F-18109r366355_fix)
1. Login to the Platform Services Controller web interface with administrator@vsphere.local from

https:///psc

In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.

If you specified a different SSO domain during installation, log in as administrator@.

2. Browse to Single Sign-On >> Configuration.

3. Click the "Smart Card Configuration" tab, click the "Edit" button next to “Authentication Configuration”.

4. Check the box next to “Password and Windows session authentication”. Click "OK".

To re-enable password authentication for troubleshooting run the following command from the PSC:

/opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local