Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-94825 | VCWN-65-000061 | SV-104655r1_rule | | Low |
Description |
---|
All forms of authentication other than CAC must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local SSO domain accounts, but it must be disabled as soon as CAC authentication is functional. |
STIG | Date |
---|---|
VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide | 2019-05-22 |
Check Text (C-94021r1_chk) |
---|
1. Log in to the Platform Services Controller web interface with administrator@vsphere.local from https:// In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@ 2. Browse to Single Sign-On >> Configuration. 3. Click the "Smart Card Configuration" tab, then click the "Edit" button next to "Authentication Configuration". If the selection box next to "Password and Windows session authentication" is checked, this is a finding. |
Fix Text (F-100949r1_fix) |
---|
1. Log in to the Platform Services Controller web interface with administrator@vsphere.local from https:// In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@ 2. Browse to Single Sign-On >> Configuration. 3. Click the "Smart Card Configuration" tab, then click the "Edit" button next to "Authentication Configuration". 4. Check the box next to "Password and Windows session authentication". Click "OK". To re-enable password authentication for troubleshooting, run the following command from the PSC: /opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local |