UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server must disable Password and Windows integrated authentication.


Overview

Finding ID Version Rule ID IA Controls Severity
V-243133 VCTR-67-000078 SV-243133r719642_rule Medium
Description
All forms of authentication other than CAC must be disabled. Password authentication can be temporarily reenabled for emergency access to the local SSO domain accounts, but it must be disabled as soon as CAC authentication is functional.
STIG Date
VMware vSphere 6.7 vCenter Security Technical Implementation Guide 2021-04-16

Details

Check Text ( C-46408r719640_chk )
Note: For vCenter Server Appliance, this is not applicable.

From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication.

If "Smart card authentication" is not enabled and "Password and windows session authentication" is not disabled, this is a finding.
Fix Text (F-46365r719641_fix)
From the vSphere Client, go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication.

Next to "Authentication methods", click "Edit".

Click the "Enable smart card authentication" radio button and click "Save".

To reenable password authentication for troubleshooting purposes, run the following command on the vCenter server:

C:\Program Files\VMware\VCenter server\VMware Identity Services\sso-config.bat -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local