The vCenter Server must disable Password and Windows integrated authentication.


Overview

Finding ID: V-243116
Version: VCTR-67-000061
Rule ID: SV-243116r719591_rule
IA Controls: (none)
Severity: Medium
Description
All forms of authentication other than CAC must be disabled. Password authentication can be temporarily re-enabled for emergency access to the local SSO domain accounts, but it must be disabled again as soon as CAC authentication is functional.
STIG Date
VMware vSphere 6.7 vCenter Security Technical Implementation Guide 2022-09-09

Details

Check Text ( C-46391r719589_chk )
Note: For vCenter Server Windows, this is not applicable.

From the vSphere Client go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication.

If "Smart card authentication" is not enabled and "Password and windows session authentication" is not disabled, this is a finding.
Fix Text (F-46348r719590_fix)
From the vSphere Client go to Administration >> Single Sign-On >> Configuration >> Smart Card Authentication. Next to "Authentication methods", click "Edit". Click the "Enable smart card authentication" radio button and click "Save".

To re-enable password authentication for troubleshooting purposes, run the following command on the vCenter server:

/opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local
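As an added example (not part of the STIG text), the following POSIX shell script evaluates this finding from the vCenter appliance shell rather than the vSphere Client, and documents the compliant counterpart of the emergency command above. It assumes that `sso-config.sh -get_authn_policy -t vsphere.local` prints one "NameEnabled: true|false" line per method (PasswordAuthnEnabled, WindowsAuthnEnabled, CertAuthnEnabled); those field names are an assumption and should be checked against the output of your build.

```shell
#!/bin/sh
# Added example for VCTR-67-000061: decide compliance from the SSO
# authentication policy text instead of clicking through the vSphere Client.
# Assumption: the policy text carries lines such as "PasswordAuthnEnabled: true".

# Print the lowercased value of one "<field>: <value>" line, or "missing".
# $1 = policy text, $2 = field name.
policy_flag() {
  printf '%s\n' "$1" | awk -v key="$2" -F': *' \
    '$1 == key { print tolower($2); found = 1 } END { if (!found) print "missing" }'
}

# Return 0 when the policy is CAC-only (smart card on, password and Windows
# session authentication off); otherwise print each finding and return 1.
check_authn_policy() {
  policy="$1"
  pwd_on=$(policy_flag "$policy" PasswordAuthnEnabled)
  win_on=$(policy_flag "$policy" WindowsAuthnEnabled)
  cert_on=$(policy_flag "$policy" CertAuthnEnabled)
  rc=0
  [ "$cert_on" = "true" ]  || { echo "FINDING: smart card authentication is not enabled"; rc=1; }
  [ "$pwd_on" = "false" ]  || { echo "FINDING: password authentication is not disabled"; rc=1; }
  [ "$win_on" = "false" ]  || { echo "FINDING: Windows session authentication is not disabled"; rc=1; }
  return $rc
}

# Constructed sample outputs for an offline dry run (not captured from a real system).
SAMPLE_NONCOMPLIANT='Authentication Policy for tenant vsphere.local
PasswordAuthnEnabled: true
WindowsAuthnEnabled: true
CertAuthnEnabled: false'

SAMPLE_COMPLIANT='Authentication Policy for tenant vsphere.local
PasswordAuthnEnabled: false
WindowsAuthnEnabled: false
CertAuthnEnabled: true'

# Live use on the appliance (run as root):
#   check_authn_policy "$(/opt/vmware/bin/sso-config.sh -get_authn_policy -t vsphere.local)"
# Compliant setting to apply once smart card login is confirmed working; this is
# the inverse of the STIG's emergency re-enable command:
#   /opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn false -winAuthn false \
#       -certAuthn true -securIDAuthn false -t vsphere.local
```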