
Unable to login to vSphere Web Client using CAC authentication after enabling OCSP (2148938)



After configuring and enabling OCSP, logging in to the vSphere Web Client using CAC card authentication fails with an error similar to the following:

  "Unable to validate the submitted credential"


To set an alternate OCSP responder certificate, use the option supported in 6.0 Update 3:

  -set_authn_policy -t vsphere.local -ocspUrl http://<CA-FQDN>/ocsp -ocspCert <path_to_ocsp_signing_ca_cert>.cer

In Windows,

  1. Access the directory:
     cd C:\Program Files\Vmware\vCenter Server\Vmware Identity Services\
  2. Run the command:
     sso-config.bat

In Linux,

  1. Access the directory:
     cd /opt/vmware/bin
  2. Run the command

For example:

  -set_authn_policy -t vsphere.local -ocspUrl -ocspCert ca_pslab1_com.cer

Check the authentication policy to see if the OCSP URL and certificates are properly set:

  -get_authn_policy -t vsphere.local

  IsPasswordAuthEnabled:   true
  IsWindowsAuthEnabled:   true
  IsTLSClientCertAuthnEnabled:   true
  IsSecurIDAuthnEnabled:   false
  revocationCheckEnabled:   true
  useOCSP:   true
  sendOCSPNonce:   false
  useCRLAsFailOver:   true
  OCSPResponderSigningCert:   CN=pslab1-CA, DC=pslab1, DC=com

  useCertCRL:   true
  CRL CacheSize:   512
  CRLUrl:   UndefinedConfig
  trustedCA:   CN=pslab1-CA, DC=pslab1, DC=com
  trustedCA:   CN=pslab2-PSCHILD1-CA, DC=pslab2, DC=pslab1, DC=com
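
One way to script the check above, as an added example that is not VMware's own code: it parses the "key: value" lines of the -get_authn_policy output and reports settings that leave OCSP-based certificate authentication unconfigured. The sample is the output shown in this article with whitespace normalized; the function names and the treatment of UndefinedConfig as "not set" are assumptions.

```python
import sys

# Output of "-get_authn_policy -t vsphere.local" as shown in this article.
SAMPLE = """\
IsPasswordAuthEnabled: true
IsWindowsAuthEnabled: true
IsTLSClientCertAuthnEnabled: true
IsSecurIDAuthnEnabled: false
revocationCheckEnabled: true
useOCSP: true
sendOCSPNonce: false
useCRLAsFailOver: true
OCSPResponderSigningCert: CN=pslab1-CA, DC=pslab1, DC=com
useCertCRL: true
CRL CacheSize: 512
CRLUrl: UndefinedConfig
trustedCA: CN=pslab1-CA, DC=pslab1, DC=com
trustedCA: CN=pslab2-PSCHILD1-CA, DC=pslab2, DC=pslab1, DC=com
"""

UNSET = {"", "UndefinedConfig"}  # assumption: this token marks an unset value
REQUIRED_TRUE = ("IsTLSClientCertAuthnEnabled", "revocationCheckEnabled", "useOCSP")

def parse_authn_policy(text):
    """Parse 'key: value' lines; keys such as trustedCA may repeat."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            policy.setdefault(key.strip(), []).append(value.strip())
    return policy

def check_ocsp_policy(policy):
    """Return a list of findings; an empty list means the checked settings are set."""
    findings = []
    for key in REQUIRED_TRUE:
        if policy.get(key, [""])[0].lower() != "true":
            findings.append(f"{key} is not true")
    for key in ("OCSPResponderSigningCert", "trustedCA"):
        if not [v for v in policy.get(key, []) if v not in UNSET]:
            findings.append(f"{key} is not set")
    return findings

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for finding in check_ocsp_policy(parse_authn_policy(text)) or ["checked OCSP settings are set"]:
        print(finding)
```

Pipe the real -get_authn_policy output into the script on standard input to check a live configuration; run without input it checks the sample.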
