The vCenter Server must disable Username/Password and Windows Integrated Authentication.

An XCCDF Rule

Description

All forms of authentication other than Common Access Card (CAC) must be disabled. Password authentication can be temporarily reenabled for emergency access to the local Single Sign-On (SSO) accounts or Active Directory user/pass accounts, but it must be disabled as soon as CAC authentication is functional.

ID: SV-256363r885700_rule
Version: VCSA-70-000283
Severity: Low
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.

Next to "Authentication method", click "Edit".

Select the radio button to "Enable smart card authentication".
Click "Save".

To reenable password authentication for troubleshooting purposes, run the following command on the vCenter Server Appliance:

# /opt/vmware/bin/sso-config.sh -set_authn_policy -pwdAuthn true -winAuthn false -certAuthn false -securIDAuthn false -t vsphere.local

The vCenter Server must disable Username/Password and Windows Integrated Authentication.

Description

Remediation Templates

A Manual Procedure