WilliamLam.com

Passwordless login to vCenter Server or VMware Cloud Foundation (VCF) using Apple Face ID or Yubico YubiKey

01.28.2025 by William Lam // Leave a Comment

After spending some time playing with a couple of self-hosted Identity Provider solutions like Authentik and Keycloak for use with vCenter Server Identity Federation, I was curious about their Multi-Factor Authentication (MFA) support. Specifically, I was interested in their WebAuthn capabilities, which should allow me to use the popular Yubico YubiKey for passwordless authentication into my VMware environment. 😊


It is also important to mention that vCenter Server Identity Federation today officially supports the IdPs listed below, all of which support the YubiKey (linked below is the official Yubico documentation for each IdP from Yubico's website):

  • Microsoft Active Directory Federation Service (ADFS)
  • Okta
  • Microsoft Entra ID
  • PingFederate

If you are already consuming one of these IdPs, you already have the ability to use a YubiKey or other supported WebAuthn device for passwordless login! For VMware Cloud Foundation (VCF) customers, Identity Federation is also supported with the same IdPs, as it relies on the VCF Management Domain vCenter Server, so this would allow you to log in to SDDC Manager using a YubiKey, as an example.

I have never used a YubiKey before, so this was going to be a new adventure for me as well as playing with the WebAuthn protocol which is also new for me. I really like the UX of Authentik, which provides a seamless experience and with built-in support for SCIM, the choice was easy for the IdP I would choose for this experiment.

[Read more...]

Categories // VCSA, VMware Cloud Foundation, vSphere, vSphere 8.0 Tags // Authentik, Face ID, vCenter Server, VCSA, VMware Cloud Foundation, Yubikey

Quick Tip - Block or remove download URL for VMware Enhanced Authentication Plug-in (EAP)

02.23.2024 by William Lam // 19 Comments

There was a new VMware Security Advisory (VMSA-2024-0003) that was published this week that affects the deprecated VMware Enhanced Authentication Plug-in (EAP) and as part of the remediation, per VMware KB 96442, there are instructions on how to uninstall the EAP plugin from desktop systems that had it installed.

I also noticed there were questions from the community about disabling the EAP download itself, which is available as a hyperlink from the vSphere UI login page as shown in the screenshot below.


Having spent some time exploring and customizing the vSphere UI login page back in 2015, I knew there were a few ways of either blocking and/or removing the download URL altogether, so I figured I would put together the list of options depending on what users were comfortable with.

[Read more...]

Categories // VCSA Tags // EAP, Enhanced Authentication Plug-in, VCSA

Automating certificate-manager CLI operations in vCenter Server (VCSA)

02.07.2024 by William Lam // 3 Comments

I recently had a customer inquiry where they were interested in automating the certificate replacement for vCenter Solution Users when using the /usr/lib/vmware-vmca/bin/certificate-manager CLI, which is found within the vCenter Server Appliance (VCSA).


Note: One important thing to understand is that with vSphere 7.0, the vCenter Solution User certificates have been deprecated and the ability to replace the internal certificates will be removed in a future release as mentioned in the referenced vSphere blog post.

VMware does not recommend replacing the internal vCenter Solution User certificates, but for users who may have an organization requirement to do so, the operation is performed interactively using the certificate-manager CLI as mentioned earlier.

By design, the certificate-manager is meant to be consumed interactively and any non-interactive or automated use case is not possible ...

[Read more...]

Categories // Automation, VCSA Tags // vCenter Server, VCSA, VMCA, VMware Certificate Authority


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Copyright WilliamLam.com © 2025