Two-factor authentication is a simple but important step toward ensuring that an attacker who obtains a valid username and password still can't log into vCenter.
Two-factor authentication (2FA) combines something you know -- a password -- with something you have -- a token. Think of the time-sensitive rotating codes you get from Google Authenticator, but issued by a product designed for enterprise use.
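To make the "time-sensitive rotating code" idea concrete, here is an added example (not code from the original article, and not the proprietary RSA SecurID algorithm vCenter integrates with): the Google Authenticator-style TOTP scheme from RFC 6238, with the token side that produces a code and a server side that verifies it. The secret is the RFC 4226/6238 reference value, used here only so the outputs can be checked against the published test vectors; a real deployment provisions a random per-user secret.

```python
"""Time-based one-time codes (RFC 6238 TOTP over RFC 4226 HOTP).

Added example for illustration; not RSA SecurID, which uses its own algorithm.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"),
# used only so results match the RFCs' test vectors.
REFERENCE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The code a token displays at unix_time: HOTP over the time-step counter."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side: check a submitted code, tolerate clock drift, block replay."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret, self.step, self.window, self.digits = secret, step, window, digits
        self.last_counter = -1   # highest counter already consumed by a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        # Accept codes from neighbouring steps so a slightly skewed token still works...
        for counter in range(now - self.window, now + self.window + 1):
            # ...but never a counter at or below one already used: a code captured
            # from a victim cannot be replayed, even inside its validity window.
            if counter <= self.last_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):           # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Token side: what the authenticator would show right now.
    print("current code:", totp(REFERENCE_SECRET, int(time.time())))
    # Server side: the RFC 6238 vector for T=59 is 94287082 (8 digits), 287082 (6).
    v = TotpVerifier(REFERENCE_SECRET)
    print("first use accepted:", v.verify("287082", 59))    # True
    print("replay accepted:", v.verify("287082", 59))       # False
```

The replay guard is the part most home-grown verifiers forget: a 30-second window is long enough for a phished code to be reused, so the server must remember the last counter it accepted, not just check the current one.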
This article covers how to set up vCenter two-factor authentication with the features available in vSphere 6 Update 2 and above. Run the newest version you can; later releases carry fixes the initial 2FA implementation lacked.
Currently, VMware supports only two 2FA methods: RSA SecurID -- of RSA hard token fame -- and smart card authentication.
Before jumping in, you should know the caveats of the implementation. RSA 2FA does not currently cover Secure Shell logins to ESXi hosts, third-party tools or the legacy thick client. It does work for logins to vCenter through the vSphere Web Client, provided the accounts come from an Active Directory (AD) identity source, which is how VMware requires RSA to be configured.
Bear in mind that once vCenter two-factor authentication is on, all administration happens in the Web Client, so confirm that every web-based component works before proceeding.
AD and 2FA
Before you set up two-factor authentication, ensure that AD is integrated and enabled in vCenter, and confirm that AD logins work as expected before doing anything else.
As environments grow, AD integration on individual hosts can break in ways that go unnoticed, so check each one rather than assuming it works. Most environments already use AD, but be aware that AD is a hard requirement for using RSA with the infrastructure.
AD is the common identity store that ties the VMware side to the RSA side: the user ID vCenter presents to RSA must correspond to the AD account. Test AD and verify it is working properly before putting the implementation anywhere near the production VMware environment.
In addition, double-check the environment at large for problems or errors before you set up two-factor authentication, and test 2FA first in a clean, nonproduction environment that you have backed up.
After verifying AD, configure RSA SecurID as an authentication method in vCenter Single Sign-On (SSO), which runs on the Platform Services Controller.
Before turning the service on, ensure all the key components can resolve and connect to one another: DNS lookups, forward and reverse, must return the right answers, and nothing may block connectivity between vCenter, the SSO node, the AD domain controllers and the RSA servers. Note also that RSA does not support multibyte characters, so the user IDs you sync to it must be plain ASCII.
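The resolution, connectivity and character-set checks described here, as an added pre-flight script (not VMware's or RSA's own tooling): it takes an inventory of components, verifies that each name resolves and that the port accepts a TCP connection, and flags AD user IDs containing multibyte characters before they are handed to RSA. The hostnames, ports and user IDs are constructed placeholders; the fake resolver and connector at the bottom simulate one broken DNS record and one blocked port so the script shows its output without a lab, while the real `socket` calls are used by default.

```python
"""Pre-flight checks before enabling RSA SecurID authentication on vCenter.

Added example, not VMware or RSA code. Hostnames, ports and user IDs below
are placeholders for your own SSO node, vCenter, AD domain controllers and
RSA Authentication Manager hosts.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed inventory (hypothetical names; ports are placeholders to be
# replaced with the ones your deployment actually uses).
COMPONENTS: Dict[str, Tuple[str, int]] = {
    "psc": ("psc01.corp.example", 443),
    "vcenter": ("vc01.corp.example", 443),
    "ad-dc": ("dc01.corp.example", 389),
    "rsa-am": ("rsa-am01.corp.example", 443),
}

# Constructed AD account names that will be mirrored into RSA; the last two
# contain multibyte characters and must be caught before provisioning.
SAMPLE_USER_IDS = ["jsmith", "m.lopez", "jörg.müller", "李雷"]


def resolve(hostname: str, resolver: Callable = socket.getaddrinfo) -> List[str]:
    """Addresses the name resolves to, or [] if the lookup fails."""
    try:
        return sorted({entry[4][0] for entry in resolver(hostname, None)})
    except socket.gaierror:
        return []


def tcp_reachable(host: str, port: int, timeout: float = 3.0,
                  connector: Callable = socket.create_connection) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        sock = connector((host, port), timeout=timeout)
    except OSError:
        return False
    sock.close()
    return True


def non_ascii_user_ids(user_ids) -> List[str]:
    """User IDs RSA cannot accept because they contain multibyte characters."""
    return [uid for uid in user_ids if any(ord(ch) > 0x7F for ch in uid)]


def run_preflight(components, user_ids, resolver=socket.getaddrinfo,
                  connector=socket.create_connection) -> List[str]:
    """Human-readable findings; an empty list means every check passed."""
    findings = []
    for name, (host, port) in components.items():
        addrs = resolve(host, resolver)
        if not addrs:
            findings.append(f"{name}: {host} does not resolve")
            continue
        if not tcp_reachable(addrs[0], port, connector=connector):
            findings.append(f"{name}: {addrs[0]}:{port} not reachable")
    for uid in non_ascii_user_ids(user_ids):
        findings.append(f"user {uid!r}: multibyte characters unsupported by RSA")
    return findings


# --- Constructed offline simulation: one missing DNS record, one blocked port ---
_FAKE_DNS = {
    "psc01.corp.example": "10.0.0.11",
    "vc01.corp.example": "10.0.0.12",
    "dc01.corp.example": "10.0.0.21",
    # rsa-am01 deliberately absent: simulates a missing DNS record
}
_FAKE_CLOSED_PORTS = {("10.0.0.21", 389)}   # simulates a firewall blocking LDAP


def fake_resolver(hostname, port=None, *args, **kwargs):
    """Stand-in for socket.getaddrinfo returning the same tuple shape."""
    if hostname not in _FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (_FAKE_DNS[hostname], 0))]


class _FakeSocket:
    def close(self):
        pass


def fake_connector(address, timeout=None, **kwargs):
    """Stand-in for socket.create_connection."""
    if address in _FAKE_CLOSED_PORTS:
        raise ConnectionRefusedError(111, "Connection refused")
    return _FakeSocket()


if __name__ == "__main__":
    # Swap in the real resolver/connector (the defaults) to check a live environment.
    for line in run_preflight(COMPONENTS, SAMPLE_USER_IDS, fake_resolver, fake_connector):
        print(line)
```

Run it from the SSO node itself, since that is where the RSA and AD connections originate; a clean run from an administrator's workstation proves nothing about the path that matters.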
You turn the configuration on or off, and modify it, with the sso-config command run directly on the SSO node. Once 2FA is working, you can disable the other, non-2FA authentication methods, but only after a test 2FA login has succeeded, and keep console or SSH access to the SSO node so you can run sso-config again to re-enable password authentication if 2FA locks everyone out.
It's relatively easy to set up vCenter two-factor authentication, especially with a validated service installed, and for those looking to ratchet up their security it is an easy win. Still, become familiar with the commands -- particularly how to turn 2FA off -- before you need them, in case things don't go as planned.