SecurID® Discussions

MohammadEnnab
Occasional Contributor
RSA SecurID Authentication Manager Integration with Vmware VCenter

Dear all,

I would like to share the procedure for integrating VMware vCenter with RSA AM; there is no official guide published in RSA Ready technologies for this integration.

The virtual lab simulates the integration using the components below:

  • RSA AM VM version 8.5
  • RSA software token
  • vSphere ESX version 6.7, latest update
  • vCenter version 6.7, latest update, including the embedded Platform Services Controller (PSC)

Note: the external Platform Services Controller will not be supported by VMware in version 7.0; if you have an external Platform Services Controller you can follow the same procedure.

  • Microsoft AD as the main identity source for RSA AM and vCenter

Configuration procedure:

  • Configure RSA Authentication Manager.
  • Integrate Microsoft AD as the main identity source in AM.

Note: Remember that AD maps to the user attribute sAMAccountName; this attribute is required to configure RSA on the vCenter side.

  • Assign the required token to the AD user.
  • Set up vSphere ESX.
  • Set up vCenter, and remember what your SSO default domain is (usually it is configured as vsphere.local).
  • Integrate Microsoft AD as the identity source for SSO, making sure the identity source type selected is "Active Directory over LDAP". Don't use "Active Directory (Integrated Windows Authentication)", as that would require using the userPrincipalName attribute to map users on the AD side.
  • Create an agent record in RSA for the vCenter PSC (for an embedded PSC, use the same name as the vCenter hostname) and keep the agent type as Standard (the agent name created in our lab is vc.rsas.com).
  • Download the RSA configuration file (sdconf.rec); you need to upload this file to the vCenter PSC.
  • Transfer sdconf.rec to vCenter using WinSCP and keep the file at /root/sdconf.rec.
  • Access the vCenter PSC through SSH using any tool such as PuTTY.
  • Issue the commands below to set up RSA in the vCenter PSC:

1. Change directory: cd /opt/vmware/bin

2. Enable the SecurID authentication policy:

./sso-config.sh -t vsphere.local -set_authn_policy -securIDAuthn true

3. Configure the agent software in SSO with the sdconf.rec file:

./sso-config.sh -set_rsa_site -t vsphere.local -agentName vc.rsas.com -sdConfFile /root/sdconf.rec

4. Define the AD user attribute as sAMAccountName:

./sso-config.sh -set_rsa_userid_attr_map -t vsphere.local -idsName rsas.com -ldapAttr sAMAccountName

5. Confirm all the settings by dumping the RSA configuration of SSO:

./sso-config.sh -t vsphere.local -get_rsa_config

Optional: To disable logons via username and password, smart card, and Windows integrated session, enter the following command. Only logon through RSA SecurID is then possible.

./sso-config.sh -set_authn_policy -pwdAuthn false -winAuthn false -certAuthn false -t vsphere.local

Now it is time to log in to the vSphere Web Client via multi-factor authentication. We can see that the logon page shows an additional checkbox called "Use RSA SecurID", and the password field changes to "Passcode".
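As an added example, not code from the original post or from VMware or RSA, here is a POSIX shell script that runs the sso-config.sh steps above in the order given, refuses to start unless sdconf.rec is present and readable only by its owner, and stops at the first failing step. The variable names, the print/apply switch, the permission check and the script name setup-securid.sh are my assumptions; the sso-config.sh flags are exactly the ones in the post. By default it only prints the commands, so the sequence can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example, not part of the original post: runs the sso-config.sh steps
# from the post in order, stops at the first failure, and checks sdconf.rec
# before touching SSO. The variable names, the print/apply switch and the
# file-permission check are my additions; the sso-config.sh flags are the
# ones shown in the post.
set -u

SSO_BIN="${SSO_BIN:-/opt/vmware/bin/sso-config.sh}"
TENANT="${TENANT:-vsphere.local}"          # SSO default domain
AGENT_NAME="${AGENT_NAME:-vc.rsas.com}"    # agent record name created in AM
IDS_NAME="${IDS_NAME:-rsas.com}"           # SSO identity source name for AD
LDAP_ATTR="${LDAP_ATTR:-sAMAccountName}"   # AD attribute the agent maps users by
SDCONF="${SDCONF:-/root/sdconf.rec}"       # where sdconf.rec was uploaded
APPLY="${APPLY:-0}"                        # 0 = print the commands, 1 = execute

# Print the command unless APPLY=1, in which case execute it.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# sdconf.rec binds this PSC to the AM deployment: refuse to proceed if it is
# missing, empty, or readable by anyone other than its owner.
check_sdconf() {
    f="$1"
    [ -f "$f" ] || { echo "sdconf: $f is missing" >&2; return 1; }
    [ -s "$f" ] || { echo "sdconf: $f is empty" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "sdconf: $f has mode $mode, expected 600 (run: chmod 600 $f)" >&2
           return 1 ;;
    esac
}

# Steps 2-5 of the post in order; each must succeed before the next runs.
configure_securid() {
    check_sdconf "$SDCONF" || return 1
    run "$SSO_BIN" -t "$TENANT" -set_authn_policy -securIDAuthn true || return 1
    run "$SSO_BIN" -set_rsa_site -t "$TENANT" -agentName "$AGENT_NAME" \
        -sdConfFile "$SDCONF" || return 1
    run "$SSO_BIN" -set_rsa_userid_attr_map -t "$TENANT" -idsName "$IDS_NAME" \
        -ldapAttr "$LDAP_ATTR" || return 1
    run "$SSO_BIN" -t "$TENANT" -get_rsa_config || return 1
}

# The optional lock-down from the post, kept separate on purpose: once password,
# Windows and certificate logons are off, every account in the tenant needs a
# working SecurID passcode, so confirm a SecurID logon works (and keep SSH or
# console access to the PSC) before calling this.
securid_only() {
    run "$SSO_BIN" -set_authn_policy -pwdAuthn false -winAuthn false \
        -certAuthn false -t "$TENANT"
}

main() {
    configure_securid || exit 1
    if [ "${SECURID_ONLY:-0}" = "1" ]; then
        securid_only || exit 1
    fi
}

# Usage: ./setup-securid.sh run                          (preview: prints the commands)
#        APPLY=1 ./setup-securid.sh run                  (execute on the PSC as root)
#        APPLY=1 SECURID_ONLY=1 ./setup-securid.sh run   (also disable other logons)
case "${1:-}" in
    run) main ;;
    *)   echo "usage: [APPLY=1] [SECURID_ONLY=1] $0 run" >&2 ;;
esac
```

Keep the optional lock-down as a separate, explicit step: the post's -pwdAuthn false command is issued against the whole vsphere.local tenant, so verify that a SecurID logon succeeds and keep SSH access to the PSC before running it.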
7 Replies

LukaKodric
Trusted Contributor

Awesome... I wonder how we would integrate it directly into the RSA SecurID Access SSO portal 😄, if that's even possible.

MohammadEnnab
Occasional Contributor

Hi Luka,

VMware vCenter doesn't support integration with the RSA SSO portal; there is a limitation on the VMware side. If you are looking to use newer, modern authentication such as push notification to access VMware vCenter, you can do a hybrid integration between RSA AM and IDR.

LukaKodric
Trusted Contributor

Yeah, another reason why I still run AM 😄 for legacy stuff like this.

captjck
New Contributor

Is there any way to force AD accounts to use the RSA token but allow vsphere.local accounts to just use their password? I like having the ability to log in "locally" in an emergency.

OCCRob
New Contributor

Do you know of a way to enforce both RSA and the LDAP password? It's not MFA when I just shift from using one type of authentication to another.

Also, is there any way to change the RSA logon message? We don't use the Windows soft token and I can see it being confusing for users with the phone app.

As I see it, assuming you're using a PIN and a tokencode, shifting from LDAP to RSA is MFA. The PIN is something you know, analogous to the password in AD, and the tokencode is something you have. Thus, two factors, or multi-factor.

ChrisRod
New Contributor

Hello Mohammad,

Do you know if it is possible to run this command

./sso-config.sh -set_authn_policy -pwdAuthn false -winAuthn false -certAuthn false -t vsphere.local

but still be able to use password authentication just for service accounts, like local system accounts?

I just want to disable passwords for users on a domain, but not for the local system accounts.