The vCenter Server must disable accounts used for Integrated Windows Authentication (IWA).
| Description |
|---|
| If not used for their intended purpose, default accounts must be disabled. vCenter ships with several default accounts, two of which are specific to IWA and SASL/Kerberos authentication. If other methods of authentication are used, these accounts are not needed and must be disabled. |
| ℹ️ Check |
|---|
| If IWA is used for vCenter authentication, this is not applicable. From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Users. Change the domain to "vsphere.local" and review the "K/M" and "krbtgt/VSPHERE.LOCAL" accounts. If the "K/M" and "krbtgt/VSPHERE.LOCAL" accounts are not disabled, this is a finding. |
| ✔️ Fix |
|---|
| From the vSphere Client, go to Administration >> Single Sign On >> Users and Groups >> Users. Select the "K/M" or "krbtgt/VSPHERE.LOCAL" and click "More" then select "Disable". Click "Ok" to disable the user account. |