With the --passthroughauth option, which is available if you run vCLI commands from a Microsoft Windows system, you can use the Microsoft Windows Security Support Provider Interface (SSPI).

You can refer to the Microsoft Web site for detailed information on SSPI.

You can use --passthroughauth to establish a connection with a vCenter Server system. After the connection has been established, authentication for the vCenter Server system or any ESXi system that it manages is no longer required. Using --passthroughauth passes the credentials of the user who runs the command to the target vCenter Server system. No additional authentication is required if the user who runs the command is known by the computer from which you access the vCenter Server system and by the computer running the vCenter Server software.

If vCLI commands and the vCenter Server software run on the same computer, the user needs only a local account to run the command. If the vCLI command and the vCenter Server software run on different machines, the user who runs the command must have an account in a domain trusted by both machines.

SSPI supports several protocols. By default, it selects the Negotiate protocol, where client and server try to find a protocol that both support. You can use --passthroughauthpackage to explicitly specify a protocol that is supported by SSPI. Kerberos, the Windows standard for domain-level authentication, is used frequently. If the vCenter Server system is configured to accept only a specific protocol, specifying the protocol with --passthroughauthpackage might be required for successful authentication. If you use --passthroughauth, you do not have to specify authentication information by using other options.

esxcli --server <vc_HOSTNAME_OR_IP> --passthroughauth --passthroughauthpackage "Kerberos"
--vihost <esxi_HOSTNAME_OR_IP> network ip interface list
vicfg-mpath.pl --server <vc_HOSTNAME_OR_IP> --passthroughauth --passthroughauthpackage "Kerberos" --vihost <esxi_HOSTNAME_OR_IP> --list

This example establishes a connection to a server that is set up to use SSPI. When a trusted user runs the command, the system calls the ESXCLI command or vicfg-mpath with the --list option. The system does not prompt for a user name and password.