To test that a card has been initialized with an appropriate user
    # vastool smartcard test user
    Testing user user@vas.example
    Testing certificate validity ... ok
    Testing if PIN is required ... ok
    Enter PIN for user@vas.example: xxxxxxxx
    Performing login to card ... ok
    Generating signature ... ok
    Verifying signature ... ok
This tests whether a valid user is on the card, and whether you are able to log into the card and use its cryptographic functions. If your card requires a PIN, enter the password at the prompt.
The vastool smartcard test card function generates output similar to the following:
    CKM_RSA_X_509
    CKM_MD2_RSA_PKCS
    CKM_MD5_RSA_PKCS
    CKM_SHA1_RSA_PKCS
    CKM_DES_KEY_GEN
    CKM_DES_ECB
    CKM_DES_CBC
    CKM_DES_CBC_PAD
    CKM_DES2_KEY_GEN
    CKM_DES3_KEY_GEN
    CKM_DES3_ECB
    CKM_DES3_CBC
    CKM_DES3_CBC_PAD
    CKM_MD2
    CKM_MD5
    CKM_SHA_1
    Checking that CKM_RSA_PKCS mechanism is supported ... ok
    Checking info for CKM_RSA_PKCS mechanism ... ok
    Checking CKM_RSA_PKCS mechanism supports signing ... ok
    Checking CKM_RSA_PKCS mechanism supports decryption ... ok
    Testing that card contains a user ... ok
Note: This command requires that you are joined to a domain.
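The following script is an added example, not part of the original page or of One Identity's tooling. It summarises vastool smartcard test card output for unattended checks: it counts the check lines, reports any that did not end in "ok", and lists advertised mechanisms built on MD2, MD5 or single DES. The function names, the report format and the rule that any status other than "ok" is a failure are assumptions of this example.

```shell
#!/bin/sh
# Added example, not One Identity code. Usage on a joined host:
#   vastool smartcard test card | check_card_output
# Assumption: each check prints "<description> ... <status>" as in the
# sample above, and any status other than "ok" means the check failed.

# Reads test output on stdin, prints a report, and returns 0 only when
# at least one check ran and every check ended in "ok".
check_card_output() {
    awk '
        / \.\.\. / {                      # a check line
            total++
            if ($NF != "ok") { failed++; print "FAILED: " $0 }
            next
        }
        {                                 # a mechanism listing line
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^CKM_/) continue
                mechs++
                # MD2, MD5 and single DES are obsolete algorithms.
                if ($i ~ /^CKM_(MD2|MD5)/ || $i ~ /^CKM_DES_/) {
                    print "LEGACY: " $i
                }
            }
        }
        END {
            printf "checks=%d failed=%d mechanisms=%d\n", total, failed, mechs
            exit (total == 0 || failed > 0)
        }
    '
}

# Constructed sample: the output shown above, embedded so this runs offline.
sample_output() {
    cat <<'EOF'
CKM_RSA_X_509 CKM_MD2_RSA_PKCS CKM_MD5_RSA_PKCS CKM_SHA1_RSA_PKCS
CKM_DES_KEY_GEN CKM_DES_ECB CKM_DES_CBC CKM_DES_CBC_PAD
CKM_DES2_KEY_GEN CKM_DES3_KEY_GEN CKM_DES3_ECB CKM_DES3_CBC
CKM_DES3_CBC_PAD CKM_MD2 CKM_MD5 CKM_SHA_1
Checking that CKM_RSA_PKCS mechanism is supported ... ok
Checking info for CKM_RSA_PKCS mechanism ... ok
Checking CKM_RSA_PKCS mechanism supports signing ... ok
Checking CKM_RSA_PKCS mechanism supports decryption ... ok
Testing that card contains a user ... ok
EOF
}

sample_output | check_card_output
```

A LEGACY line only means the token advertises that mechanism; the checks on this page exercise CKM_RSA_PKCS.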
To test whether it is possible to log in using the inserted card
For example:
    # vastool smartcard test login
    Testing user user@vas.example
    Testing certificate validity ... ok
    Testing if PIN is required ... ok
    Enter PIN for user@vas.example:
    Performing login to card ... ok
    Creating ID for client with UPN 'user@vas.example' ... ok
    Establish initial credentials using PKCS#11 ... ok
This command uses the inserted card to log in to Active Directory. It displays a warning if the user is not Unix enabled, and displays an error if the login fails. This command is useful when troubleshooting Safeguard Authentication Services for Smart Cards login problems.
To help you troubleshoot your Safeguard Authentication Services for Smart Cards installation, One Identity recommends the following resolutions to some of the common problems you might encounter.
Enable debugging for smart card login with PAM
Enable debugging for the Safeguard Authentication Services daemon
Enable debugging for the PKCS#11 library
Troubleshooting vastool errors
vastool ERROR: no PKCS#11 library specified in vas.conf
vastool ERROR: Could not get symbol 'C_GetFunctionList'
vastool ERROR: invalid ELF header
vastool ERROR: cannot open shared object file
vastool ERROR: smart card is not present in slot
vastool WARNING: "Smart card user X is not unix enabled" issue
Troubleshooting PAM or "vastool smartcard test login" errors
Login fails when the network connectivity is down
Login fails when the system's internal clock is not synchronized
Login fails when the user account is disabled
Login fails when the user's certificate is not authorized
Troubleshooting "KDC has no support for padata type" issue
Troubleshooting "Cannot contact any KDC for requested realm" issue
Log shows "clock skew problems"
Log shows "server policy does not allow them on" or "account is expired"
Log shows "Failed authentication attempt: cannot verify certificate"
Safeguard Authentication Services for Smart Cards provides a number of tools and options to diagnose problems.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.