
Safeguard Authentication Services 5.0.2 - Authentication Services for Smart Cards Administration Guide


vastool ERROR: smart card is not present in slot

You encounter this error when the card reader is not correctly installed.

For more information, see Check the smart card reader.

vastool WARNING: "Smart card user X is not unix enabled" issue

Symptom:

A warning displays, similar to the following:

WARNING: Smartcard user "vas-user@altsuffix.vas" is not unix enabled.
You will not be able to log in with this card using VAS.

Diagnosis:

You get the warning "Smartcard user is not unix enabled." because Safeguard Authentication Services cannot find that user in its cache. Safeguard Authentication Services 4.x differs from previous versions in that it interprets a name in user principal name format as the Active Directory Kerberos principal name, which is actually <sAMAccountName>@<KerberosRealm>. If you have configured your smart cards with the user principal name from Active Directory, but the suffix of the user principal name on your smart card does not match the name of the Kerberos realm for your Active Directory domain, then you are using an alternative user principal name suffix. For example, your Active Directory domain is COMPANY.COM, but the user principal on your smart card is vas-user@ALTSUFFIX.VAS.

Solution:

Configure vas.conf to use the user principal name as the logon attribute, by any of the following methods:

  1. Safeguard Authentication Services Configuration Group Policy Setting:
    1. Open QAS Configuration in the Group Policy editor.
    2. Type username-attr-name in the search field and click the Search button.
    3. Set the value to userPrincipalName.
    4. Click OK to close the dialog.
    5. Apply Group Policy on the Safeguard Authentication Services client by running the vgptool apply command.
  2. Manually edit the vas.conf.
    1. Open the vas.conf file on the Safeguard Authentication Services client.
    2. In the [vasd] section, set "username-attr-name = userPrincipalName".
    3. Save the vas.conf file.
    4. Run the vastool flush command to repopulate user information.
  3. Edit the vas.conf with vastool.
    1. Run the following command:

      vastool configure vas vasd username-attr-name userPrincipalName

    2. Run the vastool flush command to repopulate user information.
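As an added example (not code from this guide or from the product), the diagnosis and fix above expressed as a small Python check: it reports whether the UPN on the card uses an alternative suffix for a given Kerberos realm, reads username-attr-name from the [vasd] section, and produces the corrected vas.conf text without disturbing other lines. The sample vas.conf, the helper names and the diagnose() status strings are constructed for this example.

```python
import configparser

# Constructed sample vas.conf (not a real client's file); [vasd] lacks username-attr-name.
SAMPLE_VAS_CONF = """\
[libdefaults]
default_realm = COMPANY.COM

[vasd]
# other [vasd] settings omitted in this constructed sample
"""
KEY = "username-attr-name"

def upn_uses_alt_suffix(card_upn: str, kerberos_realm: str) -> bool:
    """True when the card's UPN suffix is not the domain's Kerberos realm (case-insensitive)."""
    if "@" not in card_upn:  # not in UPN format at all, so no suffix to compare
        return False
    _, _, suffix = card_upn.rpartition("@")
    return suffix.upper() != kerberos_realm.upper()

def vasd_logon_attribute(conf_text: str):
    """Return the [vasd] username-attr-name value, or None when it is not set."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser.get("vasd", KEY, fallback=None)

def set_vasd_username_attr(conf_text: str, value: str = "userPrincipalName") -> str:
    """Return conf_text with 'username-attr-name = value' in [vasd]; other lines and comments survive."""
    out, in_vasd, seen_header = [], False, False
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_vasd = s[1:-1].strip().lower() == "vasd"
            if in_vasd and not seen_header and vasd_logon_attribute(conf_text) is None:
                line += f"\n{KEY} = {value}"  # key absent: add it right after the header
            seen_header = seen_header or in_vasd
        elif in_vasd and s.split("=", 1)[0].strip().lower() == KEY:
            line = f"{KEY} = {value}"  # key present: rewrite it in place
        out.append(line)
    if not seen_header:  # no [vasd] section at all: create one
        out += ["", "[vasd]", f"{KEY} = {value}"]
    return "\n".join(out) + "\n"

def diagnose(card_upn: str, kerberos_realm: str, conf_text: str):
    """Map the warning to the guide's cause and fix; returns (status, advice)."""
    if not upn_uses_alt_suffix(card_upn, kerberos_realm):
        return "suffix-matches-realm", "UPN suffix equals the realm; run 'vastool flush' to refresh the user cache"
    if (vasd_logon_attribute(conf_text) or "").lower() != "userprincipalname":
        return "alt-suffix", f"set [vasd] {KEY} = userPrincipalName in vas.conf, then run 'vastool flush'"
    return "ok", "alternative UPN suffix is already handled via userPrincipalName"
```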

Troubleshooting PAM or "vastool smartcard test login" errors

The following sections describe symptoms and possible causes that you might encounter when trying to log in with the pam_vas_smartcard module or using the vastool smartcard test login command.

Note: Not all PAM applications display the error messages described in this section. You may need to enable debug, or use vastool smartcard test login to display these messages. For more information, see Enable debugging for smart card login with PAM.

Related Topics

Login fails when the network connectivity is down

Login fails when the system's internal clock is not synchronized

Login fails when the user account is disabled

Login fails when the user's certificate is not authorized

Troubleshooting "KDC has no support for padata type" issue

Troubleshooting "Cannot contact any KDC for requested realm" issue

Login fails when the network connectivity is down

You encounter a login failure with a "KDC is unreachable" or "KRB5_KDC_UNREACH" error message when the network connectivity between the client and Active Directory is down, or there is a configuration problem.

Enabling debug or running vastool smartcard test login with -d 6 helps you determine whether this is a connectivity or DNS issue.
