You encounter this error when the card reader is not correctly installed.
For more information, see For more information, see Checking the smart card reader..
You encounter this error when the card reader is not correctly installed.
For more information, see For more information, see Checking the smart card reader..
A warning displays, similar to the following:
WARNING: Smartcard user "vas-user@altsuffix.vas" is not unix enabled. You will not be able to log in with this card using VAS.
You will get a warning message that says, Smartcard user is not unix enabled because Safeguard Authentication Services cannot find that user in its cache. Safeguard Authentication Services 4.x is different from previous versions in that it interprets names in user principal name format as the Active Directory Kerberos principal name, which is actually <sAMAccountName>@<KerberosRealm>. If you have configured your smart cards with the user principal name from Active Directory, but the suffix of the user principal name on your smart card does not match the name of the Kerberos realm for your Active Directory domain, then you are using an alternative user principal name suffix. In other words, your Active Directory domain is COMPANY.COM, but the user principal on your smart card is vas-user@ALTSUFFIX.VAS.
Configure vas.conf to use user principal name as the logon attribute. This can be done by any of the following methods:
Safeguard Authentication Services Configuration Group Policy Setting:
Open QAS Configuration in the Group Policy editor.
Type username-attr-name in the search field and click Search.
Set the value to userPrincipalName.
Click OK to close the dialog.
Apply Group Policy on the Safeguard Authentication Services client by running the vgptool apply command.
Manually edit the vas.conf.
Open the vas.conf file on the Safeguard Authentication Services client.
In the [vasd] section, set "username-attr-name = userPrincipalName".
Save the vas.conf file.
Run the vastool flush command to repopulate user information.
Edit the vas.conf file with vastool.
Run the following command:
vastool configure vas vasd username-attr-name userPrincipalName
Run the vastool flush command to repopulate user information.
The following sections describe symptoms and possible causes that you might encounter when trying to log in with the pam_vas_smartcard module or using the vastool smartcard test login command.
Note: Not all PAM applications display the error messages described in this section. You may need to enable debug, or use vastool smartcard test login to display these messages. For more information, see Enabling debugging for smart card login with PAM.
Login fails when the network connectivity is down
Login fails when the system's internal clock is not synchronized
Login fails when the user account is disabled
Login fails when the user's certificate is not authorized
Troubleshooting "KDC has no support for padata type" issue
Troubleshooting "Cannot contact any KDC for requested realm" issue
You encounter a login failure with a KDC is unreachable or KRB5_KDC_UNREACH error message when the network connectivity between the client and Active Directory is down, or there is a configuration problem.
Enabling debug or using vastool smartcard test login with -d 6 help you determine if this is a connectivity or DNS issue.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center