
Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide


vastool WARNING: "Smart card user X is not unix enabled" Issue

Symptom:

A warning displays, similar to the following:

WARNING: Smartcard user "vas-user@altsuffix.vas" is not unix enabled.
You will not be able to log in with this card using VAS.

Diagnosis:

Authentication Services prints the warning "Smartcard user ... is not unix enabled." because it cannot find that user in its cache. Authentication Services 4.x differs from previous versions in that it interprets a name in user principal name (UPN) format as the Active Directory Kerberos principal name, which is actually <sAMAccountName>@<KerberosRealm>. If your smart cards carry the user principal name from Active Directory, but the suffix of that UPN does not match the Kerberos realm of your Active Directory domain, you are using an alternative UPN suffix. In the example above, the Active Directory domain (and therefore the Kerberos realm) is COMPANY.COM, but the user principal on the smart card is vas-user@ALTSUFFIX.VAS, so a lookup of vas-user@ALTSUFFIX.VAS as a Kerberos principal finds no user.

Solution:

Configure vas.conf to use the user principal name as the logon attribute. This can be done by any of the following methods:

  1. Authentication Services Configuration Group Policy Setting:
    1. Open QAS Configuration in the Group Policy editor
    2. Type "username-attr-name" in the search field and click the Search button
    3. Set the value to "userPrincipalName"
    4. Click OK to close the dialog
    5. Apply Group Policy on the Authentication Services client by running the vgptool apply command
  2. Manually edit the vas.conf
    1. Open the vas.conf file on the Authentication Services client
    2. In the "[vasd]" section, set "username-attr-name = userPrincipalName"
    3. Save the vas.conf file
    4. Run the vastool flush command to repopulate user information
  3. Edit the vas.conf with vastool
    1. Run the following command: vastool configure vas vasd username-attr-name userPrincipalName
    2. Run the vastool flush command to repopulate user information
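The following POSIX shell example is added here and is not code from the guide or from One Identity. It applies the diagnosis and the manual-edit solution above: upn_uses_alt_suffix tells you whether the UPN on a card has a suffix other than the Kerberos realm (the condition behind the warning), and set_vasd_attr writes username-attr-name into the [vasd] section of a vas.conf without touching the same key in other sections. The function names and the sample vas.conf content are constructed for illustration; on a real client you would point it at the vas.conf that vasd reads and then run vastool flush, as step 2.4 says.

```shell
#!/bin/sh
# Added example, not code from the One Identity guide. It does two things the
# diagnosis and solution above describe: tests whether a card's UPN uses an
# alternative UPN suffix, and sets username-attr-name in the [vasd] section
# of a vas.conf. The sample vas.conf content below is constructed; on a real
# client the file is the one vasd reads (run "vastool flush" after changing it).

# upn_uses_alt_suffix UPN REALM
# True (exit 0) when the UPN suffix differs from the Kerberos realm, ignoring
# case. A name with no "@" is not a UPN at all and returns 2.
upn_uses_alt_suffix() {
    upn=$1; realm=$2
    case "$upn" in
        *@*) ;;
        *)   return 2 ;;
    esac
    suffix=$(printf '%s' "${upn##*@}" | tr '[:lower:]' '[:upper:]')
    realm_uc=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$suffix" != "$realm_uc" ]
}

# set_vasd_attr FILE KEY VALUE
# Sets "KEY = VALUE" inside [vasd] only: replaces an existing assignment there,
# adds the key to an existing [vasd] section, or appends a new [vasd] section.
# The same key in another section (e.g. [libdefaults]) is left alone.
set_vasd_attr() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { in_vasd = 0; seen = 0; done = 0 }
        /^[[:space:]]*\[/ {
            # leaving [vasd] without having written the key: write it now
            if (in_vasd && !done) { print key " = " value; done = 1 }
            in_vasd = ($0 ~ /^[[:space:]]*\[vasd\][[:space:]]*$/)
            if (in_vasd) seen = 1
            print; next
        }
        in_vasd && !done && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            print key " = " value; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!seen) print "[vasd]"
                print key " = " value
            }
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# vasd_attr FILE KEY
# Prints the value of KEY from the [vasd] section, or nothing if it is unset.
vasd_attr() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_vasd = ($0 ~ /^[[:space:]]*\[vasd\][[:space:]]*$/); next }
        in_vasd && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", ""); print; exit
        }
    ' "$1"
}

# count_key FILE KEY: number of lines in FILE assigning KEY (any section).
count_key() {
    grep -c "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# Demo on a constructed vas.conf: [vasd] exists but lacks the key.
demo_add_attr() {
    f=$(mktemp)
    printf '%s\n' '[libdefaults]' 'default_realm = COMPANY.COM' '' \
                  '[vasd]' 'workstation-mode = false' > "$f"
    set_vasd_attr "$f" username-attr-name userPrincipalName
    vasd_attr "$f" username-attr-name
    rm -f "$f"
}

# Demo on a constructed vas.conf where the key is already set in [vasd] and
# must be replaced in place (one assignment before, still one after).
demo_replace_attr() {
    f=$(mktemp)
    printf '%s\n' '[vasd]' 'username-attr-name = sAMAccountName' 'workstation-mode = false' > "$f"
    set_vasd_attr "$f" username-attr-name userPrincipalName
    printf '%s %s\n' "$(vasd_attr "$f" username-attr-name)" "$(count_key "$f" username-attr-name)"
    rm -f "$f"
}

if upn_uses_alt_suffix 'vas-user@ALTSUFFIX.VAS' 'COMPANY.COM'; then
    echo 'alternative UPN suffix in use: set username-attr-name = userPrincipalName'
fi
```

Both demo functions work on temporary copies so the script is safe to run as-is; to apply it to a client, call set_vasd_attr on the real vas.conf path with root privileges and follow with vastool flush.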

Troubleshooting PAM or "vastool smartcard test login" errors

The following sections describe symptoms and possible causes that you might encounter when trying to log in with the pam_vas_smartcard module or using the vastool smartcard test login command.

Note: Not all PAM applications display the error messages described in this section. You may need to enable debug and/or use vastool smartcard test login to display these messages. (See Enable debug for smart card login with PAM for more information.)

Related Topics

Login fails when the network connectivity is down

Login fails when the system's internal clock is not synchronized

Login fails when the user account is disabled

Login fails when the user's certificate is not authorized

Troubleshooting "KDC has no support for padata type" issue

Troubleshooting "Cannot contact any KDC for requested realm" issue

Login fails when the network connectivity is down

You encounter a login failure with a "KDC is unreachable" or "KRB5_KDC_UNREACH" error message when network connectivity between the client and Active Directory is down, or when there is a configuration problem that prevents the client from locating a KDC.

Enabling debug, or running vastool smartcard test login with -d 6, helps you determine whether this is a connectivity problem or a DNS problem.

Login fails when the system's internal clock is not synchronized

You encounter a login failure with a message that says, "Your system's internal clock is not synchronized with your authentication server" or "KRB5KRB_AP_ERR_SKEW" when your system clock differs from Active Directory by more than the Kerberos clock skew tolerance and needs to be synchronized.

To synchronize your system clock with Active Directory

  1. Run the vastool timesync command.

For more information, see also the "Time Synchronization Problems" section in the Authentication Services Administration Guide, located in the docs directory of the installation media.
