A warning displays, similar to the following:
WARNING: Smartcard user "vas-user@altsuffix.vas" is not unix enabled. You will not be able to log in with this card using VAS.
You get the "Smartcard user is not unix enabled" warning because Authentication Services cannot find that user in its cache. Authentication Services 4.x differs from previous versions in that it interprets a name in user principal name format as the Active Directory Kerberos principal name, which is actually <sAMAccountName>@<KerberosRealm>. If you have configured your smart cards with the user principal name from Active Directory, but the suffix of that user principal name does not match the name of the Kerberos realm for your Active Directory domain, then you are using an alternative user principal name suffix. For example, your Active Directory domain is COMPANY.COM, but the user principal name on your smart card is vas-user@ALTSUFFIX.VAS, so a lookup of vas-user@ALTSUFFIX.VAS as a Kerberos principal in COMPANY.COM finds nothing.
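The lookup mismatch described above, as an added example that is not part of the One Identity documentation or of the Authentication Services code: a small Python model of how a card's name is matched against Active Directory when the name is read as <sAMAccountName>@<KerberosRealm> versus when it is compared against the userPrincipalName attribute. The realm COMPANY.COM, the three directory entries, and the labels sAMAccountName and userPrincipalName (used here as plain strings, not as vas.conf syntax) are all assumptions made for the example.

```python
"""Added example, not One Identity's code: models how a smart card name is
matched against Active Directory under two different logon attributes.
The realm, the directory entries and the attribute labels are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

KERBEROS_REALM = "COMPANY.COM"  # assumed Kerberos realm of the AD domain


@dataclass(frozen=True)
class AdUser:
    sam_account_name: str
    user_principal_name: str   # may carry an alternative UPN suffix
    unix_enabled: bool         # has Unix attributes, i.e. is in the vasd cache


# Constructed sample directory. ALTSUFFIX.VAS is an alternative UPN suffix;
# the realm is spelled in lower case to show that matching is case-insensitive.
DIRECTORY = (
    AdUser("vas-user", "vas-user@ALTSUFFIX.VAS", True),
    AdUser("jsmith", "jsmith@company.com", True),
    AdUser("svc-backup", "svc-backup@company.com", False),
)


def split_principal(name: str) -> Tuple[str, str]:
    """Split 'user@SUFFIX' into (user, SUFFIX); reject names without a suffix."""
    user, sep, suffix = name.rpartition("@")
    if not sep or not user or not suffix:
        raise ValueError(f"not in user@suffix form: {name!r}")
    return user, suffix


def is_alternative_upn_suffix(card_name: str, realm: str = KERBEROS_REALM) -> bool:
    """True when the suffix on the card is not the domain's Kerberos realm."""
    return split_principal(card_name)[1].upper() != realm.upper()


def resolve(card_name: str, logon_attr: str, realm: str = KERBEROS_REALM,
            directory=DIRECTORY) -> Optional[AdUser]:
    """Look the card name up under a logon attribute.

    'sAMAccountName' reproduces the 4.x default interpretation: the name is
    read as <sAMAccountName>@<KerberosRealm>, so only names in the realm match.
    'userPrincipalName' compares the whole name against the UPN attribute.
    These two labels belong to this example, not to vas.conf.
    """
    user, suffix = split_principal(card_name)
    if logon_attr == "sAMAccountName":
        if suffix.upper() != realm.upper():
            return None  # an alternative suffix is not a realm vasd knows
        return next((e for e in directory
                     if e.sam_account_name.lower() == user.lower()), None)
    if logon_attr == "userPrincipalName":
        return next((e for e in directory
                     if e.user_principal_name.lower() == card_name.lower()), None)
    raise ValueError(f"unknown logon attribute: {logon_attr!r}")


def login_check(card_name: str, logon_attr: str) -> str:
    """Outcome of the name check for this card name and logon attribute.

    In the product both 'not found' and 'not unix enabled' surface as the one
    warning quoted above; they are kept apart here to show which one applies.
    """
    entry = resolve(card_name, logon_attr)
    if entry is None:
        return "not found"
    if not entry.unix_enabled:
        return "not unix enabled"
    return "ok"


if __name__ == "__main__":
    for name in ("vas-user@ALTSUFFIX.VAS", "jsmith@COMPANY.COM",
                 "svc-backup@company.com"):
        for attr in ("sAMAccountName", "userPrincipalName"):
            print(f"{name:24} {attr:18} alt-suffix="
                  f"{is_alternative_upn_suffix(name)!s:5} -> {login_check(name, attr)}")
```

Running the block shows that vas-user@ALTSUFFIX.VAS resolves only under the userPrincipalName attribute, while names whose suffix is the realm resolve either way, which is why switching the logon attribute is the fix for cards provisioned with an alternative suffix.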
Configure vas.conf to use the user principal name as the logon attribute. This can be done by any of the following methods:
The following sections describe symptoms and possible causes that you might encounter when trying to log in with the pam_vas_smartcard module or using the vastool smartcard test login command.
Note: Not all PAM applications display the error messages described in this section. You may need to enable debug and/or use vastool smartcard test login to display these messages. (See Enable debug for smart card login with PAM for more information.)
Login fails when the network connectivity is down
Login fails when the system's internal clock is not synchronized
Login fails when the user account is disabled
Login fails when the user's certificate is not authorized
Troubleshooting "KDC has no support for padata type" issue
Troubleshooting "Cannot contact any KDC for requested realm" issue
You encounter a login failure with a "KDC is unreachable" or "KRB5_KDC_UNREACH" error message when network connectivity between the client and Active Directory is down, or when there is a configuration problem (for example, the client cannot resolve the domain's KDC records in DNS).
Enabling debug, or running vastool smartcard test login with -d 6, helps you determine whether this is a connectivity or a DNS issue.
You encounter a login failure with a message that says, "Your system's internal clock is not synchronized with your authentication server" or "KRB5KRB_AP_ERR_SKEW" when your system clock needs to be synchronized with Active Directory. Kerberos rejects requests whose timestamps differ from the KDC's clock by more than the permitted clock skew, which is five minutes by default.
To synchronize your system clock with Active Directory
For more information, see also the "Time Synchronization Problems" section in the Authentication Services Administration Guide, located in the docs directory of the installation media.