Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide


Login fails when the user account is disabled

You encounter a login failure with a message that says "The authentication server policy does not allow you to log in at this time.", "KRB5KDC_ERR_POLICY" or "KRB5KDC_ERR_CLIENT_REVOKED" when a user's account has been restricted, locked out or expired. This message is also displayed when a user whose account is marked "Smart card required for login" attempts to log in with a password.

Check the user's account settings in Active Directory. (See Check login for more information.)

Login fails when the user's certificate is not authorized

You encounter a login failure with a message that says "Your certificate cannot be verified by the authentication server" or "KRB5_KDC_ERROR_CANT_VERIFY_CERTIFICATE" when either Authentication Services for Smart Cards was unable to automatically bootstrap the trusted certificates, or the CA certificate that was used to issue that certificate is not in the NTAuthCertificates container in Active Directory. Generally, this error occurs either when Active Directory is verifying the user's certificate, or when Authentication Services for Smart Cards is verifying the KDC certificate returned by Active Directory.

Refer to the Bootstrapping trusted certificates section of this guide for more information.

Troubleshooting "KDC has no support for padata type" issue

Symptom:

An error displays, similar to the following:

KRB5KDC_ERR_PADATA_TYPE_NOSUPP (-1765328368): KDC has no support for padata type

Diagnosis:

This error occurs if the domain controller does not have a Domain Controller Authentication Certificate.

Solution:
  1. From the Certificates console, open the Certificate Request wizard.
  2. Select Domain Controller Authentication.
  3. Click Enroll.

Troubleshooting "Cannot contact any KDC for requested realm" issue

Symptom:

An error displays, similar to the following:

ERROR: VAS_ERR_KRB5: Failed to obtain credentials. Client: vas-user@ALTSUFFIX.VAS,
Service: krbtgt/ALTSUFFIX.VAS@ALTSUFFIX.VAS, Server: (null)
   Caused by:
   KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm
Reason: unable to reach any KDC in realm ALTSUFFIX.VAS

Diagnosis:

You will get an error message that says, "Cannot contact any KDC for requested realm" because Authentication Services cannot obtain a Kerberos ticket for the user principal name encoded on the smart card.

This will occur when Authentication Services is unable to communicate with a domain controller. Run the vastool info servers command and try to ping your domain controllers to ensure that your network is properly configured and that Authentication Services has found a domain controller to use for communication with Active Directory.

If the problem persists, you may have a problem with your user principal name suffix. This occurs when the suffix of the user principal name on your smart card does not match the name of the Kerberos realm for your Active Directory domain. For example, your Active Directory domain is COMPANY.COM, but the user principal on your smart card is vas-user@ALTSUFFIX.VAS. This means you are using an alternative user principal name suffix.

Solution:

Configure vas.conf to use the user principal name as the logon attribute. This can be done by any of the following methods:

  1. Authentication Services Configuration Group Policy Setting:
    1. Open QAS Configuration in the Group Policy editor
    2. Type "username-attr-name" in the search field and click the Search button
    3. Set the value to "userPrincipalName"
    4. Click OK to close the dialog
    5. Apply Group Policy on the Authentication Services client by running the vgptool apply command
  2. Manually edit the vas.conf
    1. Open the vas.conf file on the Authentication Services client
    2. In the "[vasd]" section, set "username-attr-name = userPrincipalName"
    3. Save the vas.conf file
    4. Run the vastool flush command to repopulate user information
  3. Edit the vas.conf with vastool
    1. Run the following command: vastool configure vas vasd username-attr-name userPrincipalName
    2. Run the vastool flush command to repopulate user information
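The diagnosis and fix above, as an added shell example that is not part of the One Identity guide: one function tests whether the UPN on the card carries an alternative suffix that differs from the realm, and two more read and set username-attr-name in the [vasd] section of a vas.conf whose path you pass in. The edit is done directly with awk rather than with vastool configure vas, so it runs on a machine without Authentication Services installed.

```shell
#!/bin/sh
# Added example, not from the One Identity guide: diagnose an alternative UPN
# suffix and make sure the [vasd] section of vas.conf logs users on by
# userPrincipalName. The vas.conf path is an argument; the file is edited
# directly with awk instead of `vastool configure vas`, so no product is needed.

# upn_realm_mismatch UPN REALM: succeeds when the UPN suffix is not the realm,
# i.e. the card carries an alternative UPN suffix (compared case-insensitively).
upn_realm_mismatch() {
    upn_suffix=$(printf '%s' "$1" | sed 's/^.*@//' | tr '[:lower:]' '[:upper:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ "$upn_suffix" != "$realm" ]
}

# vasd_username_attr FILE: print the current username-attr-name from [vasd].
vasd_username_attr() {
    awk -F= '
        /^[[:space:]]*\[/ { in_vasd = ($0 ~ /^[[:space:]]*\[vasd\]/); next }
        in_vasd && $1 ~ /^[[:space:]]*username-attr-name[[:space:]]*$/ {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2
        }
    ' "$1"
}

# set_vasd_username_attr FILE VALUE: set username-attr-name = VALUE in [vasd],
# replacing an existing entry or adding the key (and the section) if missing.
set_vasd_username_attr() {
    tmp=$(mktemp) || return 1
    awk -v val="$2" '
        /^[[:space:]]*\[/ {
            if (in_vasd && !done) { print "username-attr-name = " val; done = 1 }
            in_vasd = ($0 ~ /^[[:space:]]*\[vasd\]/)
            print; next
        }
        in_vasd && /^[[:space:]]*username-attr-name[[:space:]]*=/ {
            if (!done) { print "username-attr-name = " val; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!in_vasd) { print ""; print "[vasd]" }
                print "username-attr-name = " val
            }
        }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}
```

After setting the attribute, still run vastool flush as the guide describes so the cached user information is repopulated.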