You encounter a login failure with a message that says, "The authentication server policy does not allow you to log in at this time.", "KRB5KDC_ERR_POLICY"or "KRB5KDC_ERR_CLIENT_REVOKED" when a user's account has been restricted, locked out or expired. This message is also displayed when a user, whose account is marked "Smart card required for login", attempts to log in with a password.
Check the user's account settings in Active Directory. (See Check login for more information.)
You encounter a login failure with a message that says, "Your certificate cannot be verified by the authentication server" or "KRB5_KDC_ERROR_CANT_VERIFY_CERTIFICATE" when either Authentication Services for Smart Cards was unable to automatically bootstrap the trusted certificates; or, the CA certificate that was used to issue that certificate is not in NtAuthCertificatescontainer in Active Directory. Generally, this error occurs either when Active Directory is verifying the user's certificate, or when Authentication Services for Smart Cards is verifying the KDC certificate returned by Active Directory.
Refer to the Bootstrapping trusted certificates section of this guide for more information.
An error displays, similar to the following:
KRB5KDC_ERR_PADATA_TYPE_NOSUPP (-1765328368): KDC has no support for padata type
This error occurs if the domain controller does not have a Domain Controller Authentication Certificate.
An error displays, similar to the following:
ERROR: VAS_ERR_KRB5: Failed to obtain credentials. Client: vas-user@ALTSUFFIX.VAS, Service: krbtgt/ALTSUFFIX.VAS@ALTSUFFIX.VAS, Server: (null) Caused by: KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm Reason: unable to reach any KDC in realm ALTSUFFIX.VAS
You will get an error message that says, "Cannot contact any KDC for requested realm" because Authentication Services cannot obtain a Kerberos ticket for the user principal name encoded on the smart card.
This will occur when Authentication Services is unable to communicate with a domain controller. Run the vastoolinfoservers command and try to ping your domain controllers to ensure that your network is properly configured and Authentication Services has found a domain controller to use for communication with Active Directory.
If the problem persists, you may have a problem with your user principal name suffix. This occurs when the suffix of the user principal name on your smart card does not match the name of the Kerberos realm for your Active Directory domain. In other words, your Active Directory domain is COMPANY.COM, but the user principal on your smart card is vas-user@ALTSUFFIX.VAS. This means you are using an alternative user principal name suffix.
Configure vas.conf to use user principal name as the logon attribute. This can be done by any of the following methods:
© 2023 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy