This section describes the symptoms and possible causes of error messages that appear in the log when you attempt to log in or perform other Authentication Services for Smart Cards functions.
Log shows "clock skew problems"
Log shows "server policy does not allow them on" or "account is expired"
Log shows "Failed authentication attempt: cannot verify certificate"
The log shows "clock skew problems" when a login fails because your system clock is out of sync with Active Directory.
To synchronize your system clock with Active Directory
Run the vastool timesync command.
For more information, see also the "Time Synchronization Problems" section in the Authentication Services Administration Guide, located in the docs directory of the installation media.
The log shows "server policy does not allow them on" or "account is expired" when a user's account has been restricted, locked out, or has expired, or when a user whose account is marked "Smart card required for login" attempts to log in with a password.
Check the user's account settings in Active Directory. (See Check login for more information.)
The log shows "Failed authentication attempt: cannot verify certificate" when certificate verification fails, either while Active Directory is verifying the user's certificate or while Authentication Services for Smart Cards is verifying the KDC certificate returned by Active Directory. The most likely causes are that the CA certificate used to issue that certificate is not in the NtAuthCertificates container in Active Directory, or that Authentication Services for Smart Cards was unable to automatically bootstrap the trusted certificates.
Check the user's account settings in Active Directory. (See Check login for more information.)
See also the Bootstrapping trusted certificates section of this guide.
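As an added example (not part of the vendor documentation), the following shell script tallies the three messages covered above in a log file and prints the next step this page gives for each. The log line layout, host and user names, and the function names sample_log and triage_log are assumptions; only the quoted message strings come from this page.

```shell
#!/bin/sh
# Added example: tally the three log messages described on this page.
# Only the quoted message strings come from the page; the log line layout,
# host and user names below are constructed for illustration.

sample_log() {
    cat <<'EOF'
Jan 10 09:01:12 host1 login[2211]: alice: clock skew problems
Jan 10 09:01:40 host1 login[2214]: alice: clock skew problems
Jan 10 09:05:03 host1 login[2290]: bob: account is expired
Jan 10 09:07:55 host1 login[2302]: carol: server policy does not allow them on
Jan 10 09:12:31 host1 login[2350]: Failed authentication attempt: cannot verify certificate
Jan 10 09:13:00 host1 login[2351]: session opened for user dave
EOF
}

# triage_log FILE
# Prints one line per cause seen, in a fixed order:
#   <cause> <count> <next step from this page>
# Lines that match none of the three messages are ignored.
triage_log() {
    awk '
        /clock skew problems/ { n["clock_skew"]++ }
        /server policy does not allow them on|account is expired/ { n["account_restricted"]++ }
        /Failed authentication attempt: cannot verify certificate/ { n["cert_verify"]++ }
        END {
            step["clock_skew"] = "run vastool timesync"
            step["account_restricted"] = "check the account settings in Active Directory"
            step["cert_verify"] = "check NtAuthCertificates and trusted certificate bootstrapping"
            count = split("clock_skew account_restricted cert_verify", order, " ")
            for (i = 1; i <= count; i++)
                if (order[i] in n)
                    printf "%s %d %s\n", order[i], n[order[i]], step[order[i]]
        }
    ' "$1"
}

# Demo run on the constructed sample.
log=$(mktemp)
sample_log > "$log"
triage_log "$log"
rm -f "$log"
```

To use it on a real host, pass triage_log the path of the log file your syslog configuration writes authentication messages to.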