Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide

Troubleshooting log errors

The following section describes symptoms and possible causes of log error messages when attempting to log in or perform other Authentication Services for Smart Cards functions.

Log shows "clock skew problems"

The log shows "clock skew problems" when a login fails because your system clock is out of sync with Active Directory.

To synchronize your system clock with Active Directory

Run the vastool timesync command.

For more information, see also the "Time Synchronization Problems" section in the Authentication Services Administration Guide, located in the docs directory of the installation media.

Log shows "server policy does not allow them on" or "account is expired"

The log shows "server policy does not allow them on" or "account is expired" when a user's account has been restricted, locked out or expired, or when a user whose account is marked "Smart card required for login" attempts to log in with a password.

Check the user's account settings in Active Directory. (See Check login for more information.)

Log shows "Failed authentication attempt: cannot verify certificate"

The log shows "Failed authentication attempt: cannot verify certificate" when certificate verification fails, either while Active Directory is verifying the user's certificate or while Authentication Services for Smart Cards is verifying the KDC certificate returned by Active Directory. The most likely causes are that the CA certificate used to issue that certificate is not in the NtAuthCertificates container in Active Directory, or that Authentication Services for Smart Cards was unable to automatically bootstrap the trusted certificates.

Check the user's account settings in Active Directory. (See Check login for more information.)

See also the Bootstrapping trusted certificates section of this guide.
