An error displays, similar to the following:
ERROR: could not establish initial credentials ERROR: VAS_ERR_KRB5: at ticket.c:72 in ticket_generate_good_error Failed to obtain credentials. Client: vas-user@SC.VAS, Service: krbtgt/SC.VAS@SC.VAS Caused by: KRB5_KDC_ERR_CLIENT_NOT_TRUSTED (-1765328322): Client not trusted
You will get an error message that says, "Client not trusted" if Active Directory cannot determine the validity of the client certificate supplied by the smart card, or the validity of any certificate that issued the client certificate.
This may occur for a number of reasons:
Active Directory passes the certificate to the CA for verification. If the CA is not running, the certificate cannot be verified and is therefore not trusted.
Typically, the CRL is obtained by means of LDAP calls to an external revocation server, and if this server is unreachable or cannot supply a new CRL, the CA cannot check the revocation status of the certificate and the client is therefore not trusted.
Check the output for the following:
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613) ------------------------------------ Revocation check skipped -- server offline
You may obtain information about the certutil tool at:
Certificate lookups fail.
This failure occurs because the default IPC timeout of 5 seconds is insufficient to handle some referrals.
Set a sufficient value for the vascache-ipc-timeout property in vas.conf, as follows:
[libvas] vascache-ipc-timeout = 10