
Safeguard Authentication Services 4.2 - Authentication Services for Smart Cards Administration Guide


Test user login

Note: This command requires that you are joined to a domain.

To test whether it is possible to log in using the inserted card

  1. Run the vastool smartcard test login command.

    For example:

    # vastool smartcard test login
    Testing user user@vas.example
    Testing certificate validity ... ok
    Testing if PIN is required ... ok
    Enter PIN for user@vas.example:
    Performing login to card ... ok
    Creating ID for client with UPN 'user@vas.example' ... ok
    Establish initial credentials using PKCS#11 ... ok

    This command uses the inserted card to perform a login to Active Directory. It displays a warning if the user is not Unix-enabled, and an error if the login fails. This command is useful when troubleshooting Authentication Services for Smart Cards login problems.

Troubleshooting

To help you troubleshoot your Authentication Services for Smart Cards installation, One Identity recommends the following resolutions to some of the common problems you might encounter.

Steps to diagnose problems

Authentication Services for Smart Cards provides a number of tools and options to diagnose problems.

  1. Check the smart card reader
  2. Check the PKCS#11 library
  3. Check the card
  4. Check login
  5. Enable debugging for smart card login with PAM
  6. Enable debugging for the Authentication Services daemon
  7. Enable debugging for the PKCS#11 library

Check the smart card reader

To troubleshoot problems with the card reader, first ensure that the reader is connected to the Unix workstation correctly, and that it is detected by the system.

To ensure that the reader is connected correctly

  1. Run the following command:
    /sbin/lsusb

    This displays output showing that the card reader is attached to one of the USB ports. For example:

    Bus 003 Device 001: ID 0000:0000
    Bus 002 Device 002: ID 04e6:511c SCM Microsystems, Inc.
    Bus 002 Device 001: ID 0000:0000
    Bus 001 Device 001: ID 0000:0000

    This shows a Reflex v3 USB reader connected to the workstation.

    Note: Some readers require that you insert a card before the USB driver detects it.

    Consult your vendor's troubleshooting guide for more details on determining whether the reader is connected.
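A scripted form of the reader check above, as an added example that is not part of the One Identity guide. The function names `find_reader` and `check_reader` are hypothetical, entries with ID 0000:0000 are assumed not to be a reader, and the sample input is the lsusb output shown above.

```shell
#!/bin/sh
# Added example (not from the vendor guide): locate a card reader in lsusb output.
# find_reader reads lsusb-format lines on stdin.
#   $1 (optional): vendor:product ID to match, for example 04e6:511c
# Prints one "bus=... device=... id=... desc=..." line per match; returns 1 if none.
find_reader() {
    want=$(printf '%s' "${1:-}" | tr 'A-F' 'a-f')
    awk -v want="$want" '
        $1 == "Bus" && $3 == "Device" && $5 == "ID" {
            id = tolower($6)
            if (id == "0000:0000") next      # assumption: no vendor/product ID, not a reader
            if (want != "" && id != want) next
            bus = $2; dev = $4; sub(/:$/, "", dev)
            desc = ""
            for (i = 7; i <= NF; i++) desc = desc (i > 7 ? " " : "") $i
            printf "bus=%s device=%s id=%s desc=%s\n", bus, dev, id, desc
            found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# check_reader wraps find_reader with a troubleshooting hint on failure.
check_reader() {
    if out=$(find_reader "$1"); then
        printf 'reader detected: %s\n' "$out"
    else
        printf 'reader %s not detected: check the connection, and insert a card if the reader needs one\n' "$1"
        return 1
    fi
}

# Constructed sample input: the lsusb output shown in this section.
SAMPLE_LSUSB='Bus 003 Device 001: ID 0000:0000
Bus 002 Device 002: ID 04e6:511c SCM Microsystems, Inc.
Bus 002 Device 001: ID 0000:0000
Bus 001 Device 001: ID 0000:0000'

# On a live workstation, replace the printf with: /sbin/lsusb | check_reader 04e6:511c
printf '%s\n' "$SAMPLE_LSUSB" | check_reader 04e6:511c
```
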
