Chat now with support
Chat with Support

Safeguard Authentication Services 4.2 - Authentication Services for Smart Cards Administration Guide

One Identity Privileged Access Suite for Unix Introducing Authentication Services for Smart Cards Installing Authentication Services for Smart Cards Configuring Authentication Services for Smart Cards
Configuring the vendor’s PKCS#11 library Configuring the card slot for your PKCS#11 library Configuring PAM applications for smart card login Configuring certificates and CRLs Locking the screen saver upon card removal (macOS)
Testing Authentication Services for Smart Cards Troubleshooting

Login fails when the user account is disabled

You encounter a login failure with a message that says, "The authentication server policy does not allow you to log in at this time.", "KRB5KDC_ERR_POLICY"or "KRB5KDC_ERR_CLIENT_REVOKED" when a user's account has been restricted, locked out, or expired. This message is also displayed when a user, whose account is marked "Smart card required for login", attempts to log in with a password.

Check the user's account settings in Active Directory. For more information, see Check login.

Login fails when the user's certificate is not authorized

You encounter a login failure with a message that says, "Your certificate cannot be verified by the authentication server" or "KRB5_KDC_ERROR_CANT_VERIFY_CERTIFICATE" when either Authentication Services for Smart Cards was unable to automatically bootstrap the trusted certificates; or, the CA certificate that was used to issue that certificate is not in NtAuthCertificatescontainer in Active Directory. Generally, this error occurs when Active Directory is verifying the user's certificate, or when Authentication Services for Smart Cards is verifying the KDC certificate returned by Active Directory.

For more information, see Bootstrapping trusted certificates.

Troubleshooting "KDC has no support for padata type" issue

Symptom:

An error displays, similar to the following:

KRB5KDC_ERR_PADATA_TYPE_NOSUPP (-1765328368): KDC has no support for padata type
Diagnosis:

This error occurs if the domain controller does not have a Domain Controller Authentication Certificate.

Solution:
  1. From the Certificates console open the Certificate Request wizard.
  2. Select Domain Controller Authentication.
  3. Click Enroll.

Troubleshooting "Cannot contact any KDC for requested realm" issue

Symptom:

An error displays, similar to the following:

ERROR: VAS_ERR_KRB5: Failed to obtain credentials. Client: vas-user@ALTSUFFIX.VAS,
Service: krbtgt/ALTSUFFIX.VAS@ALTSUFFIX.VAS, Server: (null)
   Caused by:
   KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm
Reason: unable to reach any KDC in realm ALTSUFFIX.VAS
Diagnosis:

You will get an error message that says, "Cannot contact any KDC for requested realm" because Authentication Services cannot obtain a Kerberos ticket for the user principal name encoded on the smart card.

This will occur when Authentication Services is unable to communicate with a domain controller. Run the vastool info servers command and try to ping your domain controllers to ensure that your network is properly configured and Authentication Services has found a domain controller to use for communication with Active Directory.

If the problem persists, you may have a problem with your user principal name suffix. This occurs when the suffix of the user principal name on your smart card does not match the name of the Kerberos realm for your Active Directory domain. In other words, your Active Directory domain is COMPANY.COM, but the user principal on your smart card is vas-user@ALTSUFFIX.VAS. This means you are using an alternative user principal name suffix.

Solution:

Configure vas.conf to use user principal name as the logon attribute. This can be done by any of the following methods:

  1. Authentication Services Configuration Group Policy Setting:
    1. Open QAS Configuration in the Group Policy editor.
    2. Type username-attr-name in the search field and click the Search button.
    3. Set the value to userPrincipalName.
    4. Click OK to close the dialog.
    5. Apply Group Policy on the Authentication Services client by running the vgptool apply command.
  2. Manually edit the vas.conf.
    1. Open the vas.conf file on the Authentication Services client.
    2. In the [vasd] section, set "username-attr-name = userPrincipalName".
    3. Save the vas.conf file.
    4. Run the vastool flush command to repopulate user information.
  3. Edit the vas.conf with vastool.
    1. Run the following command:

      vastool configure vas vasd username-attr-name userPrincipalName

    2. Run the vastool flush command to repopulate user information.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating