Safeguard Authentication Services 4.2 - Authentication Services for Smart Cards Administration Guide


Troubleshooting log errors

This section describes the symptoms and possible causes of log error messages that appear when you attempt to log in or perform other Authentication Services for Smart Cards functions.

Related Topics

Log shows "clock skew problems"

Log shows "server policy does not allow them on" or "account is expired"

Log shows "Failed authentication attempt: cannot verify certificate"

Log shows "clock skew problems"

The log shows "clock skew problems" when a login fails because the system clock is out of sync with Active Directory.

To synchronize your system clock with Active Directory

  1. Run the following command as root:

         vastool timesync

Log shows "server policy does not allow them on" or "account is expired"

The log shows "server policy does not allow them on" or "account is expired" when a user's account has been restricted, locked out, or has expired, or when a user whose account is marked Smart card required for login attempts to log in with a password.

Check the user's account settings in Active Directory. For more information, see Check login.

Log shows "Failed authentication attempt: cannot verify certificate"

The log shows "Failed authentication attempt: cannot verify certificate" when certificate verification fails, either while Active Directory is verifying the user's certificate or while Authentication Services for Smart Cards is verifying the KDC certificate returned by Active Directory. The most likely causes are that the CA certificate used to issue that certificate is not in the NtAuthCertificates container in Active Directory, or that Authentication Services for Smart Cards was unable to automatically bootstrap the trusted certificates.

Check the user's account settings in Active Directory. For more information, see Check login.

See also Bootstrapping trusted certificates.
