You encounter this error when the card reader is not correctly installed.
A warning displays, similar to the following:
WARNING: Smartcard user "vas-user@altsuffix.vas" is not unix enabled. You will not be able to log in with this card using VAS.
You get the warning "Smartcard user is not unix enabled" because Safeguard Authentication Services cannot find that user in its cache. Safeguard Authentication Services 4.x differs from previous versions in that it interprets names in user principal name format as the Active Directory Kerberos principal name, which is actually <sAMAccountName>@<KerberosRealm>. If you have configured your smart cards with the user principal name from Active Directory, but the suffix of the user principal name on your smart card does not match the name of the Kerberos realm for your Active Directory domain, then you are using an alternative user principal name suffix. In other words, your Active Directory domain is COMPANY.COM, but the user principal on your smart card is vas-user@ALTSUFFIX.VAS.
Configure vas.conf to use user principal name as the logon attribute. This can be done by any of the following methods:
Run the following command:
vastool configure vas vasd username-attr-name userPrincipalName
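The check behind this diagnosis is a suffix comparison: the part of the smart card UPN after the last "@" is compared, case-insensitively, with the Kerberos realm of the domain. The script below is an added example and not One Identity's code; it extracts the UPN from a warning line of the form shown above and reports whether an alternative UPN suffix is in use. The warning text and the realm COMPANY.COM are constructed sample values.

```shell
#!/bin/sh
# Added example (not One Identity's code): decide whether a smart card UPN
# uses an alternative UPN suffix, i.e. whether its suffix differs from the
# Kerberos realm of the AD domain. The warning line and realm are
# constructed sample values.

# upn_suffix UPN: print the part after the last '@' of a UPN
upn_suffix() {
    printf '%s\n' "$1" | sed 's/.*@//'
}

# is_alt_upn_suffix UPN REALM
# Returns 0 (true) when the UPN suffix differs from REALM (case-insensitive),
# which is the situation in which vasd must use userPrincipalName as the
# logon attribute. Returns 1 when they match, 2 when UPN contains no '@'.
is_alt_upn_suffix() {
    upn=$1
    realm=$2
    case "$upn" in
        *@*) ;;
        *) return 2 ;;
    esac
    suffix=$(upn_suffix "$upn" | tr '[:lower:]' '[:upper:]')
    realm_uc=$(printf '%s\n' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$suffix" != "$realm_uc" ]
}

# parse_warning_upn LINE: extract the quoted UPN from the vasd warning line
parse_warning_upn() {
    printf '%s\n' "$1" | sed -n 's/.*Smartcard user "\([^"]*\)".*/\1/p'
}

# Constructed sample input: the warning from the page and a sample realm
WARN='WARNING: Smartcard user "vas-user@altsuffix.vas" is not unix enabled. You will not be able to log in with this card using VAS.'
REALM=COMPANY.COM

card_upn=$(parse_warning_upn "$WARN")
if is_alt_upn_suffix "$card_upn" "$REALM"; then
    echo "$card_upn uses an alternative UPN suffix (realm is $REALM)."
    echo "Switch the logon attribute: vastool configure vas vasd username-attr-name userPrincipalName"
else
    echo "$card_upn matches realm $REALM; the UPN suffix is not the cause."
fi
```

Run it on a host where the warning appears by replacing WARN with the actual line and REALM with the domain's Kerberos realm; a match means the alternative-suffix fix does not apply and the cache or account itself should be examined instead.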
The following sections describe symptoms and possible causes that you might encounter when trying to log in with the pam_vas_smartcard module or using the vastool smartcard test login command.
Note: Not all PAM applications display the error messages described in this section. You may need to enable debugging, or use vastool smartcard test login, to display these messages. For more information, see Enable debugging for smart card login with PAM.
Login fails when the network connectivity is down
Login fails when the system's internal clock is not synchronized
Login fails when the user account is disabled
Login fails when the user's certificate is not authorized
Troubleshooting "KDC has no support for padata type" issue
Troubleshooting "Cannot contact any KDC for requested realm" issue
You encounter a login failure with a "KDC is unreachable" or "KRB5_KDC_UNREACH" error message when network connectivity between the client and Active Directory is down, or when there is a configuration problem.
Enabling debugging, or running vastool smartcard test login with -d 6, helps you determine whether this is a connectivity or a DNS issue.