Safeguard Authentication Services 5.0.4 - Authentication Services for Smart Cards Administration Guide

Login fails when the system's internal clock is not synchronized

You encounter a login failure with a message that says, "Your system's internal clock is not synchronized with your authentication server" or "KRB5KRB_AP_ERR_SKEW" when your system clock is not synchronized with Active Directory.

To synchronize your system clock with Active Directory

  1. Run the following command as root:

     vastool timesync

Login fails when the user account is disabled

You encounter a login failure with a message that says, "The authentication server policy does not allow you to log in at this time.", "KRB5KDC_ERR_POLICY" or "KRB5KDC_ERR_CLIENT_REVOKED" when a user's account has been restricted, locked out, or expired. This message is also displayed when a user whose account is marked "Smart card required for login" attempts to log in with a password.

Check the user's account settings in Active Directory. For more information, see Check login.

Login fails when the user's certificate is not authorized

You encounter a login failure with a message that says, "Your certificate cannot be verified by the authentication server" or "KRB5_KDC_ERROR_CANT_VERIFY_CERTIFICATE" when either Safeguard Authentication Services for Smart Cards was unable to automatically bootstrap the trusted certificates, or the CA certificate that was used to issue that certificate is not in the NtAuthCertificates container in Active Directory. Generally, this error occurs when Active Directory is verifying the user's certificate, or when Safeguard Authentication Services for Smart Cards is verifying the KDC certificate returned by Active Directory.

For more information, see Bootstrapping trusted certificates.

Troubleshooting "KDC has no support for padata type" issue

Symptom:

An error displays, similar to the following:

KRB5KDC_ERR_PADATA_TYPE_NOSUPP (-1765328368): KDC has no support for padata type

Diagnosis:

This error occurs if the domain controller does not have a Domain Controller Authentication Certificate.

Solution:

  1. From the Certificates console, open the Certificate Request wizard.
  2. Select Domain Controller Authentication.
  3. Click Enroll.