You will get a log error message that says, "Failed authentication attempt: cannot verify certificate" when Active Directory is verifying the user's certificate, or when Safeguard Authentication Services for Smart Cards is verifying the KDC certificate returned by Active Directory. The most likely causes are either that the CA certificate that was used to issue that certificate is not in the NtAuthCertificates container in Active Directory, or Safeguard Authentication Services for Smart Cards was unable to automatically bootstrap the trusted certificates.
Check the user's account settings in Active Directory. For more information, see Check login.
See also Bootstrapping trusted certificates.
An error displays, similar to the following:
ERROR: could not establish initial credentials ERROR: VAS_ERR_KRB5: at ticket.c:72 in ticket_generate_good_error Failed to obtain credentials. Client: vas-user@SC.VAS, Service: krbtgt/SC.VAS@SC.VAS Caused by: KRB5_KDC_ERR_CLIENT_NOT_TRUSTED (-1765328322): Client not trusted
You will get an error message that says, "Client not trusted" if Active Directory cannot determine the validity of the client certificate supplied by the smart card, or the validity of any certificate that issued the client certificate.
This may occur for a number of reasons:
Active Directory passes the certificate to the CA for verification. If the CA is not running, the certificate cannot be verified and is therefore not trusted.
Typically, the CRL is obtained by means of LDAP calls to an external revocation server, and if this server is unreachable or cannot supply a new CRL, the CA cannot check the revocation status of the certificate and the client is therefore not trusted.
Check the output for the following:
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613) ------------------------------------ Revocation check skipped -- server offline
Certificate lookups fail.
This failure occurs because the default IPC timeout of 5 seconds is insufficient to handle some referrals.
Set a sufficient value for the vascache-ipc-timeout property in vas.conf, as follows:
[libvas] vascache-ipc-timeout = 10
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center