Issues while authenticating via smart card using .cer certificate

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Apr 21 17:04:59 EDT 2021


>I have been trying to log in to my Ubuntu (v 20.04) machine, which is
>joined to an AD server (Windows Server 2k16). To log in to the user
>account I have a .CER certificate (a certificate without a private
>key) on a smartcard attached to the Ubuntu machine. When I try this, it
>prompts for the PIN but fails even when the correct PIN is provided.
>
>I wanted to ask whether the process I am implementing is recommended, or
>whether I am missing something in the process mentioned above.

I'm not sure why _I_ was directly emailed, but, fine ...

I am assuming you are attempting PKINIT, because that's the only way you'd
be able to use a smartcard with Active Directory.  If you are getting a PIN
prompt, then probably the hard part is working (communication with the
smartcard via a PKCS#11 module) and you're getting relatively far in
the process, which is good.

There are a number of places where PKINIT could fail, and unfortunately
the actual error message gets hidden internally in the library.  If your
version of Kerberos is new enough, try turning on debug tracing by
setting the KRB5_TRACE environment variable.  E.g.:

env KRB5_TRACE=/dev/stdout kinit [... kinit options ...]

I have a feeling you're going to need to set a few variables in your
krb5.conf to authorize your specific KDC certificates.  That's assuming the
rest of your PKI is working on your client, which is never a sure thing.

--Ken
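As an added example (not code from Ken's reply or from MIT Kerberos itself), a small POSIX shell helper that checks the krb5.conf PKINIT client settings the reply alludes to before running kinit under KRB5_TRACE. The option names pkinit_anchors and pkinit_identities are MIT krb5's; every file path, and the demo configuration, is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the post or from MIT Kerberos): sanity-check the
# PKINIT client settings in krb5.conf, then run kinit under KRB5_TRACE.
# The option names are MIT krb5's; every path below is an assumption.

# Print the first value of KEY in krb5.conf FILE.   usage: krb5_get FILE KEY
krb5_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when FILE has usable PKINIT client settings, 1 otherwise:
#   pkinit_anchors    = FILE:<CA bundle> or DIR:<dir>   (trust for the KDC cert)
#   pkinit_identities = PKCS11:<module.so>[:slotid=..]  (the smartcard module)
check_pkinit_conf() {
    conf=$1; rc=0
    anchors=$(krb5_get "$conf" pkinit_anchors)
    ident=$(krb5_get "$conf" pkinit_identities)
    case $anchors in
        FILE:*) [ -r "${anchors#FILE:}" ] || { echo "pkinit_anchors: no such file ${anchors#FILE:}"; rc=1; } ;;
        DIR:*)  [ -d "${anchors#DIR:}" ]  || { echo "pkinit_anchors: no such dir ${anchors#DIR:}"; rc=1; } ;;
        *)      echo "pkinit_anchors not set (KDC certificate cannot be verified)"; rc=1 ;;
    esac
    case $ident in
        PKCS11:*)
            mod=${ident#PKCS11:}; mod=${mod#module_name=}; mod=${mod%%:*}
            [ -r "$mod" ] || { echo "pkinit_identities: PKCS#11 module $mod not found"; rc=1; } ;;
        *)      echo "pkinit_identities is not a PKCS11: identity"; rc=1 ;;
    esac
    return $rc
}

# Run kinit with tracing written to LOG so the error PKINIT hides internally
# becomes visible, then show the PKINIT lines.  usage: pkinit_kinit_traced user@REALM LOG
pkinit_kinit_traced() {
    KRB5_TRACE=$2 kinit "$1"; status=$?
    grep -i pkinit "$2"
    return $status
}

# Stand-alone demo with constructed files in a temp dir (no real card needed).
demo_pkinit_check() {
    tmp=$(mktemp -d) || return 2
    touch "$tmp/ad-ca.pem" "$tmp/opensc-pkcs11.so"        # placeholder files
    printf '[realms]\n EXAMPLE.COM = {\n  pkinit_anchors = FILE:%s/ad-ca.pem\n  pkinit_identities = PKCS11:%s/opensc-pkcs11.so:slotid=1\n }\n' \
        "$tmp" "$tmp" > "$tmp/krb5.conf"
    check_pkinit_conf "$tmp/krb5.conf"; st=$?
    rm -rf "$tmp"; return $st
}
```

Run check_pkinit_conf against the real /etc/krb5.conf first; only once it passes is a failing kinit worth reading through the KRB5_TRACE log.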
