• Issues while authentication via Smart card using .cer certificate

    From Ken Hornstein@21:1/5 to Nishant Shrivastava on Wed Apr 21 17:04:59 2021
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    > I have been trying to login to my Ubuntu (v 20.04) machine which is
    > joined to AD server (Windows Server 2k16). And for log-in to the user
    > account I am having a .CER certificate (certificate without private
    > key) via Smartcard attached to the Ubuntu Machine. When I try this, it
    > prompts for PIN but fails even when the correct PIN is provided.
    >
    > I wanted to ask, if the process how I am implementing is recommended. Or
    > if I am missing out something for the process mentioned above.

    I'm not sure why _I_ was directly emailed, but, fine ...

    I am assuming you are attempting PKINIT, because that's the only way you'd
    be able to use a smartcard with Active Directory. If you are getting a PIN
    prompt, then probably the hard part is working (communication with the
    smartcard via a PKCS#11 module) and you're getting relatively far in
    the process, which is good.

    There are a number of places where PKINIT could fail, and unfortunately
    the actual error message gets hidden internally in the library. If your
    version of Kerberos is new enough, try turning on debug tracing by
    setting the KRB5_TRACE environment variable. E.g.:

    env KRB5_TRACE=/dev/stdout kinit [... kinit options ...]

    I have a feeling you're going to need to set a few variables in your
    krb5.conf to authorize your specific KDC certificates. That's assuming
    the rest of your PKI is working on your client, which is never a sure thing.

    --Ken
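
An added example, not part of the reply above or of the poster's setup: the MIT krb5 `krb5.conf` PKINIT relations that control which KDC certificates a client will accept. The realm name, KDC hostname, CA file path and PKCS#11 module path are assumed placeholders.

```ini
# krb5.conf fragment (added example; EXAMPLE.COM, dc1.example.com and all
# file paths below are placeholders, not values from the thread)
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com

        # Trust anchor: the CA certificate that issued the domain
        # controller's (KDC's) certificate. Without it the client cannot
        # verify the KDC's signed reply and PKINIT fails after the PIN
        # has already been accepted.
        pkinit_anchors = FILE:/etc/krb5/ad-root-ca.pem

        # Client identity: certificate and private key are read from the
        # smartcard through a PKCS#11 module (module path is an assumption).
        pkinit_identities = PKCS11:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

        # Accept a KDC certificate that identifies itself with a dNSName
        # SAN instead of the id-pkinit-san from RFC 4556. The value must
        # match the hostname in the KDC's certificate.
        pkinit_kdc_hostname = dc1.example.com

        # Default is kpKDC (require the id-pkinit-KPKdc EKU). Relax to
        # kpServerAuth only if the trace shows the KDC certificate carries
        # just the serverAuth EKU; prefer reissuing the KDC certificate.
        # pkinit_eku_checking = kpServerAuth
    }
```

Change one relation at a time and re-run `kinit` with `KRB5_TRACE` set, so the trace shows which certificate check each setting affects.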
