Chapter 9. Authenticating as an Active Directory user using PKINIT with a smart card

Procedure

1. Configure the Kerberos client to trust the CA that issued the smart card certificate:

   1. On the IdM client, open the /etc/krb5.conf file.

   2. Add the following lines to the file:

      [realms]
        AD.DOMAIN.COM = {
          pkinit_eku_checking = kpServerAuth
          pkinit_kdc_hostname = adserver.ad.domain.com
        }

2. If the user certificates do not contain a certificate revocation list (CRL) distribution point extension, configure AD to ignore revocation errors:

   1. Save the following REG-formatted content in a plain text file and import it to the Windows registry:

      Windows Registry Editor Version 5.00
      
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc]
      "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
      
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters]
      "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001

      Alternatively, you can set the values manually by using the regedit.exe application.

   2. Reboot the Windows system to apply the changes.

3. Authenticate by using the kinit utility on an Identity Management client. Specify the Active Directory user with the user name and domain name:

   $ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' ad_user@AD.DOMAIN.COM

   The -X option specifies the opensc-pkcs11.so module as the pre-authentication attribute.