23.5. PKINIT Smart-card Authentication in Identity Management
Identity Management users can authenticate with a smart card to a desktop client system joined to Identity Management and get a Kerberos ticket-granting ticket (TGT) automatically. The users can use the ticket for further single sign-on (SSO) authentication from the client.
23.5.1. Preparing the Identity Management Client for PKINIT Authentication
As the Identity Management administrator, perform these steps on the client where you want the users to authenticate:
- On the server, create a shell script to configure the client:
  - Use the ipa-advise config-client-for-smart-card-auth command, and save its output to a file:
    # ipa-advise config-client-for-smart-card-auth > client_smart_card_script.sh
  - Open the script file, and review its contents.
  - Add execute permissions to the file using the chmod utility:
    # chmod +x client_smart_card_script.sh
- Copy the script to the client, and run it. Add the path to the PEM file with the certificate authority (CA) that signed the smart card certificate:
  # ./client_smart_card_script.sh CA_cert.pem
- Make sure the krb5-pkinit package is installed.
Additionally, if an external certificate authority (CA) signed the certificate on the smart card, add the smart card CA as a trusted CA:
- On the Identity Management server, install the CA certificate:
  # ipa-cacert-manage -n "SmartCard CA" -t CT,C,C install ca.pem
  # ipa-certupdate
  Repeat ipa-certupdate also on all replicas and clients.
- Restart the HTTP server:
  # systemctl restart httpd
  Repeat systemctl restart httpd also on all replicas.
Note
SSSD enables administrators to tune the certificate verification process with the certificate_verification parameter, for example if the Online Certificate Status Protocol (OCSP) servers defined in the certificate are not reachable from the client. For more information, see the sssd.conf(5) man page.
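The client script above takes the CA certificate file as its only argument and installs it as a trust anchor, so the file is worth checking before it is handed over. The following pre-flight script is an added example, not part of the Red Hat guide and not part of the ipa-advise output: it verifies that the PEM file actually contains a certificate and no private key, and that the opensc-pkcs11.so module kinit will later be pointed at is present on disk. All files under SAMPLE_DIR are constructed for the demonstration (the certificate bodies are not real certificates), and the module directories /usr/lib64/pkcs11 and /usr/lib64 are assumed to be where the opensc package installs the module.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide or the ipa-advise script:
# sanity checks to run before ./client_smart_card_script.sh CA_cert.pem,
# so that a wrong file (a cert bundled with its key, an empty file, a
# DER file) is caught before it is installed as a trust anchor.
# Everything under $SAMPLE_DIR is constructed here for the demonstration.

SAMPLE_DIR=$(mktemp -d)

# Constructed PEM that looks like a single CA certificate (not a real cert).
cat > "$SAMPLE_DIR/ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleNotARealCertificateBodyOnlyForThisExample0000000000000000
-----END CERTIFICATE-----
EOF

# Constructed file an administrator might hand over by mistake: the
# certificate bundled together with its private key.
cat > "$SAMPLE_DIR/ca-with-key.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleNotARealCertificateBodyOnlyForThisExample0000000000000000
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEsampleNotARealKeyBodyOnlyForThisExample00000000000000000000000
-----END PRIVATE KEY-----
EOF

# Constructed stand-in for the OpenSC PKCS#11 module on disk.
mkdir -p "$SAMPLE_DIR/lib64/pkcs11"
: > "$SAMPLE_DIR/lib64/pkcs11/opensc-pkcs11.so"

# Print the number of PEM certificate blocks in FILE (0 for a DER file,
# an empty file or an unreadable path).
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed (exit 0) if FILE carries any private-key block. The CA file
# passed to the client script must never contain one.
pem_contains_private_key() {
    grep -q 'PRIVATE KEY-----' "$1" 2>/dev/null
}

# Print the first DIR/NAME that exists among the given directories
# (kinit's X509_user_identity='PKCS11:opensc-pkcs11.so' needs the module
# to be resolvable); exit 1 if none is found.
find_pkcs11_module() {
    name=$1; shift
    for dir in "$@"; do
        if [ -f "$dir/$name" ]; then
            echo "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Combined pre-flight check: one line per problem, exit 0 only if all
# checks pass. Usage: check_client_inputs CA_PEM MODULE_NAME DIR...
check_client_inputs() {
    ca=$1; module=$2; shift 2
    rc=0
    n=$(pem_cert_count "$ca")
    if [ "$n" -eq 0 ]; then
        echo "ERROR: $ca contains no PEM certificate (DER file or wrong path?)"; rc=1
    fi
    if pem_contains_private_key "$ca"; then
        echo "ERROR: $ca contains a private key; pass only the CA certificate"; rc=1
    fi
    if ! find_pkcs11_module "$module" "$@" >/dev/null; then
        echo "ERROR: $module not found; install the opensc package"; rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed files. On a real client use:
#   check_client_inputs CA_cert.pem opensc-pkcs11.so /usr/lib64/pkcs11 /usr/lib64
check_client_inputs "$SAMPLE_DIR/ca.pem" opensc-pkcs11.so "$SAMPLE_DIR/lib64/pkcs11" \
    && echo "client inputs look sane"
check_client_inputs "$SAMPLE_DIR/ca-with-key.pem" opensc-pkcs11.so "$SAMPLE_DIR/lib64/pkcs11" \
    || echo "rejected the file that bundles a key (expected)"
```

The checks are deliberately limited to what plain sh, grep and the file system can answer; whether the certificate is really the issuer of the smart card certificates is something only an openssl verify against a card certificate, or the first kinit attempt, will tell you.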
23.5.2. As an Identity Management User: Authenticate Using PKINIT on an Identity Management Client
Authenticate using the kinit utility on an Identity Management client:
$ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
The -X option passes the X509_user_identity pre-authentication attribute, which names the opensc-pkcs11.so PKCS#11 module that provides the smart card certificate and private key. For details, see the kinit(1) man page.
23.5.3. As an Active Directory User: Authenticate Using PKINIT on an Identity Management Client
Prerequisites
As the administrator, configure the environment to support PKINIT authentication for Active Directory users:
- Configure the Active Directory server to trust the certificate authority (CA) that issued the smart card certificate. Import the CA in the NTAuth store (see Microsoft support), and add the CA as a trusted CA. See Active Directory documentation for details.
- Configure the Kerberos client to trust the CA that issued the smart card certificate:
  - On the Identity Management client, open the /etc/krb5.conf file.
  - Add the following lines to the file:
    [libdefaults]
    [... file truncated ...]
    pkinit_eku_checking = kpServerAuth
    pkinit_kdc_hostname = adserver.ad.domain.com
- If the user certificates do not contain a certificate revocation list (CRL) distribution point extension, configure Active Directory to ignore revocation errors:
  - Save the following REG-formatted content in a plain text file, and double-click the file to import it to the Windows Registry:
    Alternatively, set the values manually using the regedit.exe application.
  - Reboot the Windows system to apply the changes.
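The two krb5.conf settings in the prerequisites above are easy to get subtly wrong: pkinit_eku_checking = kpServerAuth makes the client accept a KDC certificate carrying the id-kp-serverAuth extended key usage, which is what Windows KDC certificates commonly carry instead of id-pkinit-KDC, and pkinit_kdc_hostname tells the client which dNSName SAN to accept in that certificate. Setting pkinit_eku_checking to none would also make kinit work, but at the cost of not checking the KDC certificate's EKU at all. The script below is an added example, not part of the Red Hat guide: it reads the [libdefaults] section of a krb5.conf and reports whether the settings match the procedure, flagging none as weak. The krb5.conf files are constructed for the demonstration; on a client, call the functions with /etc/krb5.conf.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: read the [libdefaults] PKINIT
# settings from a krb5.conf and report whether the Active Directory
# prerequisites are met. Both krb5.conf files are constructed here;
# on a real client call the functions with /etc/krb5.conf.

SAMPLE_DIR=$(mktemp -d)

# Constructed krb5.conf matching the snippet in the procedure.
cat > "$SAMPLE_DIR/krb5-ok.conf" <<'EOF'
[libdefaults]
  default_realm = IDM.EXAMPLE.COM
  dns_lookup_kdc = true
  pkinit_eku_checking = kpServerAuth
  pkinit_kdc_hostname = adserver.ad.domain.com

[realms]
  IDM.EXAMPLE.COM = {
    kdc = idm.example.com:88
  }
EOF

# Constructed krb5.conf with EKU checking switched off and no KDC host
# name: kinit may still succeed, but the KDC certificate is validated less.
cat > "$SAMPLE_DIR/krb5-weak.conf" <<'EOF'
[libdefaults]
  default_realm = IDM.EXAMPLE.COM
  pkinit_eku_checking = none
EOF

# Print the value of KEY from [SECTION] in FILE (empty if absent). Only
# flat "key = value" lines are handled; the nested {} blocks of [realms]
# are ignored, which is all the [libdefaults] check needs.
krb5conf_get() {
    file=$1 section=$2 key=$3
    awk -v s="[$section]" -v k="$key" '
        /^[ \t]*\[/ { in_s = ($1 == s); next }
        in_s && index($0, "=") {
            n = index($0, "=")
            name = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) { print val; exit }
        }' "$file"
}

# Exit 0 only if FILE carries both settings the AD procedure requires:
# pkinit_eku_checking = kpServerAuth and a pkinit_kdc_hostname.
# "none" is reported separately because it disables the EKU check.
check_ad_pkinit_settings() {
    file=$1; rc=0
    eku=$(krb5conf_get "$file" libdefaults pkinit_eku_checking)
    kdc=$(krb5conf_get "$file" libdefaults pkinit_kdc_hostname)
    case $eku in
        kpServerAuth) ;;
        none) echo "WARN: pkinit_eku_checking = none disables the KDC certificate EKU check"; rc=1 ;;
        *) echo "ERROR: pkinit_eku_checking is '${eku:-unset}', expected kpServerAuth"; rc=1 ;;
    esac
    if [ -z "$kdc" ]; then
        echo "ERROR: pkinit_kdc_hostname is unset; the AD KDC certificate cannot be matched"; rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed files.
check_ad_pkinit_settings "$SAMPLE_DIR/krb5-ok.conf" && echo "krb5-ok.conf: ready for AD PKINIT"
check_ad_pkinit_settings "$SAMPLE_DIR/krb5-weak.conf" || echo "krb5-weak.conf: not ready (expected)"
```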
Procedure
Authenticate using the kinit utility on an Identity Management client. Specify the Active Directory user with the user name and domain name:
$ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' ad_user@AD.DOMAIN.COM
The -X option passes the X509_user_identity pre-authentication attribute, which names the opensc-pkcs11.so PKCS#11 module that provides the smart card certificate and private key. For details, see the kinit(1) man page.
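Whether the kinit command in 23.5.2 or the one in 23.5.3 was used, the result to confirm is the same: the credential cache must now hold a ticket-granting ticket for the principal that was named. The script below is an added example, not part of the Red Hat guide; it parses klist output and checks that the default principal is the expected one and that a krbtgt/REALM@REALM entry exists for its realm. The klist transcripts are constructed for the demonstration (cache names, dates and realms are invented); on a client, save the real output with klist > /tmp/klist.txt and pass that file to verify_tgt.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: after kinit with
# X509_user_identity succeeds, confirm from klist output that the cache
# holds a TGT for the expected principal. The klist transcripts below
# are constructed; on a client run "klist > file" and pass that file.

SAMPLE_DIR=$(mktemp -d)

# Constructed klist output after the 23.5.2 command (IdM user).
cat > "$SAMPLE_DIR/klist-idm.txt" <<'EOF'
Ticket cache: KEYRING:persistent:1000:1000
Default principal: idm_user@IDM.EXAMPLE.COM

Valid starting       Expires              Service principal
04/12/2023 10:00:00  04/12/2023 20:00:00  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
EOF

# Constructed klist output after the 23.5.3 command (AD user).
cat > "$SAMPLE_DIR/klist-ad.txt" <<'EOF'
Ticket cache: KEYRING:persistent:1000:1000
Default principal: ad_user@AD.DOMAIN.COM

Valid starting       Expires              Service principal
04/12/2023 10:00:00  04/12/2023 20:00:00  krbtgt/AD.DOMAIN.COM@AD.DOMAIN.COM
EOF

# Constructed output of a cache that only holds a leftover service
# ticket, i.e. kinit did not actually obtain a new TGT.
cat > "$SAMPLE_DIR/klist-stale.txt" <<'EOF'
Ticket cache: KEYRING:persistent:1000:1000
Default principal: idm_user@IDM.EXAMPLE.COM

Valid starting       Expires              Service principal
04/11/2023 10:00:00  04/11/2023 20:00:00  host/client.idm.example.com@IDM.EXAMPLE.COM
EOF

# Print the default principal recorded in the klist output FILE.
klist_principal() {
    sed -n 's/^Default principal: //p' "$1"
}

# Succeed if FILE lists a ticket-granting ticket for REALM.
klist_has_tgt() {
    file=$1 realm=$2
    grep -q "[[:space:]]krbtgt/$realm@$realm\$" "$file"
}

# Check that FILE belongs to EXPECTED (user@REALM) and holds its TGT.
verify_tgt() {
    file=$1 expected=$2
    principal=$(klist_principal "$file")
    if [ "$principal" != "$expected" ]; then
        echo "ERROR: cache belongs to '${principal:-nobody}', expected '$expected'"
        return 1
    fi
    realm=${principal##*@}
    if ! klist_has_tgt "$file" "$realm"; then
        echo "ERROR: no krbtgt/$realm@$realm in the cache; kinit did not yield a TGT"
        return 1
    fi
    echo "OK: TGT for $principal present"
}

# Stand-alone run against the constructed transcripts.
verify_tgt "$SAMPLE_DIR/klist-idm.txt" idm_user@IDM.EXAMPLE.COM
verify_tgt "$SAMPLE_DIR/klist-ad.txt" ad_user@AD.DOMAIN.COM
verify_tgt "$SAMPLE_DIR/klist-stale.txt" idm_user@IDM.EXAMPLE.COM || echo "stale cache rejected (expected)"
```

klist does not record that a ticket was obtained with PKINIT rather than a password, so this check proves only that the expected TGT is in place; the KDC log is where the pre-authentication mechanism used for the request is recorded.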