Home
Products
Red Hat Enterprise Linux
8
Managing smart card authentication
Chapter 9. Authenticating as an Active Directory user using PKINIT with a smart card

Chapter 9. Authenticating as an Active Directory user using PKINIT with a smart card

Active Directory (AD) users can authenticate with a smart card to a desktop client system joined to IdM and get a Kerberos ticket-granting ticket (TGT). These tickets can be used for single sign-on (SSO) authentication from the client.

Prerequisites

The IdM server is configured for smart card authentication. For more information, see Configuring the IdM server for smart card authentication or Using Ansible to configure the IdM server for smart card authentication.
The client is configured for smart card authentication. For more information, see Configuring the IdM client for smart card authentication or Using Ansible to configure IdM clients for smart card authentication.
The krb5-pkinit package is installed.
The AD server is configured to trust the certificate authority (CA) that issued the smart card certificate. Import the CA certificates into the NTAuth store (see Microsoft support) and add the CA as a trusted CA. See Active Directory documentation for details.

Procedure

Configure the Kerberos client to trust the CA that issued the smart card certificate:

On the IdM client, open the /etc/krb5.conf file.

Add the following lines to the file:

Copy to Clipboard Toggle word wrap

[realms]
  AD.DOMAIN.COM = {
    pkinit_eku_checking = kpServerAuth
    pkinit_kdc_hostname = adserver.ad.domain.com
  }

[realms]
  AD.DOMAIN.COM = {
    pkinit_eku_checking = kpServerAuth
    pkinit_kdc_hostname = adserver.ad.domain.com
  }

If the user certificates do not contain a certificate revocation list (CRL) distribution point extension, configure AD to ignore revocation errors:

Save the following REG-formatted content in a plain text file and import it to the Windows registry:

Copy to Clipboard Toggle word wrap

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001

Alternatively, you can set the values manually by using the regedit.exe application.

Reboot the Windows system to apply the changes.

Authenticate by using the kinit utility on an Identity Management client. Specify the Active Directory user with the user name and domain name:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
```
kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' ad_user@AD.DOMAIN.COM
```
```
$ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' ad_user@AD.DOMAIN.COM
```
The -X option specifies the opensc-pkcs11.so module as the pre-authentication attribute.

Additional resources

kinit(1) man page on your system
See MIT Kerberos Documentation for /etc/krb5.conf settings.

Chapter 9. Authenticating as an Active Directory user using PKINIT with a smart card

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

Making open source more inclusive

About Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links