Buscar

Este contenido no está disponible en el idioma seleccionado.

Chapter 9. Authenticating as an Active Directory user using PKINIT with a smart card

download PDF

Active Directory (AD) users can authenticate with a smart card to a desktop client system joined to IdM and get a Kerberos ticket-granting ticket (TGT). These tickets can be used for single sign-on (SSO) authentication from the client.

Prerequisites

  • The client is configured for smart card authentication.
  • The krb5-pkinit package is installed.
  • The AD server is configured to trust the certificate authority (CA) that issued the smart card certificate. Import the CA certificates into the NTAuth store (see Microsoft support) and add the CA as a trusted CA. See Active Directory documentation for details.

Procedure

  1. Configure the Kerberos client to trust the CA that issued the smart card certificate:

    1. On the IdM client, open the /etc/krb5.conf file.
    2. Add the following lines to the file:

      [realms]
        AD.DOMAIN.COM = {
          pkinit_eku_checking = kpServerAuth
          pkinit_kdc_hostname = adserver.ad.domain.com
        }
  2. If the user certificates do not contain a certificate revocation list (CRL) distribution point extension, configure AD to ignore revocation errors:

    1. Save the following REG-formatted content in a plain text file and import it to the Windows registry:

      Windows Registry Editor Version 5.00
      
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc]
      "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
      
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters]
      "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001

      Alternatively, you can set the values manually by using the regedit.exe application.

    2. Reboot the Windows system to apply the changes.
  3. Authenticate by using the kinit utility on an Identity Management client. Specify the Active Directory user with the user name and domain name:

    $ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' ad_user@AD.DOMAIN.COM

    The -X option specifies the opensc-pkcs11.so module as the pre-authentication attribute.

Additional resources

  • The kinit(1) man page.
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

© 2024 Red Hat, Inc.