Este contenido no está disponible en el idioma seleccionado.
Chapter 9. Authenticating as an Active Directory user using PKINIT with a smart card
Active Directory (AD) users can authenticate with a smart card to a desktop client system joined to IdM and get a Kerberos ticket-granting ticket (TGT). These tickets can be used for single sign-on (SSO) authentication from the client.
Prerequisites
- The client is configured for smart card authentication.
-
The
krb5-pkinit
package is installed. - The AD server is configured to trust the certificate authority (CA) that issued the smart card certificate. Import the CA certificates into the NTAuth store (see Microsoft support) and add the CA as a trusted CA. See Active Directory documentation for details.
Procedure
Configure the Kerberos client to trust the CA that issued the smart card certificate:
-
On the IdM client, open the
/etc/krb5.conf
file. Add the following lines to the file:
[realms] AD.DOMAIN.COM = { pkinit_eku_checking = kpServerAuth pkinit_kdc_hostname = adserver.ad.domain.com }
-
On the IdM client, open the
If the user certificates do not contain a certificate revocation list (CRL) distribution point extension, configure AD to ignore revocation errors:
Save the following REG-formatted content in a plain text file and import it to the Windows registry:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc] "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters] "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
Alternatively, you can set the values manually by using the
regedit.exe
application.- Reboot the Windows system to apply the changes.
Authenticate by using the
kinit
utility on an Identity Management client. Specify the Active Directory user with the user name and domain name:$ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' ad_user@AD.DOMAIN.COM
The
-X
option specifies theopensc-pkcs11.so module
as the pre-authentication attribute.
Additional resources
-
The
kinit(1)
man page.