红帽全球峰会第 9 章 Authenticating as an Active Directory user using PKINIT with a smart card
Active Directory (AD) users can use a smart card to authenticate to a desktop client system joined to IdM and obtain a Kerberos ticket-granting ticket (TGT) for single sign-on (SSO) authentication from the client. This process is intended for AD user accounts that require smart card authentication, which prevents them from using password-based logins.
You cannot use these instructions to access IdM resources for which their Kerberos service has pkinit authentication indicator requirement. This is because the process obtains a TGT from the Active Directory Kerberos Distribution Center (AD KDC), not the IdM KDC. As a result, the TGT does not contain the necessary authentication indicator, and the IdM service will deny your access.
To enable PKINIT authentication for IdM users to access IdM services see Managing Kerberos ticket policies.
Prerequisites
- The IdM server is configured for smart card authentication. For more information, see Configuring the IdM server for smart card authentication or Using Ansible to configure the IdM server for smart card authentication.
- The client is configured for smart card authentication. For more information, see Configuring the IdM client for smart card authentication or Using Ansible to configure IdM clients for smart card authentication.
-
The
krb5-pkinitpackage is installed. - The AD server is configured to trust the certificate authority (CA) that issued the smart card certificate. Import the CA certificates into the NTAuth store (see Microsoft support) and add the CA as a trusted CA. See Active Directory documentation for details.
Procedure
Configure the Kerberos client to trust the CA that issued the smart card certificate:
-
On the IdM client, open the
/etc/krb5.conffile. Add the following lines to the file:
[realms] AD.DOMAIN.COM = { pkinit_eku_checking = kpServerAuth pkinit_kdc_hostname = adserver.ad.domain.com }
-
On the IdM client, open the
If the user certificates do not contain a certificate revocation list (CRL) distribution point extension, configure AD to ignore revocation errors:
Save the following REG-formatted content in a plain text file and import it to the Windows registry:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc] "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters] "UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001Alternatively, you can set the values manually by using the
regedit.exeapplication.- Reboot the Windows system to apply the changes.
Authenticate by using the
kinitutility on an Identity Management client. Specify the Active Directory user with the user name and domain name:$ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' ad_user@AD.DOMAIN.COMThe
-Xoption specifies theopensc-pkcs11.so moduleas the pre-authentication attribute.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}