Troubleshooting Smart Card Login

If you have problems with smart card login, Server Suite provides a command-line tool, sctool, that you can run both to configure smart card login and to collect diagnostic information. For example, you can run sctool with the following options:

  • sctool --status to show whether smart card support is enabled.

  • sctool --dump to display information about the smart card system setup as well as any smart cards that are attached to the computer.

  • sctool --pkinit userPrincipalName to obtain Kerberos credentials from a single-user smart card for troubleshooting purposes.

    During login with a smart card, the agent calls sctool --pkinit to obtain Kerberos credentials from the smart card currently in the reader. Because this option exercises a good portion of the smart card login process, you can run sctool --pkinit userPrincipalName yourself when login is failing to obtain useful troubleshooting information. If the command succeeds, it displays the name of the user. If it fails, it prints an error message that may help you troubleshoot the issue.

  • sctool --altpkinit unixName to obtain Kerberos credentials from a multi-user smart card for troubleshooting purposes.

    During login with a multi-user smart card, the agent calls sctool --altpkinit to obtain Kerberos credentials from the smart card currently in the reader. Because the card is configured for multiple accounts, the user is prompted for a username, which the command uses to select the account and obtain the Kerberos credentials. Because this option exercises a good portion of the smart card login process, you can run sctool --altpkinit unixName yourself when login is failing to obtain useful troubleshooting information. If the command succeeds, it displays the name of the user. If it fails, it prints an error message that may help you troubleshoot the issue.

  • sctool --check-kdc-eku to enable checking of the KDC certificate for the Extended Key Usage (EKU) extension "Kerberos Authentication". This check is how the client confirms that the certificate the KDC presents during PKINIT was actually issued for KDC use rather than for some other purpose. Do not use this option if you have not updated your KDC certificate to include the required EKU; enable EKU checking only after the KDC certificate has been updated, otherwise PKINIT will fail.

    EKU checking is disabled by default.

    This option must be combined with the -k (--pkinit) option or the -a (--altpkinit) option; it has no effect on its own.
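The options above form a natural troubleshooting sequence: confirm that smart card support is enabled, dump the reader and card state, then attempt PKINIT for the user. The following shell script runs that sequence and stops at the first failing step, reporting its exit status. It is an added example written for this page, not a script shipped with Server Suite; it assumes sctool is on PATH (or named via the SCTOOL variable), and the "single"/"multi" card-type words and the optional "eku" argument are this script's own convention, not sctool options.

```shell
#!/bin/sh
# sctool_diag.sh: run the sctool troubleshooting steps in order.
# Added example for this page; not part of Server Suite.
# Assumption: sctool is on PATH, or its path is given in $SCTOOL.

SCTOOL="${SCTOOL:-sctool}"

# sc_diag TYPE NAME [eku]
#   TYPE  "single" for a single-user card (uses --pkinit userPrincipalName)
#         "multi"  for a multi-user card  (uses --altpkinit unixName)
#   NAME  the userPrincipalName or unixName to test
#   eku   optional; also pass --check-kdc-eku so the KDC certificate is
#         checked for the "Kerberos Authentication" EKU. Only use this
#         after the KDC certificate has been updated to carry that EKU.
# Returns 0 when every step succeeds, otherwise the exit status of the
# first step that failed (2 for a usage error).
sc_diag() {
    type=$1; name=$2; eku=$3
    case "$type" in
        single) opt=--pkinit ;;
        multi)  opt=--altpkinit ;;
        *) echo "usage: sc_diag single|multi NAME [eku]" >&2; return 2 ;;
    esac

    # --check-kdc-eku is only meaningful together with -k/-a, so it is
    # only ever appended to the PKINIT step, never run on its own.
    extra=""
    [ "$eku" = "eku" ] && extra=--check-kdc-eku

    echo "== 1. smart card support status"
    "$SCTOOL" --status || { rc=$?; echo "!! sctool --status failed (exit $rc)" >&2; return $rc; }

    echo "== 2. smart card system setup and attached cards"
    "$SCTOOL" --dump || { rc=$?; echo "!! sctool --dump failed (exit $rc)" >&2; return $rc; }

    echo "== 3. Kerberos credentials: sctool $opt $name $extra"
    # On success sctool prints the user's name; on failure its error
    # message is the most useful diagnostic, so it is left on stderr.
    "$SCTOOL" $opt "$name" $extra || { rc=$?; echo "!! sctool $opt failed (exit $rc)" >&2; return $rc; }

    echo "== all checks passed for $name"
}

# Run when invoked directly, e.g.:
#   sh sctool_diag.sh single alice@EXAMPLE.COM
#   sh sctool_diag.sh multi alice eku
case "${1:-}" in
    single|multi) sc_diag "$@" ;;
esac
```

Run it as the user who is unable to log in, with the card in the reader. Because each step is tried in order and the script stops at the first failure, the step number in the output tells you whether the problem is smart card support itself, the reader or card, or the PKINIT exchange with the KDC; adding the eku word lets you compare behaviour with and without the KDC certificate check when PKINIT is the step that fails.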

For more information about using sctool, see the sctool man page.