Smart Card Authentication and Troubleshooting

Here is what you need to get started:

  • A Linux platform supported by the AD Bridge Enterprise Smart Card service.
  • An Active Directory system configured to manage Smart Card logons.
  • A Smart Card prepared with Active Directory credentials and a personal identification number (PIN) to log on to the Linux computer.
  • A CCID-compliant Smart Card reader. Readers are available from a variety of manufacturers; before you buy one, check with the vendor that it works with your Linux platform and your type of Smart Card, and follow the setup instructions from the reader's manufacturer.
  • AD Bridge Enterprise 8.5.3 or later, installed with the smartcard option.

With AD Bridge Enterprise 8.5.3 or later, ActivIdentity's 32-bit ActivClient driver is no longer installed.

  • 64-bit Linux computers need a third-party Smart Card driver installed. For example, OpenSC provides support for PIV II Smart Cards.

Supported Linux Platforms

The AD Bridge Enterprise Smart Card service supports 64-bit versions of Red Hat Enterprise Linux 6.x or later.

To check the version of your Red Hat computer: cat /etc/redhat-release.

Example output:

[auser@rhel7 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Client release 7.3 (Maipo)

On 64-bit systems, you must install a third-party Smart Card driver and a Smart Card reader. OpenSC provides the opensc-tool and pkcs11-tool utilities and a PCSC daemon.

Install the Smart Card Service

To install AD Bridge Enterprise to support Smart Cards, you must include the smartcard option when you run the installer. If AD Bridge Enterprise is already installed, run the installer again with the smartcard option.

Replace x.x.x.xxxx with the version and build number indicated in the installer file name:

./pbis-enterprise-x.x.x.xxxx.linux.x86_64.rpm.sh -- --smartcard install

Verify Smart Card Settings

If you use OpenSC, run the following two commands to verify that the Smart Card reader is installed correctly and that the certificates on the Smart Card can be read:

  • opensc-tool: Ensure a Smart Card reader is installed and a token is inserted.
  • pkcs11-tool: Ensure certificates on the Smart Card are readable.

Verify pcsc-lite is Installed

AD Bridge Enterprise depends on the presence of a package, pcsc-lite. To confirm the package is installed, run the following command: rpm -q pcsc-lite.

Example

[root@rhel5d lw]# rpm -q pcsc-lite
pcsc-lite-1.3.1-7

When this initial configuration is in place, you are ready to install AD Bridge Enterprise on your Linux computer and add the computer to Active Directory.

For information on installing the AD Bridge Enterprise agent and joining a domain, please see the AD Bridge Enterprise Installation Guide.

Alternate pkcs11 Library Location

Use the config tool's ModuleSearchList option to set, in the registry, the location of the third-party pkcs11 library. The lwpkcs11 daemon reads the registry to determine which library to load. Currently three locations are hardcoded in the lwpkcs11 daemon:

/opt/pbis/bin/config --details ModuleSearchList
Name: ModuleSearchList
Description: Determines which pkcs11 module lwpkcs11 daemon uses to access Smart Card functionality.
Type: multistring
Current Values: 
  "/usr/lib/libpkcs11.so"
  "/usr/local/lib/libpkcs11.so"
  "/usr/lib64/opensc-pkcs11.so"
Current Value is determined by local policy.

Troubleshoot

The following section provides information on troubleshooting the card and reader. Verify that:

  • Smart Card reader is installed with a Smart Card token
  • PKCS11 library is installed
  • AD Bridge Enterprise was installed with the smartcard option
  • The server is joined to a domain
  • The Smart Card service is configured to use the installed PKCS11 library
  • Smart Card services lwsc and lwpkcs11 are running

Smart Card Diagnostic Tool

A tool is available with AD Bridge that can:

  • verify the Smart Card reader installation
  • read the contents of the Smart Card
  • verify that the enrolled Smart Card user certificate's Subject Alternative Name (SAN) contains the User Principal Name (UPN)

Run the following command to use the tool: /opt/pbis/bin/sc-test.

Install OpenSC

OpenSC provides a PCSC driver and several command line tools, such as opensc-tool and pkcs11-tool. Install it with yum install opensc, and restart the server after you install OpenSC.

Plug in the Smart Card Reader

Run the following command; the Smart Card reader should be listed: lsusb.

Example output:

Bus 002 Device 005: ID 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader

OpenSC Commands

# opensc-tool --list-readers
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes Alcor Micro AU9540 00 00
# opensc-tool --reader 0 --name -v
Connecting to card in reader Alcor Micro AU9540 00 00...
Using card driver PIV-II for multiple cards.
Card name: PIV-II card

PKCS#11 Commands

List the Contents of the Smart Card

pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -O

The enrolled certificate should be in slot ID 1. If it is not, check the enrollment workstation and ensure the enrolled certificate is mapped to PivCert9A. See above.

Other pkcs11-tool Commands

# pkcs11-tool --module /usr/lib64/opensc-pkcs11.so --list-slots
# pkcs11-tool --module /usr/lib64/opensc-pkcs11.so --slot 1 --list-objects
# pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -l -O --id 4
# pkcs11-tool --module /usr/lib64/opensc-pkcs11.so --show-info
# pkcs11-tool --module /usr/lib64/opensc-pkcs11.so --list-mechanisms

Troubleshoot the Smart Card

  • Ensure the Smart Card services lwpkcs11 and lwsc are running.
  • Restart the AD Bridge Enterprise server after installing AD Bridge Enterprise with the --smartcard option.
  • Increase the log level on lsass and look for errors in the logs.
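The Troubleshoot checklist above, together with the opensc-tool and pkcs11-tool commands from the OpenSC and PKCS#11 sections, can be run as one script. The POSIX shell script below is an added example and is not part of AD Bridge Enterprise or OpenSC. Its parsers read tool output on standard input, so they can be exercised against constructed sample output without a reader attached, and live_checks only runs the real tools when they are installed. Assumptions that are not on this page: the lwpkcs11 daemon takes the first ModuleSearchList path that exists on disk (first-match order), domainjoin-cli query prints a "Domain = ..." line on a joined host, and SC_CHECK_LIVE is this script's own switch rather than an AD Bridge setting.

```shell
#!/bin/sh
# Added example (not AD Bridge Enterprise or OpenSC code): scripts the Smart
# Card troubleshooting checklist. Parsers read tool output from stdin so they
# can be tested with constructed samples; live_checks runs the real tools.

# The three module paths shown for ModuleSearchList on this page.
PKCS11_SEARCH_LIST="/usr/lib/libpkcs11.so /usr/local/lib/libpkcs11.so /usr/lib64/opensc-pkcs11.so"

# first_pkcs11_module PATH...: print the first path that exists on disk.
# Assumption: the lwpkcs11 daemon takes the first match in list order.
first_pkcs11_module() {
    for path in "$@"; do
        if [ -f "$path" ]; then
            printf '%s\n' "$path"
            return 0
        fi
    done
    return 1
}

# reader_with_card: parse `opensc-tool --list-readers` from stdin and print
# the number of the first reader whose Card column is "Yes"; fail if none.
reader_with_card() {
    awk '/^#/ || $1 == "Nr." { next }
         $2 == "Yes" { print $1; found = 1; exit }
         END { exit (found ? 0 : 1) }'
}

# cert_id_present ID: parse `pkcs11-tool -O` from stdin and succeed when a
# "Certificate Object" block carries the given ID (the enrolled PIV 9A
# certificate is expected at ID 01).
cert_id_present() {
    awk -v want="$1" '
        /^Certificate Object/ { in_cert = 1; next }
        /^[A-Za-z ]*Object;/  { in_cert = 0 }
        in_cert && $1 == "ID:" && $2 == want { found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# report STATUS MESSAGE: print one checklist line and count failures.
report() {
    printf '%s: %s\n' "$1" "$2"
    [ "$1" = "FAIL" ] && fails=$((fails + 1))
    return 0
}

# live_checks: run the checklist on this host; returns the failure count.
live_checks() {
    fails=0
    if rpm -q pcsc-lite >/dev/null 2>&1; then
        report PASS "pcsc-lite is installed"
    else
        report FAIL "pcsc-lite is not installed (rpm -q pcsc-lite)"
    fi
    if module=$(first_pkcs11_module $PKCS11_SEARCH_LIST); then
        report PASS "PKCS#11 module found: $module"
    else
        report FAIL "no PKCS#11 module at any ModuleSearchList path"
    fi
    if ! command -v opensc-tool >/dev/null 2>&1; then
        report FAIL "opensc-tool not found (yum install opensc)"
    elif reader=$(opensc-tool --list-readers 2>/dev/null | reader_with_card); then
        report PASS "card inserted in reader $reader"
    else
        report FAIL "no reader with a card inserted (opensc-tool --list-readers)"
    fi
    if [ -n "$module" ] && command -v pkcs11-tool >/dev/null 2>&1; then
        if pkcs11-tool --module "$module" -O 2>/dev/null | cert_id_present 01; then
            report PASS "certificate object ID 01 (PIV 9A) is readable"
        else
            report FAIL "no certificate object with ID 01 (check the PivCert9A mapping)"
        fi
    fi
    # Assumption: `domainjoin-cli query` prints "Domain = <name>" when joined.
    if /opt/pbis/bin/domainjoin-cli query 2>/dev/null | grep -q '^Domain = .'; then
        report PASS "host is joined to a domain"
    else
        report FAIL "host is not joined to a domain (domainjoin-cli query)"
    fi
    for svc in lwsc lwpkcs11; do
        if ps -e -o comm= | grep -qx "$svc"; then
            report PASS "$svc is running"
        else
            report FAIL "$svc is not running"
        fi
    done
    return "$fails"
}

# SC_CHECK_LIVE=1 is this script's own switch (assumption, not an AD Bridge
# setting): run `SC_CHECK_LIVE=1 sh sc-check.sh` to check the live host.
if [ "${SC_CHECK_LIVE:-0}" = "1" ]; then
    live_checks
fi
```

The exit status of live_checks is the number of failed items, so it can be wired into a monitoring check; each FAIL line names the command from this page that shows the detail.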