
KB-10294: Cannot unlock screen with Smart Card after successful login on RHEL 7.4 and higher

Authentication Service

8 May,18 at 09:13 PM


After a successful smart card login on RHEL 7, the smart card PIN no longer works once the screen is locked. PIN authentication works again only after the "Log in as another User" button is selected. The problem persists even after upgrading to RHEL 7.4 or higher per KB-7415.


After the release of RHEL 7.4, an issue was identified in the screen unlock path: on unlock, GNOME sets the username in the PAM context, which triggers the pam_pkcs11 mapper to verify that the certificate's alt UPN name matches the username set in the PAM context. The pkcs11 mapper tries to directly compare the alt UPN to the user on the card, which does not match. Therefore, the screen cannot be unlocked with the smart card PIN after it has been locked.

When "Log in as another user" is selected, GNOME clears the PAM context username and does a plain user search, as if the user were logging in for the first time at the console. As long as there is a certificate with a valid UPN, it is passed to pkinit to derive the user. If pkinit succeeds, it knows which Unix user the card belongs to and sets the Unix username back in the PAM context.
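The two paths described above, as a simplified model added here for illustration; it is not Centrify or pam_pkcs11 code. The function names, the `DIRECTORY` table (a stand-in for the pkinit lookup) and the sample UPN and usernames are constructed, and `match_user_resolved` is an assumed alternative, not a description of the vendor's fix.

```python
# Simplified model of the two PAM paths; every name and value is constructed.
# DIRECTORY stands in for the pkinit lookup that maps a UPN to a Unix user.
DIRECTORY = {"jane.doe@corp.example": "jdoe"}


def find_user(cert_upn):
    """PAM user not set: derive the Unix user from the certificate UPN."""
    return DIRECTORY.get(cert_upn.lower())


def match_user_direct(cert_upn, pam_user):
    """PAM user already set: direct string comparison, as the article describes."""
    return cert_upn == pam_user


def match_user_resolved(cert_upn, pam_user):
    """Assumed alternative: resolve the UPN first, then compare Unix names."""
    resolved = find_user(cert_upn)
    return resolved is not None and resolved == pam_user


def authenticate(cert_upn, pam_user=None, matcher=match_user_direct):
    """Return the Unix user to authenticate as, or None on failure."""
    if pam_user:                      # screen unlock: GNOME pre-sets the user
        return pam_user if matcher(cert_upn, pam_user) else None
    return find_user(cert_upn)        # "Log in as another user": plain search


if __name__ == "__main__":
    upn = "jane.doe@corp.example"
    print("unlock, direct compare:  ", authenticate(upn, "jdoe"))
    print("log in as another user:  ", authenticate(upn))
    print("unlock, resolved compare:", authenticate(upn, "jdoe", match_user_resolved))
    print("other user's card:       ", authenticate(upn, "asmith", match_user_resolved))
```

The last case shows why the match step cannot simply be dropped on unlock: a valid card that resolves to a different Unix user must still be rejected for the locked session.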


This issue is fixed in the Centrify Suite 2018 (5.5.0) release.