KB-8834: altSecurityIdentities attribute is causing smart card login to fail

30 June 2017 at 08:05 PM

Applies to:

Centrify Identity Service, Mac edition

Problem:

An AD user's “altSecurityIdentities” attribute is populated for a purpose other than smart card authentication, and smart card login for that user fails.

Cause:

If the AD user's “altSecurityIdentities” attribute contains a value prefixed with the string "Kerberos:" (e.g. Kerberos:user@local), Centrify uses that Kerberos name as the UPN for authentication instead of the user's userPrincipalName.

A configuration parameter, krb5.support.alt.identities, is available in Centrify to control which name is used for authentication. When this parameter is true (the default) and a Kerberos altSecurityIdentities value exists for a user, DirectControl uses it for authentication instead of the Windows name, regardless of which of the two names was supplied at login. This works as long as 1) the alternate name is always used or the passwords are synchronized, and 2) the third-party KDC is reachable. If these conditions are not met, you can disable the feature by setting this parameter to false; then only the Windows name is used to authenticate the user, and any Kerberos altSecurityIdentities are ignored.

See the entry below for the “krb5.support.alt.identities” configuration parameter in the /etc/centrifydc/centrifydc.conf file used by Centrify for Mac:

# By default, if Kerberos altSecurityIdentities exist for a user, we use it
# for authentication instead of the Windows name, regardless as to which of
# the two names was supplied. This works as long as 1) The alternate name
# is always used or the passwords are synchronized and 2) The third-party KDC
# is reachable. If these conditions are not met, and Kerberos
# altSecurityIdentities exist, you can disable this feature, by setting this
# keyword to false. Then only the Windows name can be used to authenticate
# the user, and any Kerberos altSecurityIdentities are ignored.
#
# krb5.support.alt.identities: true


Resolution:

To resolve the issue, uncomment the “# krb5.support.alt.identities: true” line in the centrifydc.conf file and change the “true” value to “false”. This configures Centrify for Mac to ignore the altSecurityIdentities (ALTSECID) value in AD and authenticate with the userPrincipalName only. See below:

# By default, if Kerberos altSecurityIdentities exist for a user, we use it
# for authentication instead of the Windows name, regardless as to which of
# the two names was supplied. This works as long as 1) The alternate name
# is always used or the passwords are synchronized and 2) The third-party KDC
# is reachable. If these conditions are not met, and Kerberos
# altSecurityIdentities exist, you can disable this feature, by setting this
# keyword to false. Then only the Windows name can be used to authenticate
# the user, and any Kerberos altSecurityIdentities are ignored.
#
krb5.support.alt.identities: false
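The following POSIX shell helper is an added example, not Centrify's own tooling: it reports the effective value of krb5.support.alt.identities in a centrifydc.conf and, when asked, pins the parameter to false exactly as the resolution above describes. It assumes that an absent or commented-out parameter means the built-in default (true) and that, if the parameter appears uncommented more than once, the last occurrence wins; both are assumptions, not documented Centrify behaviour.

```shell
#!/bin/sh
# Added example (not Centrify code). Inspect and pin krb5.support.alt.identities
# in centrifydc.conf. Default path can be overridden via CENTRIFYDC_CONF.
CONF="${CENTRIFYDC_CONF:-/etc/centrifydc/centrifydc.conf}"

# Print the effective value of the parameter.
# Assumption: a commented-out or missing line means the built-in default "true";
# if several uncommented lines exist, the last one wins.
alt_identities_effective() {
    f="${1:-$CONF}"
    awk '
        /^[[:space:]]*krb5\.support\.alt\.identities[[:space:]]*:/ {
            sub(/^[^:]*:[[:space:]]*/, "")   # keep only the value
            sub(/[[:space:]]+$/, "")         # drop trailing whitespace
            val = tolower($0)
        }
        END { if (val == "") val = "true"; print val }
    ' "$f"
}

# Rewrite the file so the parameter is explicitly "false" (the KB resolution).
# The first matching line, commented or not, is replaced in place so the
# explanatory comment block stays intact; any later duplicates are dropped;
# if no line exists at all, the setting is appended.
alt_identities_disable() {
    f="${1:-$CONF}"
    tmp="$f.tmp.$$"
    awk '
        /^[[:space:]]*#?[[:space:]]*krb5\.support\.alt\.identities[[:space:]]*:/ {
            if (!done) { print "krb5.support.alt.identities: false"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "krb5.support.alt.identities: false" }
    ' "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
}

# Usage (as root on the Mac):
#   alt_identities_effective            # prints true or false
#   alt_identities_disable              # pins the parameter to false
```

`cat "$tmp" > "$f"` rewrites the file in place so its ownership and mode are preserved, which matters for a configuration file read by a privileged agent.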
For information on editing the centrifydc.conf file, see the following article:



For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Centrify Customer Portal at support.centrify.com.