Is AD CS mandatory for Teleport smart card authentication to Windows Server? https://goteleport.com/docs/desktop-access/active-directory-manual/ It seems the AD CS prerequisite is only for LDAPS, and Teleport already has a PKI CA itself for user certificate generation and smart card authentication. We already have a PKI, but not Microsoft AD CS. LDAPS is working well on our Domain Controller with a certificate generated from our non-Microsoft PKI CA. I ran the PowerShell script successfully for:
Configuration of the Teleport service was done successfully; the resources were imported successfully from AD discovery to the Teleport Web Console. Then we have an error at connection in the Windows logon. EventLog: Security Event:
No, AD CS is not strictly required. This error likely indicates that your KDC certs do not have the appropriate EKU for smart card login.
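One way to check the EKU point raised in the reply above before touching the domain controller, as an added example that is not code from the thread or from Teleport: it uses only the Python standard library to pull the extendedKeyUsage OIDs out of a certificate's DER and report which of the expected KDC EKUs are absent. The set in `REQUIRED_KDC_EKUS` is an assumption drawn from the EKUs the built-in "Kerberos Authentication" template places on a domain controller certificate, and all function names (`eku_oids`, `missing_kdc_ekus`, `fake_cert_with_ekus`) are mine; the "certificates" it builds for the demonstration are constructed DER fragments, not real X.509 certificates.

```python
"""Check a KDC certificate's Extended Key Usage for PKINIT / smart card logon.
Added example for this thread, not code from Teleport or the discussion.
Standard library only: finds the extendedKeyUsage extension (OID 2.5.29.37)."""
import base64
import re

OID_EKU_EXT = "2.5.29.37"
# Assumed required set: EKUs of the "Kerberos Authentication" template (adjust as needed).
REQUIRED_KDC_EKUS = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.5": "KDC Authentication (id-pkinit-KPKdc)",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
}


def encode_oid(dotted):
    """Encode a dotted OID as DER content bytes (no tag/length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                       # base-128, high bit = "more follows"
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def decode_oid(content):
    """Decode DER OID content bytes back to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def tlv(tag, content):
    """Wrap content in a DER tag/length header (content shorter than 256 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def eku_oids(cert_der):
    """Return the EKU OIDs of a DER certificate ([] if the extension is absent)."""
    # Finds the extension by its encoded OID instead of walking the whole
    # X.509 structure: fine for inspection, not a general-purpose parser.
    marker = tlv(0x06, encode_oid(OID_EKU_EXT))
    idx = cert_der.find(marker)
    if idx < 0:
        return []
    tag, content, pos = read_tlv(cert_der, idx + len(marker))
    if tag == 0x01:                      # optional 'critical' BOOLEAN
        tag, content, pos = read_tlv(cert_der, pos)
    if tag != 0x04:                      # extnValue must be an OCTET STRING
        raise ValueError("malformed extendedKeyUsage extension")
    _, seq, _ = read_tlv(content, 0)     # ExtKeyUsageSyntax ::= SEQUENCE OF OID
    oids, p = [], 0
    while p < len(seq):
        _, oid_content, p = read_tlv(seq, p)
        oids.append(decode_oid(oid_content))
    return oids


def missing_kdc_ekus(cert):
    """Return descriptions of required EKUs absent from a PEM (str) or DER cert."""
    if isinstance(cert, str):
        cert = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", cert))
    present = set(eku_oids(cert))
    return [name for oid, name in REQUIRED_KDC_EKUS.items() if oid not in present]


def fake_cert_with_ekus(oids):
    """Constructed stand-in for a certificate: a SEQUENCE holding only an
    extendedKeyUsage Extension. Enough for eku_oids(); not a real X.509 cert."""
    eku_seq = tlv(0x30, b"".join(tlv(0x06, encode_oid(o)) for o in oids))
    ext = tlv(0x30, tlv(0x06, encode_oid(OID_EKU_EXT)) + tlv(0x04, eku_seq))
    return tlv(0x30, tlv(0x30, ext))


if __name__ == "__main__":
    full = fake_cert_with_ekus(list(REQUIRED_KDC_EKUS))
    ldaps_only = fake_cert_with_ekus(["1.3.6.1.5.5.7.3.1"])   # typical LDAPS-only cert
    print("full KDC cert, missing:", missing_kdc_ekus(full))
    print("LDAPS-only cert, missing:", missing_kdc_ekus(ldaps_only))
```

To run it against a real domain controller certificate, pass the PEM text (for instance the file exported from the DC's personal store) to `missing_kdc_ekus`; an LDAPS certificate that only carries Server Authentication will list the KDC Authentication and Smart Card Logon EKUs as missing, which matches the failure mode described in the reply.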
I configured the certificate with openssl. LDAPS OK, but unable to connect with KDC and smart card logon. Options in openssl.cnf:
This can be pretty tricky to get right. The best and most complete reference I'm aware of is https://awakecoding.com/posts/active-directory-kerberos-kdc-certificate-selection/
A couple highlights to look out for: