Fails to log in to IdM WebUI with certificate/smartcard: 401 Unauthorized: Insufficient access

Solution Verified

Issue

Fails to log in to IdM WebUI with certificate/smartcard

  • A certificate has been added to a user.
  • Attempting to log in to the WebUI using a smart card. After clicking Log In Using Certificate, the error message "Authentication with personal certificate failed" is displayed in the browser.
  • The corresponding log messages for the HTTP requests are found in /var/log/httpd/access_log:

    <...> "GET /ipa/session/cookie HTTP/1.1" 200 -
    <...> "GET /ipa/session/login_x509?username=&_=1628735862508 HTTP/1.1" 200 20
    <...> "POST /ipa/session/json HTTP/1.1" 401 290
    <...> "GET /ipa/session/cookie HTTP/1.1" 200 -
    <...> "GET /ipa/session/login_kerberos?_=1628735862509 HTTP/1.1" 200 20
    <...> "POST /ipa/session/json HTTP/1.1" 401 290
    
  • Error messages with the same timestamp have also been recorded in /var/log/httpd/error_log:

    [wsgi:error] [pid <...>] [remote w.x.y.z:52170] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)
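
To confirm this symptom on a server, the two logs can be correlated per client. The script below is an added example, not part of the original article or of IdM; it assumes access_log uses the Apache common log format, and the client address, timestamps and PID in its sample lines are constructed.

```python
import re

# Assumption: access_log uses the Apache common/combined log format.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
LOGIN_RE = re.compile(r'^/ipa/session/login_(x509|kerberos)\b')
ERROR_RE = re.compile(
    r'\[remote (?P<client>[^\]:]+):\d+\] ipa: INFO: 401 Unauthorized: '
    r'Insufficient access: .*\((?P<minor>[^()]*)\)\s*$')

def failed_logins(access_lines):
    """Return (client, timestamp, login method) for every 401 on
    /ipa/session/json that follows a 200 login_* request from that client."""
    pending, hits = {}, []   # pending: client -> method of last 200 login_*
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, path, status = m['client'], m['path'], m['status']
        login = LOGIN_RE.match(path)
        if login and status == '200':
            pending[client] = login.group(1)
        elif path.split('?')[0] == '/ipa/session/json' and client in pending:
            method = pending.pop(client)
            if status == '401':
                hits.append((client, m['ts'], method))
    return hits

def gss_failures(error_lines):
    """Return (client, GSSAPI minor status text) for matching error_log lines."""
    return [(m['client'], m['minor'])
            for m in map(ERROR_RE.search, error_lines) if m]

# Constructed sample input: client address, timestamps and PID are made up;
# request lines, status codes and error text follow the excerpts above.
SAMPLE_ACCESS = [
    '192.0.2.10 - - [12/Aug/2021:10:37:42 +0000] "GET /ipa/session/login_x509?username=&_=1628735862508 HTTP/1.1" 200 20',
    '192.0.2.10 - - [12/Aug/2021:10:37:43 +0000] "POST /ipa/session/json HTTP/1.1" 401 290',
    '192.0.2.10 - - [12/Aug/2021:10:37:43 +0000] "GET /ipa/session/login_kerberos?_=1628735862509 HTTP/1.1" 200 20',
    '192.0.2.10 - - [12/Aug/2021:10:37:44 +0000] "POST /ipa/session/json HTTP/1.1" 401 290',
]
SAMPLE_ERROR = [
    '[Thu Aug 12 10:37:43.123456 2021] [wsgi:error] [pid 1234:tid 5678] [remote 192.0.2.10:52170] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)',
]

if __name__ == '__main__':
    print(failed_logins(SAMPLE_ACCESS))
    print(gss_failures(SAMPLE_ERROR))
```

On a real server, pass the open file objects for /var/log/httpd/access_log and /var/log/httpd/error_log instead of the sample lists.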
    

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Identity Management (IdM) / FreeIPA
    • ipa-server
    • httpd
