Computer Configuration > Policies > Administrative Templates: Policy Definitions > Windows Components > Smart Card.
The group policy “Allow certificates with no extended key usage certificate attribute” is defined in a Windows administrative template file (.adm), not in centrify_mac_settings.xml, and is in Administrative Templates, not in Mac Settings.
To enable or disable this policy, click Computer Configuration > Policies > Administrative Templates: Policy Definitions > Windows Components > Smart Card.
Enabling this policy setting allows the use of certificates for smart card login that do not have the Extended Key Usage (EKU) attribute set. Normally, certificates that are used for smart card login require this attribute with a smart card logon object identifier.
When you enable this policy, it sets the smartcard.allow.noeku parameter to true in the Centrify configuration file. Certificates with the following attributes can also be used to log on with a smart card:
- Certificates with no EKU
- Certificates with an All Purpose EKU
- Certificates with a Client Authentication EKU
If you disable or do not configure this policy setting (and do not set the smartcard.allow.noeku parameter to true in the Centrify configuration file), only certificates that contain the smart card logon object identifier can be used for smart card login.
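The acceptance rule described above, as an added Python example (not Centrify code) that shows which certificates become usable only because smartcard.allow.noeku is true. It assumes the configuration file holds one "name: value" pair per line with "#" comments, that "All Purpose" corresponds to the anyExtendedKeyUsage OID, and that a single matching EKU is enough; the configuration text and certificate names are constructed samples.

```python
# Added example: models the acceptance rule described above; not Centrify code.
SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft smart card logon EKU
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"           # id-kp-clientAuth
ANY_PURPOSE = "2.5.29.37.0"                 # anyExtendedKeyUsage (assumed "All Purpose")


def allow_noeku(conf_text):
    """Return True if smartcard.allow.noeku is set to true in the config text.

    Assumes one 'name: value' pair per line and '#' comments; last setting wins.
    """
    value = False
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        name, sep, raw = line.partition(":")
        if sep and name.strip() == "smartcard.allow.noeku":
            value = raw.strip().lower() == "true"
    return value


def classify(eku_oids, relaxed):
    """Classify one certificate's EKU list (None means no EKU extension).

    'strict'       usable under the default policy (smart card logon OID present)
    'relaxed-only' usable only because smartcard.allow.noeku is true
    'rejected'     not usable for smart card login in either mode
    """
    if eku_oids and SMARTCARD_LOGON in eku_oids:
        return "strict"
    widened = not eku_oids or bool({ANY_PURPOSE, CLIENT_AUTH} & set(eku_oids))
    return "relaxed-only" if relaxed and widened else "rejected"


# Constructed sample data: a config snippet and EKU lists for four certificates.
SAMPLE_CONF = "# constructed sample\nsmartcard.allow.noeku: true\n"
SAMPLE_CERTS = {
    "piv-logon": [SMARTCARD_LOGON, CLIENT_AUTH],
    "vpn-client": [CLIENT_AUTH],
    "legacy-no-eku": None,
    "web-server": ["1.3.6.1.5.5.7.3.1"],  # id-kp-serverAuth only
}


def audit(conf_text, certs):
    """Map each certificate name to its verdict under the given configuration."""
    relaxed = allow_noeku(conf_text)
    return {name: classify(ekus, relaxed) for name, ekus in certs.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONF, SAMPLE_CERTS).items():
        print(f"{name:15} {verdict}")
```

Certificates reported as relaxed-only are the ones to review before enabling the policy, since they were not issued with the smart card logon object identifier.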
After changing the value of this parameter, you must re-enable smart card support by running the following sctool command as root:
[root]$ sctool -E
Note: You must also specify the - --pkinit parameter when you run sctool with the