How the login screen appears for a multi-user card
When a user inserts a multi-user card, the smart card login shows a generic username and password login screen. The user may select one of the accounts provisioned for the card by typing the account name in the Name box. In the Password box, the user must enter the PIN for the card, not the password for the account.
If the user is not enabled for the zone, or is not a valid Active Directory user at all, the smart card login dialog is replaced by the previous login screen, either a list of local users or username and password text entry fields.
The user will be successfully logged in if the following conditions are met:
- The user enters the correct PIN for the smart card.
- The card is trusted by the domain and has not been revoked. The card is checked locally first, online or offline, to ensure that the issuing certificate authority is trusted by the Mac computer via keychain trusts, which are set up when the computer joins the domain, and which are periodically refreshed
Checking is performed by the domain controller when online, and by the keychain service based on cached CRLs when offline. If the user is not connected to the network but has previously logged on — with a smart card or in some other way — Mac OS X gets the name from the log on screen and looks up the user in the cached data.
If login fails, no feedback is provided to the user as to why the login is being denied — as is the case when logging in with a password. Information is logged into system log files that can help determine the reason for a denied login, including
/var/log/secure.log, and the Centrify log file (
/var/log/centrifydc.log) if logging is enabled.
Screen saver shows password not PIN prompt
Most smart card users are allowed to log on with a smart card and PIN only — they cannot authenticate with a user name and password. However, it is possible to configure users for both smart card/PIN and user name/password authentication. Generally, this set up works seamlessly: the user either enters a user name and password at the log on prompt, or inserts a smart card and enters a PIN at the prompt.
However, for multi-user cards, it can be problematic when the screen locks and the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters his password multiple times, the card will lock once the limit for incorrect entries is reached.