How the login screen appears for a single-user card

When a user inserts a single-user card, the smart card login shows the name of the user for whom the card is provisioned, and provides a single text box in which the user can type the PIN associated with the card.

If the user is not enabled for the zone, or is not a valid Active Directory user at all, the smart card login dialog is replaced by the previous login screen, either a list of local users or username and password text entry fields.

The user will be successfully logged in if the following conditions are met:

  • The user enters the correct PIN for the smart card.
  • The card is trusted by the domain and has not been revoked. The card is checked locally first, online or offline, to ensure that the issuing certificate authority is trusted by the Mac computer via keychain trusts, which are set up when the computer joins the domain and which are periodically refreshed.

Checking is performed by the domain controller when online, and by the keychain service based on cached CRLs when offline. If the user is not connected to the network but has previously logged on — with a smart card or in some other way — Mac OS X gets the UPN from the card and looks up the user in the cached data.

If login fails, no feedback is provided to the user as to why the login is being denied — as is the case when logging in with a password. Information is logged into system log files that can help determine the reason for a denied login, including: /var/log/system.log, /var/log/secure.log, and the Centrify log file (/var/log/centrifydc.log) if logging is enabled.
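The decision flow described above, written out as an added illustrative model (not Centrify code); the field names, reason strings and the assumption that an offline user with no cached logon data cannot be found are choices made for this example.

```python
from dataclasses import dataclass, field

# Illustrative model of the smart card login flow (example code, not Centrify's).
# Field names and reason strings below are assumptions chosen for this example.

@dataclass
class Card:
    upn: str              # user principal name read from the card
    pin_ok: bool          # the PIN typed into the dialog matches the card
    issuer_trusted: bool  # issuing CA is in the keychain trusts set up at domain join
    revoked: bool         # as reported by the DC (online) or the cached CRL (offline)

@dataclass
class Host:
    online: bool
    zone_enabled_users: set
    ad_users: set
    cached_users: set     # users who have logged on before, by any method
    log: list = field(default_factory=list)  # stands in for system.log/secure.log/centrifydc.log

def smartcard_login(card: Card, host: Host) -> str:
    """Return 'fallback', 'denied' or 'success'. Denial reasons go only to the
    log, mirroring the page: the user is given no feedback on why login failed."""
    # Not a valid AD user or not enabled for the zone: show the standard login screen.
    if card.upn not in host.ad_users or card.upn not in host.zone_enabled_users:
        host.log.append(f"{card.upn}: not an enabled AD user in the zone; standard login shown")
        return "fallback"
    reasons = []
    if not card.pin_ok:
        reasons.append("incorrect PIN")
    if not card.issuer_trusted:          # local keychain trust check runs online or offline
        reasons.append("issuing CA not trusted by keychain")
    if host.online:
        if card.revoked:                 # revocation checked by the domain controller
            reasons.append("certificate revoked (domain controller check)")
    else:
        if card.revoked:                 # revocation checked against cached CRLs
            reasons.append("certificate revoked (cached CRL)")
        if card.upn not in host.cached_users:  # assumed: UPN lookup in cached data fails
            reasons.append("offline and no cached logon data for this user")
    if reasons:
        host.log.append(f"{card.upn}: login denied: " + "; ".join(reasons))
        return "denied"
    host.log.append(f"{card.upn}: smart card login succeeded")
    return "success"
```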