Understanding what happens after login
A user who is logged in with a smart card has access to the same Mac and Access Manager features and behaviors as a user who is logged in with a username and password. For example, the user’s network home directory is mounted (if so configured), a mobile user is created (if enabled in Group Policy), and so on.
Note: In general the user experience is the same in both connected and disconnected modes, with the exception of single sign-on (SSO). Because Access Manager does not cache the smart card’s PIN, SSO is only available for smart card login while connected to the domain.
Of course, certain behaviors and system responses are specific to smart card login:
- If the user removes the smart card after login, the response of the system depends on whether the group policy Lock smart card screen is enabled in the domain. If it is enabled (and the System Preference to require a password after the screen saver begins is not set), the screen locks. Otherwise, the screen does not lock and the user may continue working.
- If the user inserts a smart card while the screen saver is active, the response depends on whether Lock smart card screen is enabled in the domain. If it is, the screen saver deactivates. If the policy is not enabled, the screen saver continues running until the user moves the mouse or touches a key.
- When the screen saver deactivates, the system response depends on the following:
  - If Require password to wake this computer from sleep or screen saver (and the local version of this policy, if it is not overridden by group policy) is set, the user is prompted to authenticate when the screen saver is deactivated.
  - Otherwise, if Lock smart card screen is set, and the screen saver was activated by the user removing the smart card, the user is prompted to authenticate.
  - If neither of these policies is set, the user is not prompted to authenticate when the screen saver deactivates.
If the user is prompted to authenticate when the screen saver deactivates, the type of prompt depends on whether a smart card is inserted into the reader at that moment, and the type of card. If a single-user smart card is inserted into the reader, the user is prompted for the PIN associated with that card. If a multi-user smart card is inserted into the reader, the user is prompted for a name and password — note, however, that the Password box requires the PIN for the card, not the user account password.
If a card is not inserted in the reader, the user is not prompted for a password. The reason the screen saver was activated (smart card removal or idle time) has no effect on the type of prompt that is issued when the screen saver deactivates.
Do not use local users who conflict with Active Directory users
When you configure a user for a smart card, be certain that the Active Directory username does not match that of a local user.
In general, to avoid potential conflicts, Centrify does not recommend creating a local user with the same username as an Active Directory user, although such a configuration does not necessarily cause problems. However, configuring a smart card user with the same name as a local user is inherently unstable and can cause unpredictable results.
For a standard login, a local user is always logged in instead of an Active Directory user of the same name because the local account database is checked for authentication before Active Directory. However, the authentication mechanism is different for smart card login, so the Active Directory user on the card will be authenticated instead of the local user, unless the local user has been configured explicitly for the smart card.
Although the Active Directory user is logged in, some commands and applications will look up and apply information for the local user because the Mac directory database is consulted before Active Directory. This means that some of the group policy settings for smart card will not be applied to the Active Directory user and the smart card will not operate properly.
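A quick way to catch such a clash before enabling a user for smart card login is to compare the Mac's local account list against the Active Directory names being enrolled. The script below is an added example, not Centrify tooling; it assumes `dscl . -list /Users` for the local account list and an administrator-supplied list of Active Directory names.

```shell
#!/bin/sh
# Added example (not Centrify's own tooling): report local macOS accounts whose
# names collide with the Active Directory accounts about to be enabled for
# smart card login. Local names come from `dscl . -list /Users` on a Mac; the
# AD names are supplied by the administrator. Names are compared
# case-insensitively, an assumption made because Active Directory treats
# account names that way.

# Print local user names, one per line. System accounts (leading "_") are
# skipped. Prints nothing where dscl is unavailable (i.e. not on macOS).
local_users() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -list /Users | grep -v '^_'
    fi
}

# find_conflicts LOCAL_NAMES AD_NAMES
# Both arguments are whitespace-separated name lists. Prints each local name
# that also appears in the AD list, one per line, sorted. Exit status is 1
# when at least one clash exists and 0 when the lists are clean.
find_conflicts() {
    clashes=$(printf '%s\n' $1 | sort -u | awk -v ad="$2" '
        BEGIN {
            n = split(ad, names, /[[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (names[i] != "") seen[tolower(names[i])] = 1
        }
        $0 != "" && (tolower($0) in seen) { print }')
    if [ -n "$clashes" ]; then
        printf '%s\n' "$clashes"
        return 1
    fi
    return 0
}

# Usage on a Mac: pass the AD names to enroll as arguments, e.g.
#   sh check_users.sh jdoe asmith
if [ $# -gt 0 ]; then
    if find_conflicts "$(local_users)" "$*"; then
        echo "No local accounts conflict with the listed AD users."
    else
        echo "Rename or remove the local accounts above before enabling smart card login." >&2
    fi
fi
```

Run it on the Mac being configured, before the user is added to the smart card group policy, so that the conflicting local account can be renamed or removed first.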