Enabling support for multi-user PIV and multi-user smart cards

Note: Making the following changes results in an environment that supports multi-user PIV card login, which means users must always provide a unixname or UPN at login. Single-user PIV cards will continue to work; however, those users will also be required to provide a username. Military CACNG cards will no longer work if you change your environment to support multi-user PIV cards.

Configure Active Directory to support multi-user PIV cards and multi-user smart cards

The following steps are necessary to support multi-user PIV cards and multi-user smart cards in Active Directory.

  • On the computer acting as the Key Distribution Center (KDC), set the following registry key to 0 to disable UPN mapping:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\useSubjectAltName
  • Export the user smart card certificate and enable name mapping from that certificate to each user account associated with the card. Refer to the Microsoft TechNet blog post "Mapping One Smart Card to Multiple Accounts" for more information.

Configure Centrify to support multi-user PIV cards and multi-user smart cards

  • From the Group Policy Management Editor, enable the Disable smart card UPN mapping policy so that the login UI does not automatically pre-select the account matching the UPN found on the PIV card. This policy is found at Computer Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy. Refer to Security & Privacy for additional information.

    Tip: Alternatively, you can use the sctool command-line tool to disable smart card UPN mapping on an individual Mac for testing or evaluation purposes.

    • To disable smart card UPN mapping with sctool: sctool -u '###'

    • To enable smart card UPN mapping with sctool: sctool -u 'NT Principal Name'

  • On the Mac computer where you want to enable support for multi-user PIV cards, set the smartcard.name.mapping parameter in the /etc/centrifydc/centrifydc.conf file to true.
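To audit and apply the centrifydc.conf step above on a Mac, the following shell script is an added example, not part of the Centrify documentation. It assumes the "parameter: value" line format used by centrifydc.conf and that it runs with rights to write the file; it handles the cases where the parameter is missing, commented out, or already set to a different value.

```shell
#!/bin/sh
# Added example: audit and idempotently enforce smartcard.name.mapping in
# centrifydc.conf. Assumes the "parameter: value" line format (assumption).

CONF_KEY="smartcard.name.mapping"

# Print the effective value of CONF_KEY in file $1.
# Comment lines ("#") are ignored; the last active definition wins;
# "unset" is printed when no active definition exists.
conf_get() {
    awk -v k="$CONF_KEY" '
        { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "") }
        /^#/ { next }
        index($0, k ":") == 1 {
            v = substr($0, length(k) + 2)   # text after "key:"
            sub(/^[[:space:]]+/, "", v)
        }
        END { if (v == "") print "unset"; else print v }' "$1"
}

# Rewrite file $1 so that CONF_KEY is set to $2 exactly once.
# An active definition is replaced in place (duplicates dropped);
# commented-out lines are preserved; if absent, the setting is appended.
conf_set() {
    tmp="$1.tmp.$$"
    awk -v k="$CONF_KEY" -v want="$2" '
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            if (line !~ /^#/ && index(line, k ":") == 1) {
                if (!done) { print k ": " want; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k ": " want }' "$1" > "$tmp" \
        && cat "$tmp" > "$1" && rm -f "$tmp"   # cat keeps owner/mode
}

# Enforce "true" in the given file (default: the live centrifydc.conf).
enforce_name_mapping() {
    conf_file="${1:-/etc/centrifydc/centrifydc.conf}"
    current=$(conf_get "$conf_file")
    if [ "$current" = "true" ]; then
        echo "$CONF_KEY already true in $conf_file"
        return 0
    fi
    echo "$CONF_KEY is '$current' in $conf_file; setting it to true"
    conf_set "$conf_file" true
}
```

Run enforce_name_mapping as root on the Mac, then restart or reload the Centrify agent as described in the Centrify documentation so the new value takes effect.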