Enabling support for multi-user PIV and multi-user smart cards
If you plan to use multi-user PIV cards or multi-user smart cards with a Mac computer in your domain, you must make the following changes in your environment:
- Configure Active Directory to support multi-user PIV cards and multi-user smart cards
- Configure Centrify to support multi-user PIV cards and multi-user smart cards
Note: Making the following changes results in an environment that supports multi-user PIV card login. Because the card alone no longer identifies a single account, users must always supply a UNIX name or UPN when they log in. Single-user PIV cards continue to work, but their users must also supply a username. Military CAC NG cards no longer work once you change your environment to support multi-user PIV cards.
The following steps are necessary to support multi-user PIV cards and multi-user smart cards in Active Directory.
- On the computer acting as the Key Distribution Center (KDC), set the following registry key to 0 to disable UPN mapping (every domain controller that can service the logon acts as a KDC, so apply the change on each of them):
- Export the certificate from the user's smart card and enable name mapping from that certificate to each user account that will share the card (in Active Directory this mapping is stored in the account's altSecurityIdentities attribute). Refer to the Microsoft TechNet blog post "Mapping One Smart Card to Multiple Accounts" for more information.
- From the Group Policy Management Editor, enable the Disable smart card UPN mapping policy so that the login window no longer greets the user with the UPN read from the PIV card and instead prompts for a username. This policy is found at Computer Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy. Refer to Security & Privacy for additional information.
Tip: Alternatively, you can use the sctool command-line tool to disable smart card UPN mapping on an individual Mac for testing or evaluation purposes.
To disable smart card UPN mapping:
    sctool -u '###'
To enable smart card UPN mapping again:
    sctool -u 'NT Principal Name'
On the Mac computer where you want to enable support for multi-user PIV cards, set the smartcard.name.mapping parameter in the
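The Mac-side steps above (the sctool tip and the smartcard.name.mapping parameter) as one script. This is an added example, not Centrify's own tooling or a script from the original page. It assumes, because the page does not say, that the configuration file is /etc/centrifydc/centrifydc.conf, that parameters in it are "key: value" lines, and that the value to set for smartcard.name.mapping is true; the config-editing helpers are generic and can be tested on a scratch file without sctool or root privileges.

```shell
#!/bin/sh
# Added example (not Centrify's code): switch one Mac to multi-user PIV support.
# Assumptions not stated on the page: the Centrify config file path (override
# with CDC_CONF), the "key: value" line format, and the value "true".
CDC_CONF="${CDC_CONF:-/etc/centrifydc/centrifydc.conf}"

# get_conf_param FILE KEY
# Print the effective value of KEY: the last uncommented "KEY: value" line.
get_conf_param() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }                       # skip comments
        {
            i = index($0, ":"); if (i == 0) next  # not a key: value line
            lk = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", lk)
            if (lk == k) {
                v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                val = v
            }
        }
        END { print val }' "$1"
}

# set_conf_param FILE KEY VALUE
# Idempotently set "KEY: VALUE": replace the first existing definition of KEY
# (active or commented out), drop any duplicates, or append if there is none.
set_conf_param() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[ \t#]+/, "", line)            # look through leading "# " too
            i = index(line, ":")
            if (i > 0) {
                lk = substr(line, 1, i - 1); sub(/[ \t]+$/, "", lk)
                if (lk == k) {
                    if (!done) { print k ": " v; done = 1 }
                    next                          # replaced or dropped as duplicate
                }
            }
            print
        }
        END { if (!done) print k ": " v }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# The sctool invocations from the tip above (the page's own syntax).
# '###' disables UPN mapping so the login window asks for a username;
# 'NT Principal Name' restores the default UPN greeting.
disable_upn_mapping() { sctool -u '###'; }
enable_upn_mapping()  { sctool -u 'NT Principal Name'; }

# enable_multiuser_piv: apply both Mac-side changes (needs root and sctool).
enable_multiuser_piv() {
    command -v sctool >/dev/null 2>&1 || { echo "sctool not found; is Centrify installed?" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    disable_upn_mapping
    set_conf_param "$CDC_CONF" smartcard.name.mapping true   # assumed value
    echo "smartcard.name.mapping is now: $(get_conf_param "$CDC_CONF" smartcard.name.mapping)"
}

# Only touch the system when explicitly asked; sourcing the file just defines
# the helpers so they can be exercised on a scratch copy of the config first.
[ "${1:-}" = "apply" ] && enable_multiuser_piv
```

Run it as `sudo sh enable-multiuser-piv.sh apply` on the Mac; without the `apply` argument it only defines the helpers. After applying, log out and confirm that inserting a card produces a username prompt rather than a greeting for the UPN on the card, and to back the change out run `sctool -u 'NT Principal Name'` and set the parameter back.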