We recommend configuring your Active Directory domain and forest to use AES-128 or AES-256 encryption for Kerberos so that smart card login can be configured. DES and RC4 encryption are no longer supported. The other prerequisites for enabling smart card support depend on whether you have configured a single-user or a multi-user smart card.
For a single-user card, before enabling smart card support, make sure you do the following:
- Provision a smart card with an NT principal name and PIN.
  Refer to Supported smart card profiles to verify that the profile on your smart card is supported by Centrify.
- Verify that the Active Directory Zone user’s UPN matches the UPN on the smart card.
For a multi-user card, before enabling smart card support, make sure you have the following in place:
- A Windows Server 2008 or above domain controller for authentication.
- The card is not configured with a UPN. If a card with a UPN is inserted, the Mac prompts for a PIN rather than prompting for a username and password.
- An administrator has added the certificate on the card to the name mapping for the users the card is associated with. See the Microsoft TechNet Blog post "Mapping One Smart Card to Multiple Accounts" for more information on how to do this.
For either type of card, verify that the public key infrastructure to support smart card login is operational on the Windows computer running Active Directory and Access Manager. If the user is able to log in to a Windows computer with a smart card, and you have a card reader and a fully-provisioned card for the Mac computer, the user should be able to log in to the Mac computer once you configure it for smart card support.
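As an added example (this is not part of the Centrify documentation or product), the following PowerShell script checks two of the prerequisites above from a domain-joined Windows computer: whether each domain controller's computer account advertises AES, and not only DES or RC4, in its msDS-SupportedEncryptionTypes attribute, and whether the UPN in a single-user card's logon certificate matches the Active Directory user's UPN. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the card's certificate has been exported to a .cer file; the account name jdoe and the file path are placeholders to replace.

```powershell
# Added example; not Centrify's own code. Assumes the RSAT ActiveDirectory
# module and a .cer file exported from the smart card. $SamAccountName and
# $CertPath are placeholders.
param(
    [string]$SamAccountName = 'jdoe',
    [string]$CertPath       = 'C:\temp\jdoe-smartcard.cer'
)

Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute.
$EtypeFlags = @(
    @{ Bit = 0x01; Name = 'DES_CBC_CRC'; Weak = $true  },
    @{ Bit = 0x02; Name = 'DES_CBC_MD5'; Weak = $true  },
    @{ Bit = 0x04; Name = 'RC4_HMAC';    Weak = $true  },
    @{ Bit = 0x08; Name = 'AES128';      Weak = $false },
    @{ Bit = 0x10; Name = 'AES256';      Weak = $false }
)

function Get-EtypeReport {
    param([string]$Name, [object]$Value)
    # An unset attribute means the account falls back to the default, which is
    # RC4 only; report it explicitly instead of letting it pass silently.
    if ($null -eq $Value) {
        return [pscustomobject]@{ Account = $Name; Enabled = '(not set: RC4 default)'; AesOnly = $false }
    }
    $v       = [int]$Value
    $enabled = @($EtypeFlags | Where-Object { ($v -band $_.Bit) -ne 0 })
    $hasAes  = @($enabled | Where-Object { -not $_.Weak }).Count -gt 0
    $hasWeak = @($enabled | Where-Object { $_.Weak }).Count -gt 0
    [pscustomobject]@{
        Account = $Name
        Enabled = (($enabled | ForEach-Object { $_.Name }) -join ',')
        AesOnly = ($hasAes -and -not $hasWeak)
    }
}

# 1. Kerberos encryption types advertised by each domain controller's computer account.
Write-Host 'Domain controller Kerberos encryption types:'
Get-ADDomainController -Filter * | ForEach-Object {
    $c = Get-ADComputer -Identity $_.ComputerObjectDN -Properties 'msDS-SupportedEncryptionTypes'
    Get-EtypeReport -Name $_.HostName -Value $c.'msDS-SupportedEncryptionTypes'
} | Format-Table -AutoSize

# 2. The user's AD UPN must match the UPN carried in the card certificate's
#    Subject Alternative Name (a single-user card; a multi-user card has none).
$user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, 'msDS-SupportedEncryptionTypes'
Write-Host "Encryption types for user $($user.SamAccountName):"
Get-EtypeReport -Name $user.SamAccountName -Value $user.'msDS-SupportedEncryptionTypes' | Format-Table -AutoSize

$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$cardUpn = $null
if ($san) {
    # Format() renders the SAN as text such as "Other Name:Principal Name=jdoe@example.com".
    if ($san.Format($false) -match 'Principal Name=([^\s,]+)') { $cardUpn = $Matches[1] }
}

if (-not $cardUpn) {
    Write-Warning 'No UPN found in the certificate SAN (expected for a multi-user card; a problem for a single-user card).'
} elseif ($cardUpn -eq $user.UserPrincipalName) {   # -eq is case-insensitive, as UPN comparison should be
    Write-Host "OK: card UPN '$cardUpn' matches the AD UPN for $($user.SamAccountName)."
} else {
    Write-Warning "Mismatch: card UPN '$cardUpn' differs from AD UPN '$($user.UserPrincipalName)'."
}
```

The per-account attribute is only part of the picture: the "Network security: Configure encryption types allowed for Kerberos" policy applied to the domain controllers also governs which etypes the KDC will negotiate, so a report showing AES here should be confirmed against that policy before treating the AES prerequisite as met.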