Requiring smart card login

To fully support smart card login, do either of the following:

  • Configure a computer to require smart card login by enabling the Require smart card login group policy (Computer Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Require smart card login). When you enable this policy, no one can log in to a computer to which the policy applies with a user name and password; users must insert a smart card unless you create an exception group. An exception group is simply an Active Directory group that you create and add to this group policy to allow group members to log in, if necessary, with a user name and password. The purpose of an exception group is to allow users to log in temporarily if they do not have their smart card in hand.

    Note:   If you set this policy, be certain that all users have their passwords set to never expire. Otherwise, if a password expires, a user may be unable to log in with a smart card and may see a potentially confusing error message about changing their password. If you use the option to require smart card login for specific users, as explained in the next bullet, you can ignore password expiration.

  • Set an individual user’s account options to require login with a smart card, as shown in the following procedure. When you set this option, the user cannot interactively log in to a computer with a user name and password but must insert a smart card. Do not use this option if you want to allow specific users to log in temporarily with a user name and password in case they do not have their smart card with them. In this case, use the Require smart card login group policy and create and add an exception group.

To require smart card login for a specific user:

  1. Open the Access Manager console or Active Directory Users and Computers.
  2. Select the user. For example, in the Access Manager console, open domainName > Zones > zoneName > Users > userName.
  3. Right-click the userName and select Properties.
  4. Select the Account tab.
  5. In Account options, scroll until Smart card is required for interactive logon is visible, then select it.
  6. Click OK.
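
The following PowerShell sketch is an added example, not part of the vendor documentation. It audits the accounts affected by the two options above and sets the same account option as the procedure from the command line. It assumes the ActiveDirectory module (RSAT) is installed; the group names and the user name `jdoe` are hypothetical placeholders.

```powershell
Import-Module ActiveDirectory

# Hypothetical group names; replace with your own.
$ScopeGroup     = 'Mac-SmartCard-Users'       # users of computers covered by the group policy
$ExceptionGroup = 'Mac-SmartCard-Exceptions'  # exception group added to the group policy

function Get-SmartCardLoginAudit {
    param([string]$ScopeGroup, [string]$ExceptionGroup)

    # Distinguished names of everyone allowed to fall back to user name and password.
    $exceptions = @(Get-ADGroupMember -Identity $ExceptionGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty distinguishedName)

    Get-ADGroupMember -Identity $ScopeGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                -Properties SmartcardLogonRequired, PasswordNeverExpires
            $inException = $exceptions -contains $u.DistinguishedName
            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                SmartcardRequired    = [bool]$u.SmartcardLogonRequired
                PasswordNeverExpires = [bool]$u.PasswordNeverExpires
                InExceptionGroup     = $inException
                # Note above: under the group policy, an expiring password can block
                # smart card login unless the per-user option is set.
                ExpiryRisk           = (-not $u.PasswordNeverExpires) -and (-not $u.SmartcardLogonRequired)
                # The per-user option rules out password fallback, so membership in the
                # exception group does not help these users.
                ExceptionConflict    = $inException -and [bool]$u.SmartcardLogonRequired
            }
        }
}

function Set-SmartCardRequired {
    # Scripted equivalent of selecting "Smart card is required for interactive logon".
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Require smart card for interactive logon')) {
        Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $true
    }
}

Get-SmartCardLoginAudit -ScopeGroup $ScopeGroup -ExceptionGroup $ExceptionGroup |
    Format-Table -AutoSize
# Preview the change for one user before applying it:
# Set-SmartCardRequired -SamAccountName 'jdoe' -WhatIf
```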