Understanding smart card login
Smart cards provide an enhanced level of authentication security for logging in to an Active Directory domain. Configuring a smart card for use on a Mac computer that is running the DirectControl agent requires that you have already set up the smart card for use in a Windows domain. You do not need to add any smart card infrastructure to the Mac computer other than a smart card reader and a provisioned smart card.
In a Windows environment, a smart card may be set up either for a single user account or for multiple user accounts. For example, an individual contributor might have access to a single Active Directory account that he uses for all his work. In this case, the card is set up for a single user and is linked directly to a UPN (user principal name). When the user inserts the card to log on, the smart card system looks up the UPN in Active Directory and prompts for the card's PIN.
Windows 2008 also provides a name-mapping feature that enables configuring a smart card with multiple user accounts. For example, a user might want to log in with a regular account to check mail or perform routine tasks, but log in with an administrator’s account to perform privileged tasks. To set up a card for multiple users, an administrator maps a certificate to each user account on the card. When a user inserts the card to log on, the smart card system prompts the user to select which account to use, and prompts for the card’s PIN.
If you have set up smart card login for Windows clients in a domain, you can use Access Manager to configure smart card login for Mac clients joined to the same domain. If you have provisioned a smart card for use on a Windows computer — either for a single user or multiple users — once you configure smart card support for a Mac computer, you can use the same smart card to log in to a Mac computer.
Note: Configuring smart card support in Access Manager is nearly the same for a single-user or multi-user card with the exception that for multi-user cards, you must set an extra configuration parameter as explained in Enabling support for multi-user PIV and multi-user smart cards.
Setting up a single user smart card login for Windows requires either:
- A Microsoft enterprise root certification authority; see the Microsoft TechNet article: Install an enterprise root certification authority.
- A third party certification authority — see the Microsoft KB article: Guidelines for enabling smart card logon with third-party certification authorities.
Setting up a multi-user smart card login for Windows requires mapping the certificate on the card to each of the user accounts with which the card is associated. See the Microsoft TechNet blog post "Mapping One Smart Card to Multiple Accounts" for more information on how to do this.
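The following PowerShell script is an added example and is not part of this documentation or the Access Manager product. It shows, for one exported smart card certificate, the two identities Windows can use to find the account (the UPN for a single-user card, and an explicit altSecurityIdentities mapping for a multi-user card), then audits which Active Directory accounts already carry that mapping. It goes slightly beyond the page by building the issuer-plus-serial form of the mapping as well as the issuer-plus-subject form; it assumes the RSAT ActiveDirectory module, a .cer export of the card's certificate, and placeholder account names.

```powershell
<#
 Added example (not Centrify documentation code). Assumes the
 ActiveDirectory module and a .cer export of the card certificate.
 Account names passed in -AccountsToMap are placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $CertPath,
    [string[]] $AccountsToMap = @()   # e.g. 'alice', 'alice-admin' (placeholders)
)
Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Single-user card: Windows finds the account by the UPN in the
# Subject Alternative Name extension (OID 2.5.29.17).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$upn = if ($san -and $san.Format($false) -match 'Principal Name=([^,\s]+)') { $Matches[1] } else { '<none>' }
Write-Host "UPN in certificate : $upn"

# Multi-user card: each account carries an altSecurityIdentities value.
# The attribute wants RDNs root-first, so "CN=Issuing CA, DC=example, DC=com"
# becomes "DC=com,DC=example,CN=Issuing CA". Assumes no RDN value contains
# an embedded comma (a quoted value would need a real DN parser).
function Convert-ToReversedDN([string] $dn) {
    $rdns = @($dn -split ', ')
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}
$issuer = Convert-ToReversedDN $cert.Issuer

# Issuer + serial (serial written in reversed byte order) binds the mapping
# to this exact certificate; issuer + subject also works but is a weaker binding.
$serialPairs = @([regex]::Matches($cert.SerialNumber, '..') | ForEach-Object { $_.Value })
[array]::Reverse($serialPairs)
$serialMap  = "X509:<I>$issuer<SR>$($serialPairs -join '')"
$subjectMap = "X509:<I>$issuer<S>$(Convert-ToReversedDN $cert.Subject)"
Write-Host "Issuer/serial map  : $serialMap"
Write-Host "Issuer/subject map : $subjectMap"

# Audit: which accounts can this one card already log on as?
$mapped = Get-ADUser -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities |
    Where-Object { $_.altSecurityIdentities -contains $serialMap -or $_.altSecurityIdentities -contains $subjectMap }
Write-Host ('Accounts mapped to this card: ' + (($mapped.SamAccountName -join ', ') -replace '^$', '<none>'))

# Optionally add the issuer/serial mapping to the listed accounts (one card, many accounts).
foreach ($acct in $AccountsToMap) {
    Set-ADUser -Identity $acct -Add @{ altSecurityIdentities = $serialMap }
}
```

Run the audit step alone (no -AccountsToMap) to review how many accounts a single card can reach before adding any further mappings.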
For more information about how Access Manager supports smart card login, see the following video chalk talks:
Smart Card for Mac Part 1: Introduction to Active Directory Integration, which provides a basic introduction to smart card for Access Manager.
Smart Card for Mac Part 2: Architecture & Authentication Flow, which provides technical details about the Access Manager implementation of smart card.