User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy Settings > Keychain Policies
On OS X 10.11, you can create a keychain protected by a smart card token or a password. Once the Enable smart card protected keychain group policy takes effect, the token-protected keychain can only be unlocked with a PIN when the associated smart card is present. This group policy can be configured to allow users who lose or forget their smart card to continue to log in with a password. In this case, a new password-protected keychain is created to ensure users can continue to log in to their account; however, keychain items are not transferred from the token-protected keychain to the password-protected keychain.
This feature is not supported on OS X 10.10 and earlier.