Before you configure smart card authentication

To use a smart card to log on to a Red Hat Linux, CentOS, Debian, or Ubuntu computer, verify that the computers meet these requirements:

  • Are running one of the following operating systems:

    • Red Hat Linux (32- or 64-bit) version 5.6 or later

    • CentOS version 5.6 or later

    • Ubuntu 18.04.x LTS, 20.04.x LTS and 21.04 (amd64)

    • Debian 9.x and 10.x (amd64)

      Note: For Debian and Ubuntu systems, be sure to have the opensc-pkcs11, pcscd, and libnss3-tools packages installed.

  • Are running the GNOME desktop. The agent does not support use of a smart card with the KDE desktop.

  • If a system is running Red Hat Linux or CentOS 8.0 or later, the system needs Centrify Agent for *NIX version 5.7.0 or later.

  • If a system is running Debian or Ubuntu, the system needs Centrify Agent for *NIX version 5.8.0 or later.

  • Are joined to the Windows domain.

  • Have a supported smart card reader attached.
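
A pre-flight script for the operating system, package, desktop, and agent-version requirements above, added here as an example (it is not Centrify's code). The function names are hypothetical, the installed agent version is passed in as an argument, and /etc/os-release is assumed to exist; domain membership and the card reader are not checked.

```shell
# Added example; function names are hypothetical. Assumes /etc/os-release exists.
# version_ge A B: succeed when dotted version A >= B (numeric, field by field).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# os_supported ID VERSION_ID: is this release in the supported list above?
os_supported() {
    case "$1:$2" in
        rhel:*|centos:*) version_ge "$2" 5.6 ;;
        ubuntu:18.04*|ubuntu:20.04*|ubuntu:21.04) return 0 ;;
        debian:9|debian:9.*|debian:10|debian:10.*) return 0 ;;
        *) return 1 ;;
    esac
}

# min_agent_for ID VERSION_ID: print the minimum agent version stated above, if any.
min_agent_for() {
    case "$1" in
        debian|ubuntu) echo 5.8.0 ;;
        rhel|centos) if version_ge "$2" 8.0; then echo 5.7.0; fi ;;
    esac
}

# preflight AGENT_VERSION: report every unmet prerequisite; non-zero status if any.
preflight() (
    . /etc/os-release; fail=0
    os_supported "$ID" "$VERSION_ID" || { echo "FAIL: $ID $VERSION_ID unsupported"; fail=1; }
    need=$(min_agent_for "$ID" "$VERSION_ID")
    [ -z "$need" ] || version_ge "$1" "$need" || { echo "FAIL: agent $1 < $need"; fail=1; }
    case "$ID" in debian|ubuntu)
        for p in opensc-pkcs11 pcscd libnss3-tools; do
            dpkg-query -W -f='${Status}' "$p" 2>/dev/null |
                grep -q 'ok installed' || { echo "FAIL: package $p missing"; fail=1; }
        done ;;
    esac
    case "${XDG_CURRENT_DESKTOP:-}" in *GNOME*) ;; *) echo "FAIL: session is not GNOME"; fail=1 ;; esac
    exit "$fail"
)

if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it inside the desktop session of the target computer with the installed agent version as the only argument; each unmet requirement is printed on its own line.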

Other prerequisites for enabling smart card support differ depending on whether you have configured a single-user or multi-user smart card.

For a single-user card, before enabling smart card support, make sure you do the following:

  • Provision a smart card with an NT principal name and PIN. Currently, Access Manager supports Common Access Card (CAC), Personal Identity Verification (PIV), cards with both CAC and PIV profiles (CACNG), and Alternative Logon Token (ALT) smart cards.
  • Verify that the Active Directory Zone user’s UPN matches the UPN on the smart card.

For a multi-user card, before enabling smart card support, make sure you have the following in place:

  • A Windows Server 2008, or later, domain controller for authentication.
  • The card is not configured with a UPN. If a card with a UPN is inserted, the computer prompts for a PIN rather than prompting for a user name and password.
  • An administrator has added the certificate on the card to the name mapping for the users the card is associated with. See the following Microsoft TechNet Blog post: “Mapping One Smart Card to Multiple Accounts” for more information on how to do this.

For either type of card, verify that the public key infrastructure to support smart card login is operational on the Windows computer running Active Directory and Access Manager. If the user is able to log in to a Windows computer with a smart card, and you have a card reader and a fully provisioned card for the Linux computer, the user should be able to log in to the Linux computer once you configure it for smart card support.

Although the Linux computer has its own infrastructure for enabling and managing smart card authentication, the Centrify Agent for *NIX and smart card utility (sctool) enable authentication through Active Directory. After you enable smart card support through the Centrify Agent, the Red Hat smart card configuration options have no effect.