Enforcing Smart Card Authentication

By default, enabling smart card support does not force all users to log on using a smart card. If you want to require all Active Directory users to authenticate by using a smart card, you have the option to configure a computer group policy. If you want to require only specific Active Directory users to authenticate by using a smart card, you can configure their user account properties to require a smart card for authentication.

You can enable the “Require smart card login” group policy to ensure that all Active Directory users logging on to a computer must insert a smart card for authentication. If you enable this policy, Active Directory users who forget their smart card will be unable to log on to their computers. However, you can add exceptions to this group policy to allow users who forget their smart card to log on using their user name and password on the computers where the policy with exceptions applies.

If you use this approach to enforce smart card login for all users, be certain that all users have their accounts set with the “Password never expires” option. If a user attempts to log on with a smart card but the password for the account has expired, the smart card login fails with an error message about changing the password, even though the password itself is never typed. If you use the account option to require a smart card for specific users instead, you can ignore password expiration for those accounts.

Enforcing smart card authentication applies to all forms of logon, including GUI login, SSH, telnet, and so on. However, it is enforced for Active Directory users only. If a computer is configured with one or more local accounts, those accounts are still able to log on with a password even if you set the group policy to require smart card authentication, so review local accounts separately if the goal is to eliminate password logon on the computer.
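The password-expiration pitfall above is easy to audit before the group policy is enabled. The following PowerShell script is an added example, not part of the original page or of the Centrify product: it lists enabled Active Directory users in an OU who are not covered by the exception group and whose accounts lack “Password never expires”, flagging the ones whose password has already expired (those will fail smart card logon immediately). The OU path and the group name are placeholders you replace with your own; the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the original page): find AD accounts that will fail
# "Require smart card login" because their password can expire or has expired.
# Assumptions: RSAT ActiveDirectory module available; the OU and the exception
# group name below are placeholders for your environment.
Import-Module ActiveDirectory

$SearchBase     = 'OU=Linux Users,DC=example,DC=com'   # assumed OU holding the affected users
$ExceptionGroup = 'SmartCard-Exceptions'                # assumed AD group named in the policy's exception list

# Members of the exception group may still log on with a password, so skip them.
$exempt = @{}
Get-ADGroupMember -Identity $ExceptionGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $exempt[$_.SamAccountName] = $true }

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties PasswordNeverExpires, PasswordExpired, PasswordLastSet, SmartcardLogonRequired

$report = foreach ($u in $users) {
    if ($exempt.ContainsKey($u.SamAccountName)) { continue }
    # Accounts with the per-user "Smart card is required" option are not subject
    # to the expiry problem described in the text, so they are not reported.
    if ($u.SmartcardLogonRequired) { continue }
    if (-not $u.PasswordNeverExpires) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            PasswordExpired = $u.PasswordExpired
            PasswordLastSet = $u.PasswordLastSet
            Problem         = if ($u.PasswordExpired) {
                                  'Expired now: smart card logon will fail'
                              } else {
                                  'Will expire: set "Password never expires"'
                              }
        }
    }
}

$report | Sort-Object PasswordExpired -Descending | Format-Table -AutoSize

# Remediation after review (uncomment to apply). Note that "User must change
# password at next logon" (pwdLastSet = 0) is a separate state that this flag
# does not clear; those accounts still need a password set first.
# $report | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires $true }
```

Run it once before enabling the policy and again after the first group policy refresh; any account still listed with PasswordExpired = True is a user who will be locked out of every logon path the policy covers.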

Steps

To require smart card login, complete one of these procedures:

  • To require smart card login for all users on a computer
  • To require smart card login for a specific user

To require smart card login for all users on a computer

  1. On a Windows computer, open Group Policy Management and select the Group Policy object where you enabled smart card support for Red Hat Linux computers; right-click the Group Policy object, then click Edit.

  2. In the Group Policy Management Editor, expand Computer Configuration > Policies > Centrify Settings > Linux Settings, click Security, then double-click Require smart card login.

  3. Select Enabled.

    Click Add if you want to add exceptions to this group policy now, then click Browse to search for and select the Active Directory group allowed to log on using a user name and password if they forget their smart card. If you only want to configure exceptions when they are needed, click OK to enable the group policy without exceptions.

  4. To apply the group policy immediately to any computer, you must restart the computer or run the adgpupdate command on it.

    Otherwise, all affected computers will be updated automatically at the next group policy update interval.

To require smart card login for a specific user

  1. On a Windows computer, open the Access Manager console or Active Directory Users and Computers.

  2. Select the user.

    For example, in the Access Manager console, open domainName > Zones > zoneName > UNIX Data > Users.

  3. Right-click the user’s name and select AD Properties.

  4. In the User Properties window for the user, click the Account tab.

  5. In “Account options”, scroll until Smart card is required for interactive logon is visible, then select it.


  6. Click OK.
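The checkbox set in steps 4 and 5 is the ADS_UF_SMARTCARD_REQUIRED bit (0x40000) of the user's userAccountControl attribute, which is what the Linux agent checks. The following PowerShell is an added example, not part of the original page or of the Centrify product: it sets the same option for one user with Set-ADUser and then verifies the bit directly rather than trusting the dialog. The account name is a placeholder; the script assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original page): require a smart card for one user
# from PowerShell instead of the ADUC dialog, then verify the underlying
# userAccountControl bit. 'jdoe' is a placeholder account name; assumes the
# RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$Sam = 'jdoe'
$ADS_UF_SMARTCARD_REQUIRED = 0x40000   # 262144: the bit behind "Smart card is required for interactive logon"

$before = Get-ADUser -Identity $Sam -Properties userAccountControl, PasswordLastSet

# Same effect as ticking the checkbox on the Account tab.
Set-ADUser -Identity $Sam -SmartcardLogonRequired $true

$after  = Get-ADUser -Identity $Sam -Properties userAccountControl, SmartcardLogonRequired, PasswordLastSet
$bitSet = ($after.userAccountControl -band $ADS_UF_SMARTCARD_REQUIRED) -ne 0

if (-not ($bitSet -and $after.SmartcardLogonRequired)) {
    throw ("Smart card requirement not applied to {0} (userAccountControl=0x{1:X})" -f `
           $Sam, $after.userAccountControl)
}

"{0}: smart card required" -f $Sam
"  userAccountControl: 0x{0:X} -> 0x{1:X}" -f $before.userAccountControl, $after.userAccountControl
"  PasswordLastSet:    {0} -> {1}" -f $before.PasswordLastSet, $after.PasswordLastSet
```

Comparing PasswordLastSet before and after is deliberate: current Windows domain controllers set a random password on the account when this flag is turned on, which is why the text says password expiration can be ignored for accounts configured this way, and it also means any script or service that was still using that user's password stops working at the same moment.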