How the login screen appears for a multi-user card

When a user inserts a card that is provisioned for multiple users, the smart card login screen shows a Username box in which the user enters the name of the account to use.

When the system finds the user account in Active Directory, it prompts the user to enter the PIN for the card.

If the user is not enabled for the zone, or is not a valid Active Directory user at all, the smart card login dialog is replaced by the standard login screen: either a list of local users, or username and password text entry fields.

The user will be successfully logged in if the following conditions are met:

  • The user enters the correct PIN for the smart card.
  • The card is trusted by the domain and has not been revoked. The certificate on the card is first checked locally, whether the computer is online or offline, to confirm that the issuing certificate authority is trusted by the Red Hat Linux computer through the certification authority trust chain. That chain is set up when the computer joins the domain and is refreshed periodically.

Revocation checking is performed by the domain controller when the computer is online, and by a local service using cached CRLs when the computer is offline. Because an offline check can only consult the CRL cached at the last refresh, a card revoked after that refresh is still accepted until the computer reconnects and the CRL is refreshed. If the computer is not connected to the network but the user has previously logged on, with a smart card or in some other way, the Centrify agent takes the name entered on the login screen and looks up the user in its cached data.
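The two checks described above, the chain to a trusted issuing CA and the revocation check against whatever CRL the computer holds, can be reproduced with openssl. The script below is an added example, not code from the Centrify documentation or the Centrify agent: it builds a throwaway issuing CA and user certificates in a temporary directory (all constructed here, no real Active Directory CA is involved), then runs the same two-stage decision against a stale cached CRL, a refreshed CRL, and a certificate from an unrelated CA. The function and file names (card_check, crl-old.pem, crl-new.pem) are the example's own.

```shell
#!/bin/sh
# Added example, not from the Centrify documentation: reproduce the agent's
# two checks (trusted issuing CA, then revocation) with a throwaway CA.
# Everything below is constructed in a temp dir; no real AD CA is involved.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/demo.cnf"
CA="$WORK/ca.pem"          # the issuing CA the computer trusts (from domain join)

# One minimal OpenSSL config shared by `req` (CA extensions) and `ca` (CRLs).
cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $CA
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
: > "$WORK/index.txt"
echo 01 > "$WORK/serial"
echo 01 > "$WORK/crlnumber"

# new_ca NAME CN : self-signed issuing CA (stand-in for the domain's CA)
new_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$CNF" -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# new_user NAME CANAME : user certificate (stand-in for the one on the card)
new_user() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" 2>/dev/null
}

# card_check CERT CRL : the decision as the page describes it. Stage 1 is the
# chain to a trusted issuing CA; stage 2 is revocation against the CRL this
# machine holds (the cached copy when offline). Prints a verdict, exits 0.
card_check() {
    if ! openssl verify -CAfile "$CA" "$1" >/dev/null 2>&1; then
        echo "rejected: issuing CA not trusted"
    elif ! openssl verify -CAfile "$CA" -crl_check -CRLfile "$2" "$1" >/dev/null 2>&1; then
        echo "rejected: certificate revoked"
    else
        echo "accepted"
    fi
}

new_ca ca "Example Issuing CA"
new_user alice ca
new_ca rogue "Unrelated CA"        # a CA the computer never trusted
new_user mallory rogue

CRL_OLD="$WORK/crl-old.pem"; CRL_NEW="$WORK/crl-new.pem"
openssl ca -config "$CNF" -gencrl -out "$CRL_OLD" 2>/dev/null    # CRL cached before revocation
openssl ca -config "$CNF" -revoke "$WORK/alice.pem" 2>/dev/null  # alice's card is revoked
openssl ca -config "$CNF" -gencrl -out "$CRL_NEW" 2>/dev/null    # CRL after the next refresh

echo "alice, stale cached CRL: $(card_check "$WORK/alice.pem" "$CRL_OLD")"
echo "alice, refreshed CRL:    $(card_check "$WORK/alice.pem" "$CRL_NEW")"
echo "mallory, any CRL:        $(card_check "$WORK/mallory.pem" "$CRL_NEW")"
```

The first line of output is the offline failure mode to keep in mind: with only the stale CRL available, alice's revoked certificate is still accepted, and it is rejected only once the refreshed CRL is in hand. The -crl_check flag checks the leaf certificate only; use -crl_check_all if intermediate CAs in the chain also need revocation checking.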

If login fails, no feedback is provided to the user as to why the login is being denied, just as when logging in with a password. Information that can help determine the reason for a denied login is written to the system log files (on Red Hat systems, /var/log/messages and /var/log/secure) and to the Centrify agent log (/var/log/centrifydc.log) if logging is enabled.

Screen saver shows password not PIN prompt

Most smart card users are allowed to log on with a smart card and PIN only; they cannot authenticate with a user name and password. However, it is possible to configure users for both smart card/PIN and user name/password authentication. Generally, this setup works seamlessly: the user either enters a user name and password at the login prompt, or inserts a smart card and enters a PIN at the prompt.

However, for multi-user cards it can be problematic when the screen locks while the card is in the reader. When the user attempts to unlock the screen, the system prompts for a password rather than a PIN, even though the PIN is required because the card is still in the reader. A user who does not realize the card is still inserted and enters the password repeatedly will lock the card once the limit for incorrect entries is reached. Users configured for both methods should therefore be warned that, while the card is in the reader, the unlock prompt accepts only the PIN.