How the login screen appears for a single-user card

When a user inserts a single-user card, the smart card login shows the name of the user for whom the card is provisioned, and provides a single text box in which the user can type the PIN associated with the card.

If the user is not enabled for the zone, or is not a valid Active Directory user at all, the smart card login screen is replaced by either a list of local users, or user name and password text entry fields.

The user will be successfully logged in if the following conditions are met:

  • The user enters the correct PIN for the smart card.
  • The card is trusted by the domain and has not been revoked. Whether the computer is online or offline, the card is first checked locally to ensure that the issuing certificate authority is trusted by the Red Hat Linux computer through the certification authority trust chain. That trust chain is set up when the computer joins the domain and is periodically refreshed.

Checking is performed by the domain controller when the computer is online, and by a local service, based on cached CRLs, when the computer is offline. If the user is not connected to the network but has previously logged on — with a smart card or in some other way — the Centrify agent gets the UPN from the card and looks up the user in the cached data.

If login fails, the user is given no feedback about why the login was denied. However, information that can help determine the reason for a denied login is written to various system log files (/var/log/system.log and /var/log/secure.log) and, if logging is enabled, to the Centrify log file (/var/log/centrifydc.log).
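Because the login screen gives no reason for a denial, an administrator has to pull the relevant entries out of those logs. The following shell function is an added example, not part of the Centrify documentation or tooling: it searches the three log files named above for a user and reports which logs could not be checked. The function name, output format and matching strategy are assumptions of this example.

```shell
#!/bin/sh
# Added example: collect log lines that mention a user after a denied
# smart card login. The default paths are the log files named on this page;
# everything else (names, output format) is an assumption of this example.
DEFAULT_LOGS="/var/log/system.log /var/log/secure.log /var/log/centrifydc.log"

# scan_denied_login USER_OR_UPN [LOGFILE...]
#   Prints "file:line-number:text" for each line that mentions the user, and
#   "SKIP file (reason)" for each log that is absent or unreadable.
#   Returns 0 if any line matched, 1 if none did, 2 on bad usage.
scan_denied_login() {
    name=${1:-}
    # Match on the part before "@" so that both the short login name and the
    # UPN read from the card are found (assumption: entries may use either).
    name=${name%%@*}
    if [ -z "$name" ]; then
        echo "usage: scan_denied_login USER_OR_UPN [LOGFILE...]" >&2
        return 2
    fi
    shift
    # Fall back to the page's log files (intentional word splitting).
    [ "$#" -gt 0 ] || set -- $DEFAULT_LOGS
    status=1
    for log in "$@"; do
        if [ ! -e "$log" ]; then
            # Expected for the Centrify log when logging is not enabled.
            echo "SKIP $log (not present)"
        elif [ ! -r "$log" ]; then
            echo "SKIP $log (not readable, re-run as root)"
        elif grep -HinwF -e "$name" "$log"; then
            # -w keeps "alice" from matching inside longer words.
            status=0
        fi
    done
    return "$status"
}

# Usage: scan_denied_login alice@example.com
```

A SKIP line for /var/log/centrifydc.log usually means Centrify logging is not enabled, so only the system logs were searched.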