For using the Smartcard login method, some additional configuration is necessary:

  1. Under Security > Login > Active Directory/Kerberos, activate Smartcard.
  2. Under Smartcard removal action, define what should happen when the smartcard is removed:
    • Log off: Performs a disconnect or log off of running sessions, removes all user related data from the thin client and prepares the thin client for the next user login.
    • Lock Thin Client: Locks the screen during sessions. Only the user who is already logged in can unlock the thin client with his smartcard and PIN. Additionally, select User password under User Interface > Screenlock / Screensaver > Options, to make the setting effective.
  3. Choose an appropriate PKCS#11 module under Security > Smartcard > Middleware > Custom PKCS#11 module.

    The smartcards for this login must be supported by a PKCS#11 module which can access the certificates on the smartcard.

Kerberos login with a smartcard involves certificates. The root certificate of the certificate used by the key distribution center (domain controller) must therefore be available on the thin client. Either the root certificate is one of the public trusted certificate authorities or it must be deployed to the thin client, see Deploying Trusted Root Certificates.

When using Windows 2000 or Windows Server 2003-based domain controllers in combination with smartcard login, the parameter auth.krb5.realms.pkinit.pkinit_win2k has to be activated in the registry. This enables the use of an earlier protocol version of PKINIT preauthentication.