For using the Smartcard login method, some additional configuration is necessary:

  1. Under Security > Logon > Active Directory/Kerberos, activate Smartcard.
  2. Under Smartcard removal action, define what should happen when the smartcard is removed:
    • Log out: Performs a disconnect or log out of running sessions, removes all user related data from the device and prepares the device for the next user login.
    • Lock device: Locks the screen during sessions. Only the user who is already logged in can unlock the device with his smartcard and PIN. Additionally, select User password under User Interface > Screenlock / Screensaver > Options, to make the setting effective.
  3. Choose an appropriate PKCS#11 module under Security > Smartcard > Middleware.

    The smartcards for this login must be supported by a PKCS#11 module which can access the certificates on the smartcard.

Kerberos login with a smartcard involves certificates. The root certificate of the certificate used by the key distribution center (domain controller) must therefore be available on the device. Either the root certificate is one of the public trusted certificate authorities or it must be deployed to the device, see Deploying Trusted Root Certificates.

When using Windows 2000 or Windows Server 2003-based domain controllers in combination with smartcard login, the parameter auth.krb5.realms.pkinit.pkinit_win2k has to be activated in the registry. This enables the use of an earlier protocol version of PKINIT preauthentication.