For using the Smartcard login method, some additional configuration is necessary:

  1. Under Security > Logon > Active Directory/Kerberos, activate Smartcard.
  2. Under Smartcard Removal Action, define what should happen when the smartcard is removed:
  3. Choose an appropriate PKCS#11 module from the list. If you are using IGEL Linux version 5.10 or higher, go to Security > Smartcard > Middleware to select a PKCS#11 module.

    The smartcards for this login must be supported by a PKCS#11 module which can access the certificates on the smartcard.

Kerberos log-in with a smartcard involves certificates. The root certificate of the certificate used by the key distribution center (domain controller) must therefore be available on the thin client. Either the root certificate is one of the public trusted certificate authorities or it must be deployed to the thin client, see the How-To Deploying Trusted Root Certificates.

When using Windows 2000 or Windows Server 2003-based domain controllers in combination with smartcard log-on, the parameter auth.krb5.realms.pkinit.pkinit_win2k has to be activated in the registry. This enables the use of an earlier protocol version of PKINIT preauthentication.