30 September,16 at 03:30 PM
Applies to: All versions of Centrify DirectControl using smart cards
Question:
AD users are able to authenticate and login with their PIV cards. When the certificate is renewed, the user can no longer login with the PIV card and the login shakes.
How can renewed certificates be re-accepted on the systems?
Answer:
Run the following commands to clear out any cached tokens:
sudo rm -rf /var/db/TokenCache/tokens
sudo mkdir /var/db/TokenCache/tokens
Remove and re-insert the card, the system should re-cache the certificates from the card with the updated information.
See the following KB for other smart card troubleshooting tips:
KB-1617: Troubleshooting smart card issues on Mac systems
[Labs] Using YubiKey (PIV or OATH OTP) to Secure Centrify Identity Service and Privilege Service
KB-3348: How to distinguish between CAC and PIV certificates on CAC-NG cards
KB-2466: No PIN prompt when using Smart Card
[Howto] Set up Centrify Identity Service or Privilege Service for MFA using Smart Card
[Labs] New Series: Strong Authentication using Centrify/MS PKI/OATH for Servers, Apps, SAPM/PSM
KB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0)
[Labs] Using Centrify+AD+YubiKey to secure UNIX/Linux access with Strong Authentication
KB-3242: sctool commands for Centrify smart card support