When logging in to the TPAM web interface, a user is prompted to log in with their certificate, even if this is not configured on their user account.
The user does not have a "Certificate Thumbprint" set but still sees certificate / smartcard prompts or pop-ups such as:
"Confirm this certificate by clicking OK. If this is not the correct certificate click Cancel"
"Microsoft Smart Card Provider
Please Enter your PIN."
At login the browser will prompt a user to select a certificate / enter a PIN if both of the following conditions are true:
- Client certificate(s) are present on the user’s computer (including on a Smartcard or from other sources such as Entrust)
- The corresponding certificate authority (CA) certificate has been uploaded to TPAM.
This initial prompt only depends on the fact that TPAM’s SSL/webserver configuration accepts client certificates.
It does not matter that the specific user isn’t configured for certificate authentication or that their client certificate isn’t mapped, because TPAM does not know the user at this point.
Following the initial prompt, the user will be presented with the normal login page under ANY of the following conditions.
1. User isn’t configured for certificate auth, or
2. User’s cert isn’t mapped in TPAM, or
3. User cancels certificate selection or PIN prompt
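
To check from a workstation which certificates would cause the initial prompt, the following added example (not part of the original article or of TPAM) parses the "Acceptable client certificate CA names" section that `openssl s_client` prints and compares it with the issuers of the certificates in a user's store. It assumes the server lists its accepted CA names during the TLS handshake and that the browser only offers certificates whose issuer is on that list. The sample output, CA names and certificate store are constructed.

```python
import re

# Constructed sample of `openssl s_client -connect <tpam-host>:443` output
# (host and CA names are placeholders, not values from the article).
SAMPLE = """\
CONNECTED(00000003)
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Smartcard Issuing CA
C = US, O = Example Corp, CN = Example Root CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 4312 bytes and written 421 bytes
"""

HEADER = "Acceptable client certificate CA names"
# Lines that s_client prints after the CA list; any of them ends the section.
END = ("---", "Client Certificate Types:", "Requested Signature Algorithms:",
       "Shared Requested Signature Algorithms:", "Peer sign", "Server Temp Key:")

def norm(dn):
    """Normalise a printed DN so spacing and case differences do not matter."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()

def advertised_cas(s_client_output):
    """Return the CA names the server lists in its certificate request."""
    names, collecting = [], False
    for line in s_client_output.splitlines():
        if line.strip() == HEADER:
            collecting = True
        elif collecting:
            if not line.strip() or line.startswith(END):
                break
            names.append(line.strip())
    return names

def certs_that_trigger_prompt(s_client_output, local_certs):
    """local_certs maps a label to its issuer DN; returns the labels on offer."""
    accepted = {norm(n) for n in advertised_cas(s_client_output)}
    return sorted(k for k, issuer in local_certs.items() if norm(issuer) in accepted)

if __name__ == "__main__":
    store = {  # constructed client certificate store
        "smartcard": "C=US, O=Example Corp, CN=Example Smartcard Issuing CA",
        "vpn": "C=US, O=Other Org, CN=Other CA",
    }
    print(advertised_cas(SAMPLE))
    print(certs_that_trigger_prompt(SAMPLE, store))
```

An empty result means no certificate in the store matches an advertised CA, so under the stated assumptions no selection or PIN prompt is expected before the normal login page.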