Using the TokenD library with smartcards prevents multiple users from logging in. When a second user inserts their smartcard, the Mac prompts for the first user's PIN rather than the current user's.
In an effort to speed up smartcard authentication, OS X creates a cache in /private/var/db/TokenCache/tokens. However, this cache only holds an entry for one user. When a new user inserts their smartcard, TokenD reads the information directly from that cache and ignores the information on the smartcard.
This only happens when vas.conf has the following setting:
[pkcs11]
pkcs11-lib = /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so
Currently that is the only pkcs11 library known to have this issue. The pkcs11 libraries provided by Quest in /opt/quest/lib do not have this issue.
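Added example, not One Identity's code: a POSIX shell check that reads the [pkcs11] section of a vas.conf, reports whether it selects tokendPKCS11.so (the affected setting above), and counts the entries currently in the TokenCache directory. The vas.conf path is passed as an argument; the function names and the sample file it constructs are assumptions, not part of the product.

```shell
#!/bin/sh
# Added check, not One Identity's code: tell whether a vas.conf selects the
# TokenD PKCS#11 library (the [pkcs11] setting this article ties to the stale
# TokenCache behaviour) and how many entries the cache directory holds.
# Print the pkcs11-lib value from the [pkcs11] section of an INI-style vas.conf.
vas_pkcs11_lib() {
    awk -F= '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
        sec == "pkcs11" {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "pkcs11-lib") {
                val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# Exit 0 when vas.conf points at tokendPKCS11.so (the affected configuration),
# 1 for any other library, such as the Quest libraries under /opt/quest/lib.
vas_uses_tokend() {
    case "$(vas_pkcs11_lib "$1")" in
        */tokendPKCS11.so) return 0 ;;
        *) return 1 ;;
    esac
}

# Count top-level entries in a TokenCache directory (0 when it does not exist);
# these are the entries the article's logout script removes.
token_cache_entries() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# Constructed sample vas.conf (not a real host's file); prints the temp file path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[vasd]
# constructed sample; only the [pkcs11] section matters for this check
[pkcs11]
pkcs11-lib = /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so
EOF
    echo "$f"
}

# Usage: sh tokend-check.sh <path-to-vas.conf>
if [ -n "${1:-}" ]; then
    if vas_uses_tokend "$1"; then echo "affected: tokendPKCS11.so selected"; else echo "not affected"; fi
    echo "TokenCache entries: $(token_cache_entries /private/var/db/TokenCache/tokens)"
fi
```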
WORKAROUND
1 - Create a text file called clear-cache.sh. Make sure it has the .sh extension and that the editor does not append .txt to it. Put the following in the file:
#!/bin/sh
# Remove every cached token entry so the next smartcard insert is read from the card itself
rm -rf /private/var/db/TokenCache/tokens/*
2 - In Microsoft Group Policy Manager:
Computer Configuration -> Policies -> Mac OS X Settings -> Workgroup Manager Settings -> Login
Then click on the Scripts tab
Select the Always radio button
Then select the Log-Out Script: check box
Then click the ellipsis (...) button and browse to the file that was created in step 1.
3 - Once VGP updates the computer policy in the next cycle, the logoff script will start clearing out the TokenD cache when users log off.