Hi folks,

I’m trying to make SmartCard authentication work against Windows AD without the need for middleware. In theory, it should be possible; we only need to configure /etc/cacloginconfig.plist to match the user from the SmartCard. I’ve set up this config file really simply:

    <key>fields</key>
    <array>
        <string>NT Principal Name</string>
    </array>
    <key>formatString</key>
    <string>$1</string>
    <key>dsAttributeString</key>
    <string>dsAttrTypeNative:userPrincipalName</string>

And when I insert the card at the login window, I get the right user. However, and I don’t know why, the authentication isn’t accepted. The PIN field shakes just as if my PIN code were wrong (which is not the case).

I’ve set up a TCP wiretap between the client and the Windows Server, and when I hit enter, I see network traffic with LDAP and MS GC requests (with the right UPN inside). My thought is that the requirements to validate authentication aren’t met. But I don’t know the requirements.

Does anyone know how /etc/cacloginconfig.plist-based authentication is supposed to work? What are the authentication steps, and what should be set on the AD to handle cert-based authentication?

Best regards,
Yoann.