1.0 Overview

The Novell® Enhanced Smart Card Method (NESCM) is a Novell Modular Authentication Services (NMAS™) method that provides smart-card-based authentication to eDirectory™. Smart card authentication is a two-factor authentication technique: something you know (smart card PIN) and something you have (smart card).

The login method consists of two components: the server module and the client module. The appropriate modules are loaded during the authentication process by the NMAS server and client components.

During authentication, the client module enumerates the certificates available on the attached smart card and sends them to the server module. The server module chooses a certificate to use for authentication based on the configuration and validation checks.

After selecting the login certificate, the server module generates a random challenge and sends it to the client module to confirm that the user possesses the private key associated with the certificate. The client module uses the smart card to sign the challenge with that private key (an RSA private-key operation performed on the card). Upon receiving the result, the server verifies it with the certificate's public key (the RSA decrypt operation) and checks that the recovered challenge matches the one it sent. If a valid certificate is not found or the challenge is not validated, the login attempt fails.
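The exchange described in the two paragraphs above, written out as an added example in Go; it is not part of this documentation or of NESCM's own code. The simulated card with a single self-signed certificate, the 32-byte challenge, the SHA-256 with PKCS#1 v1.5 signature scheme, and the selection rules (validity window, digital-signature key usage, RSA key) are assumptions chosen for illustration; the real method's certificate selection is driven by its configuration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Card stands in for the smart card (assumption: one RSA key, one certificate).
// The private key never leaves the Card; only signatures do, which is what the
// server relies on when it proves possession of the key.
type Card struct {
	priv  *rsa.PrivateKey
	certs [][]byte // DER certificates the client module would enumerate
}

// NewCard builds a simulated card holding a self-signed certificate for cn.
func NewCard(cn string, notAfter time.Time) (*Card, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, certs: [][]byte{der}}, nil
}

// Sign is the only operation the card exposes: a PKCS#1 v1.5 signature over
// SHA-256(challenge) made with the on-card private key.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, c.priv, crypto.SHA256, h[:])
}

// SelectCertificate mirrors the server module's validation checks on the
// enumerated certificates: the first one that parses, is inside its validity
// window, permits digital signatures and carries an RSA key is chosen.
func SelectCertificate(ders [][]byte, now time.Time) (*x509.Certificate, error) {
	for _, der := range ders {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			continue
		}
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			continue
		}
		if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
			continue
		}
		if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
			continue
		}
		return cert, nil
	}
	return nil, errors.New("no usable certificate found on card")
}

// NewChallenge produces the server's random 32-byte challenge; a fresh value
// per login is what prevents a captured response from being replayed.
func NewChallenge() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}

// VerifyResponse checks the card's signature with the public key taken from
// the selected certificate; a signature over any other challenge fails.
func VerifyResponse(cert *x509.Certificate, challenge, sig []byte) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// Authenticate runs the full exchange: select certificate, issue challenge,
// have the card sign it, verify. It returns the authenticated user's CN.
func Authenticate(card *Card, now time.Time) (string, error) {
	cert, err := SelectCertificate(card.certs, now)
	if err != nil {
		return "", err
	}
	challenge, err := NewChallenge()
	if err != nil {
		return "", err
	}
	sig, err := card.Sign(challenge)
	if err != nil {
		return "", err
	}
	if !VerifyResponse(cert, challenge, sig) {
		return "", errors.New("challenge not validated")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	card, err := NewCard("alice", time.Now().Add(365*24*time.Hour)) // constructed card
	if err != nil {
		panic(err)
	}
	user, err := Authenticate(card, time.Now())
	fmt.Println("user:", user, "err:", err)
}
```

The two failure paths the overview names are both visible here: an expired or otherwise unsuitable certificate is rejected by SelectCertificate before any challenge is issued, and a signature that does not match the freshly generated challenge is rejected by VerifyResponse.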

The method supports disconnected or local Windows* workstation logins. Disconnected support allows the smart card to be used for a local workstation login, when the eDirectory identity store isn't available. This is useful in situations where network connectivity isn't always available, such as for laptop users.

The method can also be configured to monitor the smart card reader device. Upon smart card removal, the method can be configured to lock the workstation, log off the workstation, or take no action.