1.1 How NESCM Works

The login method consists of two components: the server module and the client module. The appropriate modules are loaded during the authentication process by the NMAS server and client components.

During authentication, the client module enumerates the certificates available on the attached smart card and sends them to the server module. The server module chooses a certificate to use for authentication, based on the configuration and validation checks.

After selecting the login certificate, the server module generates a random challenge and sends it to the client module so that the client can prove that the user possesses the private key associated with that certificate. The client module has the smart card sign the challenge with that private key (an RSA private-key operation performed on the card itself, so the key never leaves the card) and returns the result to the server. The server module applies the public key from the certificate to the result (the RSA public-key operation, which the method describes as decrypting) and checks that it matches the challenge it sent. Because each challenge is freshly generated, a captured response is of no use for a later login attempt. If no valid certificate is found, or the challenge is not validated, the login attempt fails. For more information about how the method works, see Section C.0, How Authentication Works.
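The exchange described above, as an added example that is not NESCM's own code nor part of any NMAS module: a Go model of both sides of the protocol. The client side enumerates the card's certificates and performs the on-card signing; the server side selects a certificate, generates the random challenge and verifies the response with the certificate's public key. The names (Card, SelectCertificate, VerifyResponse, Authenticate), the validation checks used for selection (validity period, RSA key, digital-signature key usage), the signature scheme (PKCS#1 v1.5 over SHA-256) and the in-memory certificates built by NewTestCard are all assumptions made for this illustration; the page does not specify them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Card models what the client module sees on the smart card: enumerable certificates
// plus a private-key operation per certificate (keys sit in a map only in this model).
type Card struct {
	Certs []*x509.Certificate
	keys  map[string]*rsa.PrivateKey // indexed by certificate serial number
}

// Sign is the on-card private-key operation over the server's challenge. The
// scheme (PKCS#1 v1.5 over SHA-256) is an assumption; the page does not name one.
func (c *Card) Sign(cert *x509.Certificate, challenge []byte) ([]byte, error) {
	key, ok := c.keys[cert.SerialNumber.String()]
	if !ok {
		return nil, errors.New("card holds no private key for this certificate")
	}
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// SelectCertificate is the server module's choice: the first enumerated certificate that
// is inside its validity period, allowed to sign, and carries an RSA key (assumed checks).
func SelectCertificate(certs []*x509.Certificate, now time.Time) (*x509.Certificate, error) {
	for _, cert := range certs {
		_, isRSA := cert.PublicKey.(*rsa.PublicKey)
		if isRSA && !now.Before(cert.NotBefore) && !now.After(cert.NotAfter) &&
			cert.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
			return cert, nil
		}
	}
	return nil, errors.New("no valid login certificate found")
}

// VerifyResponse is the server-side check: the public key in the selected
// certificate must verify the card's signature over the challenge that was sent.
func VerifyResponse(cert *x509.Certificate, challenge, response []byte) bool {
	digest := sha256.Sum256(challenge)
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], response) == nil
}

// Authenticate runs the exchange end to end and returns the subject of the
// certificate whose private key answered the challenge.
func Authenticate(card *Card, now time.Time) (string, error) {
	cert, err := SelectCertificate(card.Certs, now) // client enumerates, server selects
	if err != nil {
		return "", err
	}
	challenge := make([]byte, 32) // fresh per attempt, so a captured response cannot be replayed
	if _, err := rand.Read(challenge); err != nil {
		return "", err
	}
	response, err := card.Sign(cert, challenge) // server -> client -> server
	if err != nil {
		return "", err
	}
	if !VerifyResponse(cert, challenge, response) {
		return "", errors.New("challenge not validated")
	}
	return cert.Subject.CommonName, nil
}

// addCert puts a constructed in-memory certificate with a fresh key on the card
// (test data for this example, not a real certificate or chain).
func (c *Card) addCert(cn string, serial int64, notBefore, notAfter time.Time) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	cert := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		PublicKey:    &key.PublicKey,
	}
	c.Certs = append(c.Certs, cert)
	c.keys[cert.SerialNumber.String()] = key
}

// NewTestCard holds an expired certificate first, then a valid login certificate,
// so a run shows the server skipping the expired one and accepting "alice".
func NewTestCard(now time.Time) *Card {
	card := &Card{keys: map[string]*rsa.PrivateKey{}}
	card.addCert("expired", 1, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	card.addCert("alice", 2, now.Add(-time.Hour), now.Add(24*time.Hour))
	return card
}
```

Calling Authenticate(NewTestCard(now), now) returns "alice": the expired certificate is enumerated but not selected, and the valid one answers the challenge. The two failure paths from the text are visible in the code: SelectCertificate returns an error when no certificate passes the checks, and VerifyResponse returns false when the response was made with a different private key or for a different challenge, so a recorded response cannot be replayed.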