1.1 How NESCM Works

The login method consists of two components: the server module and the client module. The appropriate modules are loaded during the authentication process by the NMAS server and client components.

During authentication, the client module enumerates the certificates available on the attached smart card and sends them to the server module. The server module chooses a certificate to use for authentication, based on the configuration and validation checks.

After selecting the login certificate, the server module generates a random challenge and sends it to the client module to confirm that the user possesses the private key associated with the certificate. The client module uses the smart card to sign the challenge, encrypting the result with the private key using RSA public/private key encryption. Upon receiving the result, the server decrypts the data with the certificate's public key and validates the challenge. If no valid certificate is found, or the challenge does not validate, the login attempt fails. For more information on how the method works, see Section C.0, How the Authentication Works.
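The challenge-response step described above, as an added example that is not part of the NESCM documentation or product code: the server issues a fresh random challenge, the client has the card's private key sign it, and the server verifies the signature with the public key taken from the selected certificate. The simulated card, the self-signed test certificate and the use of RSA PKCS#1 v1.5 with SHA-256 are assumptions of this example, not details taken from the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// simulatedCard stands in for the smart card (hypothetical): the private key never leaves it.
type simulatedCard struct{ key *rsa.PrivateKey }

// Server side: a fresh random challenge, valid for this login attempt only.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Client side: the card signs SHA-256(challenge) with the private key behind the certificate.
func (s simulatedCard) signChallenge(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, h[:])
}

// Server side: the selected certificate's public key must verify the signature over the challenge
// the server itself issued; a signature over any other value (for example a replay) fails the login.
func verifyResponse(cert *x509.Certificate, challenge, sig []byte) error {
	return cert.CheckSignature(x509.SHA256WithRSA, challenge, sig)
}

// makeCardAndCert builds a throwaway key pair and self-signed certificate (constructed test data).
func makeCardAndCert() (simulatedCard, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return simulatedCard{}, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-user"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return simulatedCard{}, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return simulatedCard{key}, cert, err
}
```

Because the challenge is random and single-use, a captured response cannot be replayed against a later login: it only verifies against the exact challenge it was signed over.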