Enterprise editions of Client Automation support two-way authentication using smart cards. SSL must be enabled for smart card authentication.
As part of the smart card login process, the user must select a certificate that matches a trusted certificate in the Core Server truststore. The process of validating this certificate against the user in the directory consists of the following checks:
The subject distinguished name (subjectdn) value of the certificate is obtained. A check is performed to determine if the subjectdn matches the equivalent userdn in one of the mounted directories where authentication is enabled. If so, the user is eligible to log in. If not, the altsubjectname check is performed.
The alternate subject name (altsubjectname) value of the certificate is obtained. A check is performed to determine if the altsubjectname matches the AD userprincipalname in one of the mounted directories where authentication is enabled. If so, the user is eligible to log in. If not, the email address check is performed.
It is determined if the certificate has an emailaddress value in the subjectdn. If available, a check is performed to determine if it matches the mail attribute in one of the mounted directories where authentication is enabled. If so, the user is eligible to log in. If not, the usercertificate match is performed.
A check is performed to determine if the usercertificate matches the usercertificate attribute in one of the mounted directories where authentication is enabled. If so, the user is eligible to log in. If not, login fails.
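The order of these four checks can be modeled as follows. This is an added example, not code from Client Automation; the dictionary field names, the sample directories, and the comparison rules (case-insensitive, whitespace-trimmed) are assumptions made for illustration.

```python
# Added illustration of the four-step fallback described above; not product code.
# Field names and the comparison rules (case-insensitive, whitespace-trimmed DNs)
# are assumptions; the product's exact matching rules are not documented here.
import re

def norm_dn(dn):
    """Normalize a DN for comparison: trim around commas and '=', lowercase."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return ",".join("=".join(s.strip() for s in p.split("=", 1)).lower() for p in parts)

def email_from_dn(dn):
    """Return the emailaddress RDN value from a subject DN, or None."""
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, val = rdn.partition("=")
        if key.strip().lower() in ("emailaddress", "e"):
            return val.strip().lower()
    return None

def match_user(cert, directories):
    """Return (userdn, rule) for the first check that matches, else (None, 'login fails')."""
    # Only mounted directories with authentication enabled are searched.
    users = [u for d in directories if d["auth_enabled"] for u in d["users"]]
    email = email_from_dn(cert["subjectdn"])
    upn = (cert.get("altsubjectname") or "").lower()
    checks = [
        ("subjectdn", lambda u: norm_dn(u["userdn"]) == norm_dn(cert["subjectdn"])),
        ("altsubjectname", lambda u: bool(upn) and u.get("userprincipalname", "").lower() == upn),
        ("emailaddress", lambda u: email is not None and u.get("mail", "").lower() == email),
        ("usercertificate", lambda u: cert["der"] in u.get("usercertificate", [])),
    ]
    for rule, test in checks:  # order matters: the first check that matches wins
        for u in users:
            if test(u):
                return u["userdn"], rule
    return None, "login fails"

# Constructed sample data (not from any real directory).
DIRS = [
    {"auth_enabled": False, "users": [{"userdn": "CN=Ann,OU=Staff,DC=example,DC=com"}]},
    {"auth_enabled": True, "users": [
        {"userdn": "CN=Bob,OU=Staff,DC=example,DC=com", "userprincipalname": "bob@example.com",
         "mail": "bob@example.com", "usercertificate": [b"\x30\x82BOB"]},
        {"userdn": "CN=Eve,OU=Staff,DC=example,DC=com", "mail": "eve@example.com"}]},
]
```

Returning the rule that matched alongside the user makes it possible to record in an audit log which certificate attribute a given login was accepted on.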
For additional instructions on SSL, policy, and directory services, see the HP Client Automation Enterprise SSL Implementation Guide.