Cryptographic tokens - Kerberos

With cryptographic tokens, the user is authenticated at the SafeGuard POA by the certificate stored on the token. To log on to the system, users only have to enter the token PIN.
Note: Cryptographic tokens cannot be used for unmanaged endpoints.

You have to provide users with fully issued tokens. For further information, see Configure token use.

Basic certificate requirements:

Note: In case of logon problems with a Kerberos token, neither Challenge/Response nor Local Self Help is available for logon recovery. Only the Challenge/Response procedure using Virtual Clients is supported. It enables users to regain access to encrypted volumes on their endpoints.