Client certificate authentication (SECURE_LOGIN, SECURE_PASSWORD)

These settings are available only when configuring an FTP server.

Use these settings to indicate whether the FTP server requires client authentication.

These settings apply to both TLS and Kerberos; however, only the "Verify client user ID" selection modifies the behavior for Kerberos. Also note that the term "certificate" is TLS terminology. In Kerberos terminology, the equivalent of a certificate is a ticket, which contains credentials.

"Require client certificate authentication"
Check to indicate you want the server to authenticate client certificates.

This selection does not affect Kerberos behavior. Kerberos always processes the client's ticket.

For TLS, client certificate authentication occurs during the SSL handshake. To pass authentication, the Certificate Authority (CA) that signed the client certificate must be trusted by the server: a certificate for the CA that issued the client certificate must be listed as trusted in the server's keyring.

"Verify client user ID"
Check to indicate that, in addition to client certificate authentication, the user's ID is further verified.

For TLS: For Kerberos the user ID in the client's ticket is verified to match the login user ID.

"Do not prompt for a password"
Check to indicate the client certificate authentication process is used to eliminate the login password prompt. A client supplies only the login user ID to establish the session.

This setting is applicable only to TLS.

The certificate received from the client must be registered in the security product and must be associated with the login user ID. You can use the RACDCERT ADD command to register and associate the certificate.

If the certificate is either not registered or not associated with the user ID, the user is prompted for a password. However, if you checked "Verify client user ID", the login fails because the user ID could not be verified.
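
The two RACF prerequisites described above (a trusted CA certificate in the server's keyring, and a client certificate registered to the login user ID) can be set up as follows. This is an added example, not part of the original documentation; the user IDs FTPD and USER1, the ring name FTPRING, the data set names and the labels are constructed placeholders.

```tso
/* Constructed names: FTPD = user ID the FTP server runs under,       */
/* FTPRING = its keyring, USER1 = the login user ID. Data set names   */
/* and labels are placeholders.                                       */

/* 1. Add the CA that signed the client certificates as a trusted     */
/*    certificate authority and connect it to the server's keyring.   */
RACDCERT CERTAUTH ADD('SECADM.CLIENTCA.CRT') WITHLABEL('Example Client CA') TRUST
RACDCERT ID(FTPD) CONNECT(CERTAUTH LABEL('Example Client CA') RING(FTPRING) USAGE(CERTAUTH))

/* 2. Register the client's certificate and associate it with the     */
/*    login user ID.                                                  */
RACDCERT ID(USER1) ADD('SECADM.USER1.CRT') WITHLABEL('USER1 FTP client') TRUST

/* 3. Refresh the in-storage profiles (needed only when the DIGTCERT  */
/*    class is RACLISTed), then confirm both results.                 */
SETROPTS RACLIST(DIGTCERT) REFRESH
RACDCERT ID(USER1) LIST(LABEL('USER1 FTP client'))
RACDCERT ID(FTPD) LISTRING(FTPRING)
```

In the LIST output, check that the certificate status is TRUST and that the owner is the intended login user ID; a certificate associated with the wrong user ID leads to the password prompt or login failure described above.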