Thread-topic: [Fed-Talk] CAC Login and Active Directory

The Apple smart card login circumvents Apple's Active Directory plug-in
authentication stuff. It circumvents the normal ADmitMac plug-in
authentication stuff too. I believe that it only checks to see if the card
matches an account in a directory service, then allows login. I don't think
it even validates certificates on the card (revocation lists).

With ADmitMac, we have added an additional plug-in to the login process
where we do the authentication using Kerberos PKINIT. We also have other
logic to handle cases when the Mac is not connected to a network.

Thursby has been working closely with the Army NETCOM on a thorough set of
requirements for login. ADmitMac for CAC will meet these requirements when
it is out of BETA, and meets almost all of them in the BETA kit that is
available now.

Paul Nelson
Thursby Software Systems, Inc.

on 7/26/06 8:03 AM, Timothy J. Miller at email@hidden wrote:

> Brochner, Ruben CTR DTIC Z wrote:
>> I would like to enable CAC login for Macintosh with Macs that authenticate
>> using Active Directory.
>
>> Can this be done WITHOUT the addition of third-party software?
>
> Not yet. It remains to be seen if Leopard will add the capability.
> ADmitMac with CAC is the only game in town at the moment.
>
> Bear in mind that there's a difference between using AD for
> authorization (which is what Shawn's instructions were doing) and using
> AD for authentication (via Kerberos PKINIT, which is what ADmitMac is
> doing). The former won't get you your Kerberos tickets so you won't be
> able to access AD-controlled resources.
>
> -- Tim
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
> http://lists.apple.com/mailman/options/fed-talk/email@hidden
>
> This email sent to email@hidden