Re: More CAC issues [was- [Fed-Talk] PKINIT and Kerberos
- Subject: Re: More CAC issues [was- [Fed-Talk] PKINIT and Kerberos
- From: "Timothy J. Miller" <email@hidden>
- Date: Tue, 15 Nov 2005 16:17:47 -0600
Monahan, Jim (Contractor) wrote:
> Prior to moving to AD, we used v2 of the activecard client, which
> provided the ability to program the user's ID, password, and domain on
> the card. We did so; when they inserted the card at the login screen,
> Windows asked for the PIN, then read the UID/pw/domain from the CAC card.

Oh dear lord, that old hack?

That wasn't PKI-enabled logon. The AF *very* briefly did the same, and
rescinded it because, frankly, there's no security benefit.

> When we converted to AD, we removed v2 and installed v3 of the
> activecard software.
> Activecard 3 does not have the option to configure uid/pw/domain,
> or as you stated, that function may have been disabled or removed by
> 'others'.
> Lacking that configuration option, I made the logical leap that in order
> to be able to log in via CAC, another version of activecard will be
> needed, and that we will have to touch every machine to configure the
> users' cards, etc.

Enabling smartcard logon (which uses the PKINIT draft extension to
Kerberos) takes place on the domain. So long as users have CACs, PINs,
some version of middleware, and readers, they shouldn't have to do
anything once it's been done in the domain.
-- Tim
Fed-talk mailing list (email@hidden)