Re: More CAC issues [was- [Fed-Talk] PKINIT and Kerberos
- Subject: Re: More CAC issues [was- [Fed-Talk] PKINIT and Kerberos
- From: Dalton Hamilton <email@hidden>
- Date: Wed, 16 Nov 2005 08:00:57 +0100
I work at LRMC and they are part of the AD cloud; however, our Apple
users don't join the AD domain because we've never wanted to.
For mail, I first started using Entourage to our Exchange 2000 server
but then they blocked port 80. I then configured Entourage to
connect to the http: web address of our Exchange 2000 server.
However, Entourage gave me problems in a few areas, was extremely
slow, not to mention it had no Spotlight support to search through my
thousands of emails. So, I decided to use Apple Mail.
I've always liked Apple Mail better: it is faster, implements
threads, and is more reliable. It also connects fine to Exchange
servers; however, our Exchange server did not have IMAP enabled. I
then moved my email account to AKO and all worked great. I can now
use Apple Mail to send and receive signed and encrypted email and it
is wonderful to be able to use Spotlight to find historical emails
that I need. When I first switched to AKO, I too received an
electronic warning that I was using too much disk space and got
warnings that I was over my space limit. A quick change to Mail
preferences to not store sent and deleted emails on the server fixed
that.
As for printing, as mentioned earlier by someone else, I print
directly to the printer -- be it HP LaserJet, HP MultiFunction, and
IP directly to our plotter. Why go through a Windows (or any AD
resource) print queue to print -- doesn't make sense to me.
As for shares, this also works for us. Though our systems don't join
the AD domain, we, as users, still have AD accounts and are able to
use those accounts to connect to Windows shares. Of course our Linux
and OSX Server shares are not part of the AD either.
We have no plans to join the AD domain.
I guess there must be a reason why you join. Today, I'm happy to not
be required to join. Windows users are always complaining about the
AD problems.
-----------------------------------------------------------------
Dalton Hamilton
if(1)
OSX
On Nov 15, 2005, at 11:17 PM, Timothy J. Miller wrote:
Monahan, Jim (Contractor) wrote:
Prior to moving to AD, we used v2 of the activecard client, which
provided the ability to program the users ID, password, and domain
on the card. We did so; when they inserted the card at the login
screen, Windows asked for the PIN, then read the UID/pw/domain
from the CAC card.
Oh dear lord, that old hack?
That wasn't PKI-enabled logon. The AF *very* briefly did the same,
and rescinded it because, frankly, there's no security benefit.
When we converted to AD, we removed v2 and installed v3 of the
activecard software.
Activecard 3 does not have the option to configure uid/pw/domain,
or as you stated, that function may have been disabled or removed
by 'others'.
Lacking that configuration option, I made the logical leap that in
order to be able to login via CAC, another version of activecard
will be needed, and that we will have to touch every machine to
configure the users' cards, etc.
Enabling smartcard logon (which uses the PKINIT draft extension to
Kerberos) takes place on the domain. So long as users have CACs,
PINs, some version of middleware, and readers, they shouldn't have
to do anything once it's been done in the domain.
-- Tim
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden