RE: [Fed-Talk] RE: Authentication of OS X using CAC cards against Active Directory
- Subject: RE: [Fed-Talk] RE: Authentication of OS X using CAC cards against Active Directory
- From: "Monahan, Jim CONT ATSC" <email@hidden>
- Date: Thu, 29 Jun 2006 12:25:21 -0400
AD inclusion depends on your DOIM. Ours is not allowing Macs to join the AD.
If LSA security is set to level 3 or higher, OS X will not be able to connect to Windows shares without 3rd party software.
(If you use Virtual PC, it *can* log in via AD and access shares.)
If LSA is set to high, when attempting to access a network share, you will get an error message similar to:
"The login credentials supplied are incorrect. Make sure your username and domain are correct, then type your password again"
From 2004/2005 messages in this forum:
For those that were following the thread, here's the "official" [published internally] reason why Macs will not be allowed on our local AD network:
Latest Active Directory Compliance Requirements
Abstract: The DOIM has released the latest Active Directory Compliance Requirements.
Please note - no MACs or Linux machines or dual booted systems allowed.
LINUX & MACS: will not migrate, and will only be able to talk while NTLM is low.
(NTLM is an authentication protocol used in various Microsoft network protocol
implementations and supported by the NTLM Security Support Provider
("NTLMSSP"). Originally used for authentication and negotiation of secure DCE/RPC,
NTLM is also used throughout Microsoft's systems as an integrated single sign-on
mechanism.)
Currently ATSCNET users are at NTLM level 3, which allows communication with the
Mac clients and Linux. Once we move into Active Directory we will be at Level 5,
which doesn't allow communications with Linux or Macs.
And
"Dual boot systems will not migrate (to AD)"
======
There is a techcon notice stating Macs are indeed allowed.
Another Army IT document provides instructions detailing step by step configuration for inserting a Mac in the AD.
BUT
The techcon I reference also gives local DOIM(s) the ultimate say-so.
If you search the archives here, you'll find the details of the fight I had.
In the meantime, I'll root around and find the dates/document names/sources I know are somewhere on my HD.
Try this:
http://doim.army.mil/Techcon.html
>> On Dec 20, 2005, at 12:04 PM, Ide, Douglas Mr USACFSC wrote:
>>
>> A question: Can someone from Apple tell us exactly what the
>> holdup is in getting official approval for Macs to connect to our AD domains?
>> We've been hearing for quite some time now that it would happen "soon." No
>> one tells us exactly what the hold up is. What's the problem? Why hasn't it
>> happened yet? Is it going to happen within the next month, six months, year?
>> "Soon" no longer really satisfies.
We are being told there is nothing inherently preventing the Mac from connecting to AD - Netcom is OK with it, to the extent they provide documentation for an 'approved baseline system' (including software) for both Windows and Mac platforms.
But Netcom is apparently leaving it up to local DOIMs to determine if they will allow it.
Local DOIMs, in turn, are passing the choice to local commanders.
=====================
Jim Monahan
Network Systems Engineer
RSI, Inc, A CIBER Company
Army Training Support Center
mailto:email@hidden
-----Original Message-----
From: fed-talk-bounces+jim.monahan=email@hidden [mailto:fed-talk-bounces+jim.monahan=email@hidden] On Behalf Of Wade, William J.
Sent: Thursday, June 29, 2006 12:07 PM
To: 'email@hidden'
Cc: Ho, Jim; Cantrell, Brandon M.
Subject: [Fed-Talk] RE: Authentication of OS X using CAC cards against Active Directory
Good morning:
I wanted to say thanks to the folks that responded to my questions. We were able to get the CAC card to work on 10.4 yesterday. I really appreciate it.
My next question is regarding Active Directory. I have researched and found the way to join a Mac to the Active Directory domain. I have not found any information that would use the CAC as authentication to the Active Directory domain. The closest that I have found was a white paper written by Mike Bombich. I skimmed through it and did not find any references to Smart Cards. If anyone has any information I would greatly appreciate it. Again, thank you very much for your help.
Bill
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
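The NTLM "levels" the messages above refer to are the values of the LmCompatibilityLevel registry value (REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), which the Group Policy setting "Network security: LAN Manager authentication level" writes. The following Python model is added here as an illustration and is not code from any message on the list; it encodes Microsoft's documented meaning of each value (which response types a Windows client sends, which ones a domain controller accepts) and checks whether a client offering a given set of response types can authenticate against a server at a given level. The two sample clients it evaluates (a legacy client that offers only LM and NTLMv1, and an NTLMv2-capable client) are assumptions for illustration, not a statement about any particular OS X, Samba or Linux version.

```python
"""Model of the Windows LmCompatibilityLevel policy (values 0..5).

Added example for the Fed-Talk thread; not code from the list or from Microsoft.
Registry location (documented): HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa,
REG_DWORD LmCompatibilityLevel. The send/accept sets below follow Microsoft's
description of the "Network security: LAN Manager authentication level" policy.
"""

from typing import FrozenSet

LM = "LM"          # LanManager response (weak, DES over a 14-char upper-cased password)
NTLMV1 = "NTLMv1"  # NTLM response
NTLMV2 = "NTLMv2"  # NTLMv2 response (HMAC-MD5, client challenge, timestamp)

ALL_LEVELS = range(0, 6)


def _check_level(level: int) -> None:
    if level not in ALL_LEVELS:
        raise ValueError(f"LmCompatibilityLevel must be 0..5, got {level!r}")


def client_sends(level: int) -> FrozenSet[str]:
    """Response types a Windows client configured at this level will send."""
    _check_level(level)
    if level <= 1:          # 0: LM & NTLM; 1: same, plus NTLMv2 session security if negotiated
        return frozenset({LM, NTLMV1})
    if level == 2:          # NTLM response only
        return frozenset({NTLMV1})
    return frozenset({NTLMV2})  # 3, 4, 5: NTLMv2 response only


def dc_accepts(level: int) -> FrozenSet[str]:
    """Response types a domain controller / server at this level will accept."""
    _check_level(level)
    if level <= 3:          # 0..3 do not restrict what the server accepts
        return frozenset({LM, NTLMV1, NTLMV2})
    if level == 4:          # refuse LM
        return frozenset({NTLMV1, NTLMV2})
    return frozenset({NTLMV2})  # 5: refuse LM and NTLM, accept NTLMv2 only


def can_authenticate(client_offers: FrozenSet[str], server_level: int) -> bool:
    """True if at least one response type the client offers is accepted by the server."""
    return bool(frozenset(client_offers) & dc_accepts(server_level))


def windows_to_windows(client_level: int, server_level: int) -> bool:
    """Compatibility of a Windows client at one level with a server at another."""
    return can_authenticate(client_sends(client_level), server_level)


def compatibility_matrix() -> dict:
    """Full client-level x server-level table, keyed by (client_level, server_level)."""
    return {(c, s): windows_to_windows(c, s) for c in ALL_LEVELS for s in ALL_LEVELS}


if __name__ == "__main__":
    # Constructed sample clients for illustration (assumptions, not vendor facts).
    legacy_client = frozenset({LM, NTLMV1})   # offers no NTLMv2 response
    v2_client = frozenset({NTLMV2})           # offers NTLMv2 only
    for name, offers in (("legacy LM/NTLMv1 client", legacy_client),
                         ("NTLMv2-capable client", v2_client)):
        for level in (3, 4, 5):
            print(f"{name:24s} vs server level {level}: "
                  f"{'OK' if can_authenticate(offers, level) else 'REFUSED'}")
    print("\nWindows client level (rows) vs server level (cols):")
    m = compatibility_matrix()
    print("   " + " ".join(str(s) for s in ALL_LEVELS))
    for c in ALL_LEVELS:
        print(f"{c}: " + " ".join("Y" if m[(c, s)] else "-" for s in ALL_LEVELS))
```

The matrix makes the operational point of the thread concrete: a server at level 3 still accepts LM and NTLMv1 responses, so a client that can only produce those authenticates; a server at level 5 accepts NTLMv2 only, so such a client is refused and the client sees a generic bad-credentials error rather than anything naming the policy. Auditing the setting on a Windows host is a matter of reading the LmCompatibilityLevel value above (or the equivalent Group Policy result); the model does not touch the registry itself.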