Re: [Fed-Talk] RE: Authentication of OS X using CAC cards against Active Directory
- Subject: Re: [Fed-Talk] RE: Authentication of OS X using CAC cards against Active Directory
- From: Paul Nelson <email@hidden>
- Date: Thu, 29 Jun 2006 13:08:42 -0500
- Thread-topic: [Fed-Talk] RE: Authentication of OS X using CAC cards against Active Directory
Thanks Neal, and sorry this is so long...
Thursby is working with both Apple and the Army to get Macs officially
accepted on the same level as Windows systems. Of course the solution will
work for all of the DoD in general. Testing is occurring at several Army
locations at this time, including NETCOM.
We will be posting a public beta by Monday. Currently our home page,
www.thursby.com, only shows DAVE and ADmitMac. When the beta is posted, the
home page will be updated to show the CAC version.
Army and DoD Macintosh lovers should take heart because the pieces required
to make the Mac a first class citizen on military and government networks
are starting to fall into place quickly.
I'm just putting another BETA build of our stuff together. Here is a
preview:
1) The stuff is called "ADmitMac for CAC".
2) Passwords will never be required.
3) We now implement full Kerberos PKINIT during login, so you can use your
CAC to log into Active Directory, with real network login where the Active
Directory domain actually authenticates you.
4) We implement five policy settings:
a) you can deny the Administrator the right to unlock a user's screen
b) you can prevent local user accounts from logging into the console
c) you can prevent domain users without a CAC from logging into the
console
d) you can prevent domain users from logging in without a network
connection - and you can, of course, log in without a network connection
using mobile accounts
e) You can set the level of user certificate verification required. A
user's certificate is verified if no domain controller is available to do
this. Certificates MUST always be signed by trusted certs and MUST not be
expired at the current time regardless of this policy.
ADmitMac already supports the highest level of LanMan security.
Probably the coolest part of all this is that when you install ADmitMac for
CAC, it does all the setup automatically - there is NO editing of files by
hand. Default settings are chosen to allow you to log in with the CAC right
away. A command line tool is provided to view and change settings.
Second coolest is the screen locking - when you pull your CAC, the screen
locks. Put it back and enter your PIN to unlock. You won't be able to
unlock the screen without the CAC and PIN, period (only the PIN is checked,
and you can unlock with an expired card). Sleep and wakeup locking and
unlocking are enforced. The user can't turn the screen locking off.
Third (and only cool to geeks like me) is the logging. We log everything
about the login so you can determine what is happening at any time. We are
using Apple's asl logging so you can enter commands like:
syslog -k Sender AM-PKINIT
to view all our log messages. You can also look for failures:
syslog -k Sender AM-PKINIT -k Status failure
All log messages are tagged with a rich set of info including:
the login user's distinguished name for locating them in AD
the user's real name (like Paul W. Nelson)
the user principal name (used for Kerberos credentials)
the user ID number
This makes reading logs very powerful. You can do stuff like
syslog -k userPrincipalName email@hidden
syslog -k cn "Paul W. Nelson"
syslog -k UniqueID 1105
Or check for policy info:
syslog -k Message Zeq policy
Fourth, we are currently testing with the new CAC used for administration,
and should be able to support these types of cards.
Paul Nelson
CTO
Thursby Software Systems, Inc.
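The key-tagged ASL logging above (Sender, Status, userPrincipalName, cn, UniqueID) is easy to query interactively with `syslog -k`, but a practitioner will also want to process those records offline. The following is an added example, not code from the post or from Thursby; it assumes the bracketed `[Key value]` layout that `syslog -F raw` prints (with `\]` escaping inside values) and assumes AM-PKINIT attaches the custom keys the post lists. The sample lines are constructed for illustration. It reproduces the `-k Sender AM-PKINIT -k Status failure` filter in Python and then goes one step further than the post by counting failures per user principal.

```python
import re
from collections import Counter

# Constructed sample records in the bracketed key/value layout of `syslog -F raw`.
# Assumption: AM-PKINIT tags each record with Status, userPrincipalName, cn, UniqueID.
SAMPLE_RAW_ASL = r"""
[Time 1151604522] [Host mac01] [Sender AM-PKINIT] [Facility auth] [Level 5] [Status success] [userPrincipalName paul@example.mil] [cn Paul W. Nelson] [UniqueID 1105] [Message PKINIT login succeeded]
[Time 1151604580] [Host mac01] [Sender AM-PKINIT] [Facility auth] [Level 3] [Status failure] [userPrincipalName paul@example.mil] [cn Paul W. Nelson] [UniqueID 1105] [Message PIN verification failed]
[Time 1151604640] [Host mac01] [Sender AM-PKINIT] [Facility auth] [Level 3] [Status failure] [userPrincipalName jdoe@example.mil] [cn Jane Doe] [UniqueID 1106] [Message policy denied console login without CAC]
[Time 1151604700] [Host mac01] [Sender com.apple.loginwindow] [Facility auth] [Level 5] [Status failure] [Message unrelated sender, must be filtered out]
[Time 1151604760] [Host mac01] [Sender AM-PKINIT] [Facility auth] [Level 3] [Status failure] [userPrincipalName paul@example.mil] [cn Paul W. Nelson] [UniqueID 1105] [Message certificate chain not trusted \[issuer unknown\]]
"""

# One "[Key value]" field; a value may contain backslash-escaped characters such as "\]".
FIELD_RE = re.compile(r"\[(\w+) ((?:\\.|[^\]\\])*)\]")


def parse_raw_asl_line(line):
    """Turn one raw-format ASL line into a dict, unescaping '\\]' and '\\[' in values."""
    return {key: re.sub(r"\\(.)", r"\1", value) for key, value in FIELD_RE.findall(line)}


def parse_raw_asl(text):
    """Parse every non-empty line of raw ASL output into a list of dicts."""
    return [parse_raw_asl_line(line) for line in text.strip().splitlines() if line.strip()]


def pkinit_failures(records, sender="AM-PKINIT"):
    """Offline equivalent of: syslog -k Sender AM-PKINIT -k Status failure."""
    return [r for r in records if r.get("Sender") == sender and r.get("Status") == "failure"]


def failures_by_upn(records, threshold=2):
    """Count AM-PKINIT failures per userPrincipalName; return principals at or over threshold.

    Records without a userPrincipalName (e.g. a pre-login failure) are bucketed as '<none>'
    so they are not silently dropped.
    """
    counts = Counter(r.get("userPrincipalName", "<none>") for r in pkinit_failures(records))
    return {upn: n for upn, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_raw_asl(SAMPLE_RAW_ASL)
    for r in pkinit_failures(recs):
        print(r.get("userPrincipalName"), r.get("UniqueID"), r.get("Message"))
    print("repeat offenders:", failures_by_upn(recs))
```

To run it against a real machine, replace the constructed sample with the output of `syslog -F raw -k Sender AM-PKINIT`; the parser does not depend on the order of the keys.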
_______________________________________________
Fed-talk mailing list (email@hidden)