Re: [Fed-Talk] Getting FireFox to prompt for which CAC cert to use.
- Subject: Re: [Fed-Talk] Getting FireFox to prompt for which CAC cert to use.
- From: "Timothy J. Miller" <email@hidden>
- Date: Thu, 11 Jan 2007 10:38:19 -0600
Boyd Fletcher wrote:
> It's unfortunate Apple won't fix Safari so that it will prompt for which
> certificate to use.
Feel free to submit the bug, but I'll wager Apple will point the finger
at the website because, technically speaking, if SSL client
authentication fails you are *supposed* to return an error code. If DoD
websites were consistently doing this, there wouldn't be a problem.
In my experience, Apple tries to cleave as close to the standard as
possible (frex, Apple Mail is one of the few S/MIME clients that
enforces RFC2822 case sensitivity rules on the left side of the @
delimiter, which can throw off some users who expect differently). This
is generally a good thing, but when violations of the standards become
commonly accepted, it can cause "unexpected" behavior.
> We use both OWA and Juniper VPN clients. We can only use
> FF with OWA (and it's inconsistent at that) and the Juniper VPN client is
> hosed since it tries to use Safari. Our Windows sysads are using the email
> cert, not the ID certificate, because, according to Microsoft, CAC ID certs do
> not have a "subject alternative name" SAN field that contains the user's
> "user principal name" UPN that is used with AD.
The requirement for certs to contain the user's UPN for smartcard logon
to work is a *bug*. This is *not* the intelligent way to map certs to
account records. MS did this back in the Win2k days--and I took them to
task for it then as well at the Fed security summit--as a way to lock
customers to the MS CA. Unfortunately we're stuck with it for now.
However, there's another user attribute for cert mapping in AD:
altSecurityIdentities.
http://msdn2.microsoft.com/en-gb/library/ms677943.aspx
When this attribute is populated with the user's ID certificate
information (issuer and subject DN), IIS can map the ID cert to the
user's account. This *should* work with OWA COA2 but I haven't tested
it personally (my AD record has it set but since I'm tenant on a base
with Exchange 5.5, I don't have a CAC-enabled OWA instance to test
against). The LEAP tool will populate this setting.
If it works as advertised (tall order, I know :) then either ID or email
cert could be used for OWA authentication.
-- Tim
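An added example (not from the original post, and not Microsoft's or the LEAP tool's code) that builds the altSecurityIdentities issuer+subject mapping value Tim describes and shows the match check a certificate mapper performs against it. The `X509:<I>IssuerDN<S>SubjectDN` layout with root-first DNs is assumed from Microsoft's documentation of the attribute; every DN value below is constructed.

```python
from typing import List, Optional, Tuple

# A DN as ordered (attribute, value) pairs, leaf-first (CN first), which is
# how openssl and most certificate viewers print issuer and subject.
# Sample values here contain no characters that would need RFC 4514 escaping.
RDN = List[Tuple[str, str]]


def ad_dn(leaf_first: RDN) -> str:
    """Render a DN root-first (C=..., O=..., ..., CN=...), the order the
    altSecurityIdentities X509 mapping format uses."""
    return ",".join(f"{attr}={value}" for attr, value in reversed(leaf_first))


def issuer_subject_mapping(issuer: RDN, subject: RDN) -> str:
    """The altSecurityIdentities value that maps one certificate, identified
    by issuer and subject DN, to the account it is stored on."""
    return f"X509:<I>{ad_dn(issuer)}<S>{ad_dn(subject)}"


def parse_mapping(value: str) -> Optional[Tuple[str, str]]:
    """Split a stored X509:<I>...<S>... value into (issuer, subject);
    None for any other mapping type stored in the same attribute."""
    if not value.startswith("X509:<I>") or "<S>" not in value:
        return None
    issuer, subject = value[len("X509:<I>"):].split("<S>", 1)
    return issuer, subject


def cert_matches_account(issuer: RDN, subject: RDN, stored: List[str]) -> bool:
    """What the mapper conceptually does: the presented cert's issuer and
    subject must equal one of the account's stored mappings exactly. A cert
    for the same person from a different CA (e.g. the email cert) does not
    satisfy a mapping written for the ID cert."""
    want = (ad_dn(issuer), ad_dn(subject))
    return any(parse_mapping(v) == want for v in stored)


# Constructed sample: ID and email certs for one user, issued by two CAs.
ID_CA = [("CN", "EXAMPLE ID CA-1"), ("OU", "PKI"), ("OU", "Example Dept"),
         ("O", "Example Government"), ("C", "US")]
EMAIL_CA = [("CN", "EXAMPLE EMAIL CA-1"), ("OU", "PKI"), ("OU", "Example Dept"),
            ("O", "Example Government"), ("C", "US")]
USER = [("CN", "DOE.JOHN.Q.1234567890"), ("OU", "Example Agency"), ("OU", "PKI"),
        ("OU", "Example Dept"), ("O", "Example Government"), ("C", "US")]

# The account record holds only the ID-cert mapping (as LEAP would populate it).
ACCOUNT_MAPPINGS = [issuer_subject_mapping(ID_CA, USER)]
```

Presenting the ID cert against `ACCOUNT_MAPPINGS` matches; the email cert, same subject but a different issuer, does not unless a second mapping is stored for it.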