RE: [Fed-Talk] Getting FireFox to prompt for which CAC cert to use.
- Subject: RE: [Fed-Talk] Getting FireFox to prompt for which CAC cert to use.
- From: "Fletcher, Boyd C. GS-13 J9935" <email@hidden>
- Date: Thu, 11 Jan 2007 12:20:25 -0500
- Thread-topic: [Fed-Talk] Getting FireFox to prompt for which CAC cert to use.
I agree MS should be using ID cert. I will try to get my MS AD admins to change my UPN record to use the field you suggested and try that.
BTW, does anyone have verified procedures for getting FF to reliably work with and prompt for CACs on MacOS 10.4.8? We have tried on 5 Macs (mix of PPC and Intel) and have only been able to get it to work on two of them.
boyd
-----Original Message-----
From: Timothy J. Miller [mailto:email@hidden]
Sent: Thu 1/11/07 11:38 AM
To: Fletcher, Boyd C. GS-13 J9935
Cc: Bojanower P Chris Civ 75 CS/SCXH; 'email@hidden'
Subject: Re: [Fed-Talk] Getting FireFox to prompt for which CAC cert to use.
Boyd Fletcher wrote:
> It's unfortunate Apple won't fix Safari so that it will prompt for which
> certificate to use.
Feel free to submit the bug, but I'll wager Apple will point the finger
at the website because, technically speaking, if SSL client
authentication fails you are *supposed* to return an error code. If DoD
websites were consistently doing this, there wouldn't be a problem.
In my experience, Apple tries to cleave as close to the standard as
possible (frex, Apple Mail is one of the few S/MIME clients that
enforces RFC2822 case sensitivity rules on the left side of the @
delimiter, which can throw off some users who expect differently). This
is generally a good thing, but when violations of the standards become
commonly accepted, it can cause "unexpected" behavior.
> We use both OWA and Juniper VPN clients. We can only use
> FF with OWA (and it's inconsistent at that) and the Juniper VPN client is
> hosed since it tries to use Safari. Our Windows sysads are using the email
> cert not the ID certificate because, according to Microsoft, CAC ID certs do
> not have a "subject alternative name" SAN field that contains the user's
> "user principal name" UPN that is used with AD.
The requirement for certs to contain the user's UPN for smartcard logon
to work is a *bug*. This is *not* the intelligent way to map certs to
account records. MS did this back in the Win2k days--and I took them to
task for it then as well at the Fed security summit--as a way to lock
customers to the MS CA. Unfortunately we're stuck with it for now.
However, there's another user attribute for cert mapping in AD:
altSecurityIdentities.
http://msdn2.microsoft.com/en-gb/library/ms677943.aspx
When this attribute is populated with the user's ID certificate
information (issuer and subject DN), IIS can map the ID cert to the
user's account. This *should* work with OWA COA2 but I haven't tested
it personally (my AD record has it set but since I'm tenant on a base
with Exchange 5.5, I don't have a CAC-enabled OWA instance to test
against). The LEAP tool will populate this setting.
If it works as advertised (tall order, I know :) then either ID or email
cert could be used for OWA authentication.
-- Tim
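The altSecurityIdentities mapping Tim describes takes a string of the form X509:<I>issuerDN<S>subjectDN, with each DN written in RFC 2253 order (C=... first, CN=... last), which is the reverse of the order the certificate viewer displays. The script below is an added example, not from this thread or the LEAP tool: it builds that string from an exported ID certificate and adds it to the user object. It assumes the ActiveDirectory PowerShell module and rights to modify the account; the file path and account name are placeholders, and any DN values you see are whatever is in your own certificate.

```powershell
# Added example (not from the thread): populate altSecurityIdentities with an
# issuer/subject mapping derived from the user's ID certificate.
# Assumes the ActiveDirectory module (RSAT) and write access to the user object.

Import-Module ActiveDirectory

function New-X509MappingString {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # Format($true) emits one RDN per line in display order (CN first).
    # Splitting on lines, not commas, keeps RDNs that contain escaped commas intact.
    # altSecurityIdentities wants the reverse order, so C=... comes first.
    $issuer  = @($Cert.IssuerName.Format($true)  -split "`r?`n" | Where-Object { $_ })
    $subject = @($Cert.SubjectName.Format($true) -split "`r?`n" | Where-Object { $_ })
    [array]::Reverse($issuer)
    [array]::Reverse($subject)
    return ('X509:<I>{0}<S>{1}' -f ($issuer -join ','), ($subject -join ','))
}

# The ID certificate exported from the card as DER/.cer; path is a placeholder.
$certPath = 'C:\path\to\id-cert.cer'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$mapping = New-X509MappingString -Cert $cert
Write-Host "Mapping string: $mapping"

# Add rather than overwrite: an account may legitimately carry several mappings
# (for example both the ID and email certs, or old and new cards during reissue).
$sam  = 'jdoe'   # placeholder account name
$user = Get-ADUser -Identity $sam -Properties altSecurityIdentities
if ($user.altSecurityIdentities -notcontains $mapping) {
    Set-ADUser -Identity $sam -Add @{ altSecurityIdentities = $mapping }
}

# Read the attribute back so you can confirm exactly what IIS and the KDC will compare against.
(Get-ADUser -Identity $sam -Properties altSecurityIdentities).altSecurityIdentities
```

Two practical notes. First, when a card is reissued the old mapping should be removed (Set-ADUser -Remove) once the new one is in place, otherwise a lost card keeps mapping to the account until its certificate expires or is revoked. Second, issuer+subject is only one of the forms this attribute accepts; Windows updates from 2022 onward (KB5014754) classify it as a weak mapping and prefer forms tied to the certificate itself, such as the issuer plus serial number or the subject key identifier, so check which forms your domain controllers currently enforce before standardizing on this one.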