Re: [Fed-Talk] Problems with Keychain/AF WebMail/CAC Or the endless trials of getting Macs to work with Smartcards
- Subject: Re: [Fed-Talk] Problems with Keychain/AF WebMail/CAC Or the endless trials of getting Macs to work with Smartcards
- From: Boyd Fletcher <email@hidden>
- Date: Thu, 31 May 2007 03:12:21 -0400
- Thread-topic: [Fed-Talk] Problems with Keychain/AF WebMail/CAC Or the endless trials of getting Macs to work with Smartcards
Over the last year, I have noticed a disturbing trend on Apple Fed-Talk. The
single biggest issue (by far) that Federal users have with Apple is the poor
state of CAC/Smartcard support in Apple software and hardware.
It would be nice if Apple fixed CAC/SmartCard support once and for all.
Though 10.4 was a big improvement over 10.3, it is still well below the level
of Windows or even Linux (FC6+).
This includes:
1) Allow the USER, not the O/S, to decide which certificate should be
presented. I think it is evident from this list that Apple's default selection is
rarely correct. We can all argue the merits of Apple's implementation and
whether or not DOD servers are configured correctly, but you know what, it
doesn't bloody matter. Ultimately what matters is whether the user can get their job
done with a Mac, and the answer in DOD is increasingly NO. Why? Because Apple
refuses to change their CAC/SC implementation to work like other operating
systems do, which is to allow the user to select which cert is the correct
one to use. Automatic selection (if it can't be turned off) is almost always
bad for the user, and relying on the proper response from a server (esp. if
it's a DOD Windows server) is even worse (Windows admins don't care about
Linux/Mac users as long as it works for Windows and IE). Why can't this be a
setting in Prefs->Users?
- how many folks on this list have either Dave's CAC switch program or
some other hack to get their CAC to work? I do. Everyone I know personally
in DOD has one installed. This should be telling Apple something, humm.....
2) Work with Microsoft Entourage (dig sign, encrypted, and https/webdav
access for OWA) and Mozilla Firefox/Thunderbird folks to make sure their
apps fully and transparently support CAC/SC.
- Entourage doesn't work with a CAC enabled OWA site
- FF still crashes frequently on many users' computers when trying to
access the CAC/SC
3) Users should never have to access the command line to get CAC/SC to work.
Period. No exceptions.
4) Every single top 7 computer laptop vendor EXCEPT Apple has laptops with
integrated smartcard readers. Why can't Apple get with the program? I and
many, many others are getting really tired of lugging an SCR-331 around
just so we can log in to our MBPs.
5) Fix CAC/SC login authentication so it's just a matter of clicking a button
in Prefs->Security to enable it. Better yet, allow it to validate the user
and certificate with Active Directory as well.
6) Add full integration with AD for user authentication, authorization, and
file sharing access. We shouldn't have to use 3rd party apps.
Finally, if Apple wants to be respected in DOD as a serious technology
provider then it needs to stop treating DOD users as a bunch of
individuals and instead look at DOD as the largest IT user in the world - by
a very large margin. MS learned this; why can't Apple?
Some things Apple needs to address:
1) Enterprise customers should not have to provide a credit card number to
get a laptop fixed. Most DOD users don't even have access to a government
purchase card and it would be illegal to use their personal credit card.
None of the other tier 1 vendors have this requirement.
2) Enterprise customers should not have to send their laptop in BEFORE a
replacement unit arrives. When my Lenovo, Fujitsu, Dell, HP, Acer laptops
break, they diagnose on the phone, and if a replacement is warranted they send
it to me BEFORE I send my broken one back so I have a chance to copy off my
files.
3) Enterprise customers don't like surprises. They want to know where their
technology provider is going to be in 6, 12, 18, 24, 36 months... Government
moves slowly and frequently has long lead times on equipment purchases,
long and complicated testing/qualification events for new s/w & h/w, and
even longer life cycle replacement periods (for example, ships cycle out
equipment every 3-5 YEARS!). Enterprise customers want to know that they can
reliably get item X or widget Y for some period of time longer than 12
months. Apple really needs to rethink how it shares its enterprise technology
(laptops, desktops, servers, storage - not the consumer stuff like Apple TV,
iPod, iPhone) roadmap with enterprise customers.
boyd
On 5/30/07 5:48 PM, "Timothy J. Miller" <email@hidden> wrote:
> On May 30, 2007, at 4:09 PM, Mike Jackson wrote:
>
>> Then followed the FF instructions from above. FF now recognizes the
>> CAC/Reader. Inserted the card, clicked the "Log In" button on the
>> "Device Manager" Dialog, entered my PIN and it seemed to like it. I
>> then closed all those dialogs, and then went to
>> https://webmail.afmc.af.mil/Exchange at which point FF asked me to select a
>> cert (I selected my identity) and I get the 401 error. I tried again
>> with my email cert and I get the 403 error.
>
> 403 is forbidden, which in HTTP means your authentication was
> accepted but you don't have permission. This sounds like something
> funky on the server side to me. This *could* be a trust problem;
> you'll want to make sure you have all the DoD CAs installed *in
> Firefox*. (FF doesn't use the Keychain.)
>
>> Tried again with Safari but still get the 401 error.
>
> 401 means unauthorized, which in HTTP means the server didn't accept
> your authentication (heaven forbid HTTP error codes should use authN
> and authZ the way the *rest of the planet* does). This is as
> expected as for Safari to work you need to re-LEAP with the ID cert.
>
> -- Tim
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden