[Fed-Talk] "Authentication" < > "SSO"
- Subject: [Fed-Talk] "Authentication" < > "SSO"
- From: "Shawn A. Geddis" <email@hidden>
- Date: Mon, 29 Dec 2008 12:57:03 -0500
On Dec 29, 2008, at 9:56 AM, Timothy J. Miller wrote:

> Shawn A. Geddis wrote:
>> For your benefit and for many new subscribers to this list, let's
>> review a few things here:
>>
>> 6. Smart Cards Services are fully integrated for the following use:
>>    1. Login - */Authentication/* to ANY Directory Service
>>       supported by Mac OS X
>
> Whoa, hold on a minute there Shawn--are you claiming PKINIT to AD
> now? That wasn't on the list for *any* of the 10.5.* updates I've
> ever seen and you *know* how long I've been beating you about the
> head and shoulders about that.
>
> -- Tim

Tim,

I emphasized *Authentication* .... same I have said for a couple
years now...

"Authentication" < > "SSO" (for those not familiar, SSO is Single
Sign-On)

I did not say Mac OS X 10.5.x provides "SSO to AD" which would indeed
require PKINIT. As you pointed out, PKINIT is not part of any of the
Mac OS X 10.5.x updates released. PKINIT would also transparently
acquire the Kerberos TGT (Ticket Granting Ticket) for subsequent
automatic acquisition of Service Tickets all without re-authenticating.

Authentication to ANY Directory Service (supported by Mac OS X) can
take place with a supported Smart Card which solves the need for those
not needing "SSO to a DS using a Smart Card".

- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise