On Dec 29, 2008, at 1:50 PM, Timothy J. Miller wrote:
> Shawn A. Geddis wrote:
>> I emphasized *Authentication* .... same I have said for a couple years now...
>> "Authentication" < > "SSO" (for those not familiar, SSO is Single Sign-On)
>
> And it's as much splitting hairs now as it was then. :)

The reference to "Authentication" < > "SSO" is not splitting hairs. This is a true statement regardless of platform. Authentication is a single instance of proving who or what you are. SSO is a method of access control that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to authenticate again. So, SSO relies on Authentication, but they are not the same.

I will agree that MS AD popularized the thinking that they are the same, but alas they are not.

> AD is an Apple-supported directory service. Authentication to AD requires Kerberos.

Well actually, AD allows for multiple authentication mechanisms (depending on versions of course):
- LAN Manager
- NTLM
- NTLMv2
- Kerberos

I would agree that in several US Federal environments, it would require Kerberos by policy.

> Kerberos with smartcards requires PKINIT.

Correct. PKINIT enables the use of Public Key Cryptography for Client Authentication to Kerberos.

> PKINIT isn't supported in OS X's version of MIT Kerberos.

Not correct. Every copy of Mac OS X 10.5.x has a "Local KDC" (LKDC), which is MIT Kerberos for Mac OS X that does indeed support PKINIT. The "Local KDC" (LKDC) is managed by the OS for the purpose (right now) of BTMM - Back-To-My-Mac Service. Here again, this is not a splitting of hairs....
"LKDC w/ PKINIT" < > "Login w/PKINIT"

> Therefore smartcards aren't integrated into *every* supported directory service under OS X.

You can *Authenticate* to Every Directory Service supported on Mac OS X by using one of the following two methods for associating a Smart Card to an Account. It will still require the DS record to have the corresponding required info as well as the successful unlock of the corresponding Smart Card. These methods are unique to Mac OS X for Smart Card *Authentication*.
- PubKeyHash
- Attribute Matching

> The fact that authentication via AD as a directory service also nets you a ticket you can use to authenticate to other network services (thus, SSO) is immaterial to that chain of logic.

This is the core benefit and purpose of SSO and why it exists to begin with. I believe your point is that until Apple provides PKINIT for SSO to AD for Smart Cards, it is not usable for you regardless of the ability to *Authenticate* with a Smart Card to AD.
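The two card-to-account mapping methods named above (PubKeyHash and Attribute Matching) are easy to get subtly wrong, so here is a small working model of them, added to this thread as an illustration and not code from Apple or from either poster. It assumes the stored hash is SHA-1 over the public key bytes in upper-case hex, that it lives in the record's AuthenticationAuthority as ";pubkeyhash;<hex>" (the form produced by sc_auth), and that attribute matching compares one certificate subject field against one directory attribute; the keys, names and records are constructed. The one point it makes beyond the prose is that a mapping must resolve to exactly one record, and that the card's unlock (PIN) is a separate precondition from the mapping itself.

```python
"""Model of Mac OS X smart card-to-account mapping: PubKeyHash vs Attribute Matching.
Constructed example; keys, names and records below are made up for illustration."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CardCredential:
    """What the login process learns from the certificate on a smart card.
    `unlocked` models the PIN verification that must succeed before the card's
    key can be used; a successful mapping alone never logs anyone in."""
    subject: dict          # certificate subject fields, e.g. {"CN": ..., "emailAddress": ...}
    public_key_der: bytes  # DER SubjectPublicKeyInfo (constructed bytes here)
    unlocked: bool = False


@dataclass
class DirectoryRecord:
    """Subset of a directory-service user record relevant to card mapping."""
    name: str
    attributes: dict = field(default_factory=dict)
    auth_authority: List[str] = field(default_factory=list)  # AuthenticationAuthority values


def pubkey_hash(spki_der: bytes) -> str:
    """Assumption: SHA-1 of the public key bytes, upper-case hex (the `sc_auth hash` style)."""
    return hashlib.sha1(spki_der).hexdigest().upper()


def pubkeyhash_tag(spki_der: bytes) -> str:
    """Assumed on-record form of the hash: ';pubkeyhash;<hex>' in AuthenticationAuthority."""
    return ";pubkeyhash;" + pubkey_hash(spki_der)


def match_by_pubkeyhash(card: CardCredential, records: List[DirectoryRecord]) -> List[DirectoryRecord]:
    """PubKeyHash: the record must carry the hash of exactly this card's key."""
    tag = pubkeyhash_tag(card.public_key_der)
    return [r for r in records if tag in r.auth_authority]


def match_by_attribute(card: CardCredential, records: List[DirectoryRecord],
                       cert_field: str, record_attr: str) -> List[DirectoryRecord]:
    """Attribute Matching: a certificate subject field equals a directory attribute."""
    value = card.subject.get(cert_field)
    if value is None:
        return []
    return [r for r in records if r.attributes.get(record_attr) == value]


def resolve_account(card: CardCredential, records: List[DirectoryRecord], method: str,
                    cert_field: Optional[str] = None, record_attr: Optional[str] = None) -> Optional[str]:
    """Return the single account name the card maps to, or None.
    None covers: card not unlocked, no record claims the card, or more than one
    record claims it (ambiguous mapping is refused, never resolved to the first hit)."""
    if not card.unlocked:
        return None
    if method == "pubkeyhash":
        matches = match_by_pubkeyhash(card, records)
    elif method == "attribute":
        if cert_field is None or record_attr is None:
            raise ValueError("attribute matching needs cert_field and record_attr")
        matches = match_by_attribute(card, records, cert_field, record_attr)
    else:
        raise ValueError(f"unknown mapping method: {method}")
    if len(matches) != 1:
        return None
    return matches[0].name


# Constructed sample data (not real keys or users).
ALICE_KEY = b"\x30\x59\x30\x13" + b"\x01" * 20
BOB_KEY = b"\x30\x59\x30\x13" + b"\x02" * 20

ALICE_CARD = CardCredential({"CN": "Alice Example", "emailAddress": "alice@example.test"}, ALICE_KEY, unlocked=True)
BOB_CARD = CardCredential({"CN": "Bob Example", "emailAddress": "bob@example.test"}, BOB_KEY, unlocked=True)
LOCKED_ALICE = CardCredential(dict(ALICE_CARD.subject), ALICE_KEY, unlocked=False)

RECORDS = [
    DirectoryRecord("alice", {"EMailAddress": "alice@example.test"}, [pubkeyhash_tag(ALICE_KEY)]),
    DirectoryRecord("bob", {"EMailAddress": "bob@example.test"}, [pubkeyhash_tag(BOB_KEY)]),
    # A second record carrying Alice's address (a stale or shared mailbox) makes
    # attribute matching ambiguous for her, while her key hash still maps cleanly.
    DirectoryRecord("alice-old", {"EMailAddress": "alice@example.test"}),
]

if __name__ == "__main__":
    print("alice via pubkeyhash:", resolve_account(ALICE_CARD, RECORDS, "pubkeyhash"))
    print("alice via attribute :", resolve_account(ALICE_CARD, RECORDS, "attribute", "emailAddress", "EMailAddress"))
    print("bob via attribute   :", resolve_account(BOB_CARD, RECORDS, "attribute", "emailAddress", "EMailAddress"))
    print("locked card         :", resolve_account(LOCKED_ALICE, RECORDS, "pubkeyhash"))
```

The design choice worth noting is the `len(matches) != 1` check: attribute matching is only as strong as the uniqueness of the attribute you match on, so a duplicate value in the directory has to fail closed rather than quietly pick a record. PubKeyHash sidesteps that because a key hash is tied to one card, which is why it is the mapping a practitioner would normally prefer where the directory can store it.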