[Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 354
- Subject: [Fed-Talk] Re: Fed-talk Digest, Vol 5, Issue 354
- From: "Adams, Walter CTR CNIC HQ, N61" <email@hidden>
- Date: Mon, 29 Dec 2008 15:33:21 -0500
- Thread-topic: Fed-talk Digest, Vol 5, Issue 354
Tim,
I am kind of on the fence on this one.
An SSO would be nice, but the fact that it does not exist currently allows
Entourage to support mimicking OWA access to an Exchange server - which is
great.
I suspect that if the Mac was fully integrated with AD, Microsoft would make
Entourage work like Outlook does, which means that if you are not part of
the AD and AD access is integrated you would not be able to use Entourage as
it is today.
For our group that would mean we would have to use PCs for CAC-enabled
access to our enterprise email... ;-(...
Somewhere between the "law of unintended consequences" and "be careful with
what you wish for"...
Happy Holidays!
Walter
On 12/29/08 3:04 PM, "email@hidden"
<email@hidden> wrote:
>
> Today's Topics:
>
> 1. Re: SCR331 *still* not working 10.5.6 (Timothy J. Miller)
> 2. "Authentication" < > "SSO" (Shawn A. Geddis)
> 3. Re: "Authentication" < > "SSO" (Timothy J. Miller)
> 4. Re: Re: "Authentication" < > "SSO" (skyman375)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 29 Dec 2008 08:56:44 -0600
> From: "Timothy J. Miller" <email@hidden>
> Subject: Re: [Fed-Talk] SCR331 *still* not working 10.5.6
> To: "Shawn A. Geddis" <email@hidden>
> Cc: "email@hidden" <email@hidden>
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Shawn A. Geddis wrote:
>
>> For your benefit and for many new subscribers to this list, let's review
>> a few things here:
>
>> 6. Smart Cards Services are fully integrated for the following use:
>> 1. Login - */Authentication/* to ANY Directory Service
>> supported by Mac OS X
>
> Whoa, hold on a minute there Shawn--are you claiming PKINIT to AD now?
> That wasn't on the list for *any* of the 10.5.* updates I've ever seen
> and you *know* how long I've been beating you about the head and
> shoulders about that.
>
> -- Tim
>
> ------------------------------
>
> Message: 2
> Date: Mon, 29 Dec 2008 12:57:03 -0500
> From: "Shawn A. Geddis" <email@hidden>
> Subject: [Fed-Talk] "Authentication" < > "SSO"
> To: Timothy J.Miller <email@hidden>
> Cc: Fed Talk <email@hidden>
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="us-ascii"
>
> On Dec 29, 2008, at 9:56 AM, Timothy J. Miller wrote:
>> Shawn A. Geddis wrote:
>>
>>> For your benefit and for many new subscribers to this list, let's
>>> review a few things here:
>>
>>> 6. Smart Cards Services are fully integrated for the following use:
>>> 1. Login - */Authentication/* to ANY Directory Service
>>> supported by Mac OS X
>>
>> Whoa, hold on a minute there Shawn--are you claiming PKINIT to AD
>> now? That wasn't on the list for *any* of the 10.5.* updates I've
>> ever seen and you *know* how long I've been beating you about the
>> head and shoulders about that.
>>
>> -- Tim
>
> Tim,
>
> I emphasized *Authentication* .... same I have said for a couple
> years now...
>
> "Authentication" < > "SSO" (for those not familiar, SSO is Single
> Sign-On)
>
> I did not say Mac OS X 10.5.x provides "SSO to AD" which would indeed
> require PKINIT. As you pointed out, PKINIT is not part of any of the
> Mac OS X 10.5.x updates released. PKINIT would also transparently
> acquire the Kerberos TGT (Ticket Granting Ticket) for subsequent
> automatic acquisition of Service Tickets all without re-authenticating.
>
> Authentication to ANY Directory Service (supported by Mac OS X) can
> take place with a supported Smart Card which solves the need for those
> not needing "SSO to a DS using a Smart Card".
>
> - Shawn
> _____________________________________________________
> Shawn Geddis - Security Consulting Engineer - Apple Enterprise
>
> ------------------------------
>
> Message: 3
> Date: Mon, 29 Dec 2008 12:50:05 -0600
> From: "Timothy J. Miller" <email@hidden>
> Subject: [Fed-Talk] Re: "Authentication" < > "SSO"
> To: "Shawn A. Geddis" <email@hidden>
> Cc: Fed Talk <email@hidden>
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Shawn A. Geddis wrote:
>
>> I emphasized *Authentication* .... same I have said for a couple
>> years now...
>>
>> "Authentication" < > "SSO" (for those not familiar, SSO
>> is Single Sign-On)
>
> And it's as much splitting hairs now as it was then. :)
>
> AD is an Apple-supported directory service. Authentication to AD
> requires Kerberos. Kerberos with smartcards requires PKINIT. PKINIT
> isn't supported in OS X's version of MIT Kerberos. Therefore smartcards
> aren't integrated into *every* supported directory service under OS X.
>
> The fact that authentication via AD as a directory service also nets you
> a ticket you can use to authenticate to other network services (thus,
> SSO) is immaterial to that chain of logic.
>
> -- Tim
>
> ------------------------------
>
> Message: 4
> Date: Mon, 29 Dec 2008 14:28:11 -0500
> From: skyman375 <email@hidden>
> Subject: Re: [Fed-Talk] Re: "Authentication" < > "SSO"
> To: email@hidden
> Message-ID:
> <email@hidden>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Ok - anybody out there care to translate this a bit?
>
>
> On Mon, Dec 29, 2008 at 13:50, Timothy J. Miller <email@hidden> wrote:
>
>> Shawn A. Geddis wrote:
>>
>>> I emphasized *Authentication* .... same I have said for a couple years
>>> now...
>>>
>>> "Authentication" < > "SSO" (for those not familiar, SSO is
>>> Single Sign-On)
>>>
>>
>> And it's as much splitting hairs now as it was then. :)
>>
>> AD is an Apple-supported directory service. Authentication to AD requires
>> Kerberos. Kerberos with smartcards requires PKINIT. PKINIT isn't supported
>> in OS X's version of MIT Kerberos. Therefore smartcards aren't integrated
>> into *every* supported directory service under OS X.
>>
>> The fact that authentication via AD as a directory service also nets you a
>> ticket you can use to authenticate to other network services (thus, SSO) is
>> immaterial to that chain of logic.
>>
>> -- Tim
>>
> ------------------------------
>
> End of Fed-talk Digest, Vol 5, Issue 354
> ****************************************
Walter Adams
Program Manager & Chief Architect PSNet
email@hidden
703-518-5527 (Office)