[Fed-Talk] Re: "Authentication" < > "SSO"
- Subject: [Fed-Talk] Re: "Authentication" < > "SSO"
- From: "Timothy J. Miller" <email@hidden>
- Date: Mon, 29 Dec 2008 15:51:12 -0600
Shawn A. Geddis wrote:
>> AD is an Apple-supported directory service. Authentication to AD
>> requires Kerberos.
>
> Well actually, AD allows for multiple authentication mechanisms
> (depending on versions of course):
>
> * LAN Manager
> * NTLM
> * NTLMv2
> * Kerberos
Um, no. AD only has *one* authentication method: Kerberos. The others
are offered by the specific services themselves as a legacy mode. They
can, in fact, deny those authentication modes.
That said: a service accepting, frex, NTLMv2 may use AD data to support
*authorization*. But that's not authentication.
> You can *Authenticate* to Every Directory Service supported on Mac OS X
> by using one of the following two methods for associating a Smart Card
> to an Account. It will still require the DS record to have the
> corresponding required info as well as the successful unlock of the
> corresponding Smart Card. These methods are unique to Mac OS X for
> Smart Card *Authentication*.
>
> * PubKeyHash
> * Attribute Matching
That's authorization, not authentication. This model authenticates an
identity locally (proves the card has the private key to correspond to
the provided certificate), then authorizes that identity using a DS.
This is not the same as authentication using a DS. Authentication with
the DS would validate the identity *at the DS*--e.g., during a Kerberos
AS exchange.
-- Tim
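The two-step model Tim describes above (the host proves locally that the card holds the private key for the presented certificate, then a directory lookup maps that identity onto an account) as an added example in Go. This is not code from the original message, from Apple, or from Mac OS X: the PubKeyHash attribute is modelled as SHA-256 over the raw public key bytes and the directory as an in-memory map, both assumptions, and the card keys are generated on the fly as constructed test data. The point it makes concrete is that a matching DS record by itself never authenticates anyone, and a successful card challenge by itself never yields an account.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Card models an unlocked smart card: it holds the private key and only ever signs.
type Card struct {
	priv ed25519.PrivateKey
}

// NewCard issues a card with a freshly generated key pair (constructed test data)
// and returns the public key that its certificate would carry.
func NewCard() (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv}, pub, nil
}

// Sign is the only operation the host can ask of the card.
func (c *Card) Sign(challenge []byte) []byte {
	return ed25519.Sign(c.priv, challenge)
}

// PubKeyHash derives the directory lookup key from the certificate's public key.
// Assumption: SHA-256 over the raw key bytes; the page does not give the real encoding.
func PubKeyHash(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// AuthenticateLocally is step one: prove the card holds the private key matching pub.
// The host picks a fresh nonce so a signature captured from an earlier session is useless.
func AuthenticateLocally(card *Card, pub ed25519.PublicKey) error {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	if !ed25519.Verify(pub, nonce, card.Sign(nonce)) {
		return errors.New("card did not prove possession of the private key")
	}
	return nil
}

// Directory stands in for the DS record set: PubKeyHash -> account name (assumed shape).
type Directory map[string]string

// AuthorizeViaDirectory is step two: map the already-authenticated identity onto an account.
// Nothing here checks a credential; the DS is consulted only for the account mapping.
func AuthorizeViaDirectory(dir Directory, pub ed25519.PublicKey) (string, error) {
	acct, ok := dir[PubKeyHash(pub)]
	if !ok {
		return "", errors.New("no DS record carries this PubKeyHash")
	}
	return acct, nil
}

// Login runs the two steps in order and returns the account name on success.
func Login(dir Directory, card *Card, pub ed25519.PublicKey) (string, error) {
	if err := AuthenticateLocally(card, pub); err != nil {
		return "", err
	}
	return AuthorizeViaDirectory(dir, pub)
}

func main() {
	alice, alicePub, err := NewCard()
	if err != nil {
		panic(err)
	}
	stranger, strangerPub, err := NewCard()
	if err != nil {
		panic(err)
	}
	dir := Directory{PubKeyHash(alicePub): "alice"} // constructed DS record

	fmt.Println(Login(dir, alice, alicePub))       // account found: alice
	fmt.Println(Login(dir, stranger, strangerPub)) // authenticated locally, but no DS record
	fmt.Println(Login(dir, stranger, alicePub))    // DS record exists, but card cannot prove the key
}
```

The third call is the case that matters for the authentication/authorization distinction: the directory does carry a record for Alice's PubKeyHash, yet a card that cannot sign the host's nonce with the matching private key is stopped before the directory is ever consulted. A Kerberos AS exchange differs in that the proof of the credential happens at the DS itself rather than on the local host.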
Fed-talk mailing list (email@hidden)