Re: [Fed-Talk] PIV-II usage on Macs
- Subject: Re: [Fed-Talk] PIV-II usage on Macs
- From: David McNeely <email@hidden>
- Date: Thu, 12 Feb 2009 13:30:18 -0800
Alternatively, you could install DirectControl for Mac along with
ActivIdentity's robust PIV middleware, join Active Directory and then
you have PIV login to AD providing both PKI certs and Kerberos Tickets
for SSO to most services.

Part of the join process and smartcard enablement with DirectControl
causes the Group Policy enforcement that DirectControl provides to
also import the trusted Root Certificate Authorities set up in Active
Directory to the local Keychain, enabling OS X to trust the same CAs
that the AD Domain Controllers and other Windows clients trust.
-David
--
David McNeely
Director of Product Management
Centrify Corporation
+1 (408) 542-7518 office
+1 (408) 910-4203 mobile
email@hidden
www.centrify.com
On Feb 12, 2009, at 2/12/09 1:15 PM, Timothy J. Miller wrote:
> Gillett, Thomas J. (CMS/CTR) wrote:
>> I have been following the “Smart card set up guide” from Apple in
>> an attempt to set up our Macs (10.5.6) for PIV-II access. In
>> order to enable the smart card login I have edited the
>> /etc/authorization file as directed. But when a card is inserted the
>> login window does not change to one requesting a PIN, all accounts
>> still ask for a user/password. The card reader appears to be
>> functioning; I can read the certs on the card and unlock it from
>> keychain but inserting the card does not affect login behavior.
>> Any ideas?
>
> Undo all that. That was for older versions. All you need to do is:
>
>   $ sc_auth hash
>
> This lists the certs on the card and their hashes.
>
>   $ sudo sc_auth accept -u username -h hashvalue
>
> And you're done.
>
> If anyone knows how to make FileVault play nice with a smartcard
> enabled account, I'd like to know.
>
> -- Tim
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden