RE: [Fed-Talk] PIV-II usage on Macs
- Subject: RE: [Fed-Talk] PIV-II usage on Macs
- From: "Gillett, Thomas J. (CMS/CTR)" <email@hidden>
- Date: Thu, 12 Feb 2009 18:01:26 -0500
- Thread-topic: [Fed-Talk] PIV-II usage on Macs
"Undo all that. That was for older versions. All you need to do is:"

Yes, I figured those were old instructions :)

We are trying to do this with an Active Directory back end (the Mac is a
member of the domain and is authenticating to AD). I believe this method
would use the "attribute lookup method", not public key hash, since this
is for US Federal PIV cards, and this method also seems closer to what we
have already implemented for our Windows PCs on the same network.

- It seems that there are two third-party options, Thursby/Centrify, but
we are first trying to do this without third-party software if possible.

Is it possible for the Macs to use PIV-II cards for authentication
without a third-party solution (i.e., like in Windows)?

-----Original Message-----
From: fed-talk-bounces+thomas.gillett=email@hidden
[mailto:fed-talk-bounces+thomas.gillett=email@hidden] On
Behalf Of David McNeely
Sent: Thursday, February 12, 2009 4:30 PM
To: email@hidden
Subject: Re: [Fed-Talk] PIV-II usage on Macs
Alternatively, you could install DirectControl for Mac along with
ActivIdentity's robust PIV middleware, join Active Directory, and then
you have PIV login to AD providing both PKI certs and Kerberos tickets
for SSO to most services.

Part of the join process and smartcard enablement with DirectControl
causes the Group Policy enforcement that DirectControl provides to
also import the trusted Root Certificate Authorities set up in Active
Directory to the local Keychain, enabling OS X to trust the same CAs
that the AD Domain Controllers and other Windows clients trust.

-David
--
David McNeely
Director of Product Management
Centrify Corporation
+1 (408) 542-7518 office
+1 (408) 910-4203 mobile
email@hidden
www.centrify.com
On Feb 12, 2009, at 2/12/09 1:15 PM, Timothy J. Miller wrote:
> Gillett, Thomas J. (CMS/CTR) wrote:
>> I have been following the "Smart card set up guide" from Apple in
>> an attempt to set up our Macs (10.5.6) for PIV-II access. In
>> order to enable the smart card login I have edited the
>> /etc/authorization file as directed. But when a card is inserted the
>> login window does not change to one requesting a PIN; all accounts
>> still ask for a user/password. The card reader appears to be
>> functioning: I can read the certs on the card and unlock it from
>> Keychain, but inserting the card does not affect login behavior.
>> Any ideas?
>
> Undo all that. That was for older versions. All you need to do is:
>
> $ sc_auth hash
>
> This lists the certs on the card and their hashes.
>
> $ sudo sc_auth accept -u username -h hashvalue
>
> And you're done.
>
> If anyone knows how to make FileVault play nice with a smartcard
> enabled account, I'd like to know.
>
> -- Tim
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden