Re: [Fed-Talk] Re: Require smart card login
- Subject: Re: [Fed-Talk] Re: Require smart card login
- From: Paul Nelson <email@hidden>
- Date: Wed, 13 Oct 2010 13:00:12 -0500
You probably are not configured to verify the user's smart card credentials with AD. The Mac only matches the user account, and checks the certs to see if they are trusted.
If you want true AD login with single sign-on, you could check out Thursby's ADmitMac PKI. This software obtains Kerberos credentials using a PIV card, and will configure itself using group policy so that you can enforce smart card logon that way. It also configures your system keychain with necessary certificates from Active Directory and group policy.
Paul Nelson
Thursby Software Systems, Inc.
On Oct 13, 2010, at 12:14 PM, Inati, Souheil (NIH/NIMH) [E] wrote:
> These machines are bound to the NIH active directory and I only care about domain users for now. I haven't had to use sc_auth; the AD lookup based on the card credentials has been working fine.
>
>
> On Oct 13, 2010, at 12:51 PM, Qureshi, Usman wrote:
>
>> Have you tried using the sc_auth command? Is the user a domain user or a
>> local user?
>>
>> -----Original Message-----
>> From: fed-talk-bounces+usman.qureshi=email@hidden
>> [mailto:fed-talk-bounces+usman.qureshi=email@hidden] On Behalf
>> Of Inati, Souheil (NIH/NIMH) [E]
>> Sent: Wednesday, October 13, 2010 12:15 PM
>> To: email@hidden
>> Subject: [Fed-Talk] Require smart card login
>>
>> Hi all,
>>
>> Does anyone know the right way to set up /etc/authorization so that users
>> are REQUIRED to use a smart card?
>> A Snow Leopard 10.6 only solution is sufficient.
>>
>> Thanks,
>> Souheil
>>
>> --
>> Souheil Inati, PhD
>> Staff Scientist
>> Functional MRI Facility
>> NIMH/NIH
>> email@hidden
>> 301-402-9409
>>
>>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden