Re: [Fed-Talk] Active Directory / PIV / HSPD-12
- Subject: Re: [Fed-Talk] Active Directory / PIV / HSPD-12
- From: Ruben Brochner <email@hidden>
- Date: Wed, 30 Mar 2011 12:23:52 -0400
I have seen products from Centrify and Thursby deployed within the Federal government to supply smart card single sign-on to Active Directory:
http://www.centrify.com/directcontrol/mac_os_x.asp
http://www.Thursby.com/
I have been told (but I have not actually seen) that Likewise and Quest have or will have smart card support for Active Directory integration with Mac OS X:
http://www.likewise.com/
http://www.quest.com/authentication-services/
With regard to the document linked by Tim, please see this post:
http://lists.apple.com/archives/fed-talk/2011/Jan/msg00012.html
- Ruben
On Mar 30, 2011, at 9:09 AM, Miller, Timothy J. wrote:
> On Mar 30, 2011, at 7:38 AM, Rowe, Walter wrote:
>
>> Does anyone have OS X working with USAccess (PIV) cards against an Active Directory domain? I can bind an individual PIV card to an individual user on an individual OS X system using directory service commands. For an AD user logging into OS X, the mobile account has to be created on the OS X client before binding the PIV certificate to the user.
>
> That doesn't sound like PKINIT at all. That sounds like using the smartcard binding for local logon (via sc_auth). Once the local session is up, do you have your Kerberos tickets? If not, you really didn't do an AD logon; you did a local logon to a cached account.
>
>> Can OS X query AD directly for the PIV certs and creds? Will OS X honor CRLs? What are others doing on OS X clients to meet HSPD-12?
>
> See here:
>
> http://lists.apple.com/attachments/pdfALciALxPDv.pdf
>
> I haven't actually done this (yet).
>
> -- T
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
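Tim's check above (after the smart card logon, do you actually hold Kerberos tickets, or did you only log on locally to a cached account?) as an added example, not code from the thread: given `klist` output, the function decides whether an unexpired ticket-granting ticket for the AD realm is present. The realm, principal names and sample outputs are constructed, and the `>>>Expired<<<` marker is assumed to be how Heimdal's klist (the one shipped with OS X) flags a lapsed ticket.

```shell
#!/bin/sh
# Added example, not code from the thread. Decides from `klist` output whether the
# session holds a ticket-granting ticket for the AD realm. Realm, principal names and
# the sample outputs below are constructed; the ">>>Expired<<<" marker is how Heimdal's
# klist (the one shipped with OS X) flags a past ticket (assumption about its format).

# has_ad_tgt REALM   (reads klist output on stdin)
# exit 0: an unexpired krbtgt/REALM@REALM is present, i.e. a real AD (PKINIT) logon
# exit 1: no usable TGT for that realm, i.e. only a local logon to a cached mobile account
has_ad_tgt() {
    realm="$1"
    # One line per ticket; the TGT principal is krbtgt/REALM@REALM. Fixed-string match
    # so the dots in the realm are not treated as regex wildcards.
    grep -F "krbtgt/${realm}@${realm}" | grep -qv 'Expired'
}

# Constructed sample: what klist shows after an AD logon that obtained a TGT.
KLIST_AD_LOGON='Credentials cache: API:501:1
        Principal: jdoe@AD.EXAMPLE.GOV

  Issued                Expires               Principal
Mar 30 09:05:12 2011  Mar 30 19:05:12 2011  krbtgt/AD.EXAMPLE.GOV@AD.EXAMPLE.GOV
Mar 30 09:05:13 2011  Mar 30 19:05:12 2011  host/mac01.ad.example.gov@AD.EXAMPLE.GOV'

# Constructed sample: a TGT was obtained earlier but has lapsed.
KLIST_EXPIRED='Credentials cache: API:501:1
        Principal: jdoe@AD.EXAMPLE.GOV

  Issued                Expires               Principal
Mar 29 09:05:12 2011  >>>Expired<<<         krbtgt/AD.EXAMPLE.GOV@AD.EXAMPLE.GOV'

# Constructed sample: local logon to a cached account; no credentials cache at all.
KLIST_LOCAL_LOGON='klist: No credentials cache found'

# Live use on a client (not run here):
#   klist 2>&1 | has_ad_tgt AD.EXAMPLE.GOV && echo "AD logon" || echo "local logon only"
```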