Re: [Fed-Talk] Active Directory / PIV / HSPD-12
- Subject: Re: [Fed-Talk] Active Directory / PIV / HSPD-12
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 31 Mar 2011 07:52:36 -0400
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Active Directory / PIV / HSPD-12
A non-forwardable TGT isn't necessarily a big deal, provided you have no deployed systems or applications that rely on delegation.
-- T
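Both checks this thread turns on, whether the session actually holds a Kerberos TGT for the AD realm (the "do you have your Kerberos tickets?" question quoted below) and whether that TGT is forwardable (the delegation point above), can be read straight off the ticket cache. The following is an added example, not code from anyone on the list: it parses `klist` output offline, assuming the MIT `klist -f` flag-letter style ("Flags: FRIA", where F means forwardable) and the Heimdal `klist -v` style ("Ticket flags: ..., forwardable") that OS X ships. The listings embedded in it are constructed samples and the realm EXAMPLE.COM is a placeholder.

```python
"""Read an AD TGT and its forwardable flag out of klist output (added example).

Handles two klist output styles:
  * MIT Kerberos `klist -f`  -> a "Flags: FRIA" fragment on the line after the principal
  * Heimdal `klist -v`       -> a "Ticket flags: ..." line inside the ticket block
The sample listings at the bottom are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# Any krbtgt/<realm>@<realm> service principal marks a TGT entry.
TGT_RE = re.compile(r"krbtgt/([^@\s]+)@(\S+)")
# MIT prints single-letter flags; capital F = Forwardable, R = Renewable, I = Initial, A = preAuth.
MIT_FLAGS_RE = re.compile(r"\bFlags:\s*([A-Za-z]+)")
# Heimdal prints comma-separated flag names.
HEIMDAL_FLAGS_RE = re.compile(r"^Ticket flags:\s*(.+)$")


@dataclass
class TgtInfo:
    realm: str
    forwardable: bool
    flags: str  # raw flag text exactly as klist printed it


def parse_tgts(klist_output: str) -> List[TgtInfo]:
    """Return one TgtInfo per krbtgt entry found in the klist text."""
    lines = klist_output.splitlines()
    found: List[TgtInfo] = []
    for i, line in enumerate(lines):
        m = TGT_RE.search(line)
        if not m:
            continue
        realm = m.group(2)
        flags_text, forwardable = "", False
        # Flags follow the principal: next line (MIT) or a few lines into the
        # same block (Heimdal). Stop at a blank line or the next ticket entry.
        for nxt in lines[i + 1:]:
            if not nxt.strip() or TGT_RE.search(nxt):
                break
            hm = HEIMDAL_FLAGS_RE.match(nxt.strip())
            if hm:
                flags_text = hm.group(1)
                forwardable = "forwardable" in [f.strip() for f in flags_text.split(",")]
                break
            mm = MIT_FLAGS_RE.search(nxt)
            if mm:
                flags_text = mm.group(1)
                forwardable = "F" in flags_text
                break
        found.append(TgtInfo(realm=realm, forwardable=forwardable, flags=flags_text))
    return found


def check_ad_logon(klist_output: str, ad_realm: str) -> dict:
    """Summarise what the cache says: is there a TGT for the AD realm, and is it forwardable?"""
    tgts = [t for t in parse_tgts(klist_output) if t.realm.upper() == ad_realm.upper()]
    return {"has_ad_tgt": bool(tgts), "forwardable": any(t.forwardable for t in tgts)}


# --- constructed sample output (not captured from a real system) ---
MIT_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
03/31/2011 07:52:36  03/31/2011 17:52:36  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/07/2011 07:52:36, Flags: FRIA
03/31/2011 07:52:40  03/31/2011 17:52:36  host/fileserver.example.com@EXAMPLE.COM
\tFlags: FRAT
"""

HEIMDAL_SAMPLE = """\
Credentials cache: API:501:1
        Principal: jdoe@EXAMPLE.COM
    Cache version: 0

Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Client: jdoe@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Ticket length: 1182
Auth time:  Mar 31 07:52:36 2011
End time:   Mar 31 17:52:36 2011
Renew till: Apr  7 07:52:36 2011
Ticket flags: enc-pa-rep, pre-authent, initial, renewable
Addresses: addressless
"""

# What a local logon to a cached mobile account typically leaves behind: no AD cache at all.
NO_CACHE_SAMPLE = "klist: No credentials cache found (filename: /tmp/krb5cc_501)\n"

if __name__ == "__main__":
    for name, sample in (("MIT", MIT_SAMPLE), ("Heimdal", HEIMDAL_SAMPLE), ("none", NO_CACHE_SAMPLE)):
        print(name, check_ad_logon(sample, "EXAMPLE.COM"))
```

Run it against the real `klist -f` or `klist -v` output from a freshly logged-in session. A PKINIT logon against the domain leaves a `krbtgt/<REALM>@<REALM>` entry for the AD realm; a local logon to a cached account leaves none, which is the distinction drawn in the quoted reply. If the entry is present but the F flag (or the `forwardable` name) is missing, only services that depend on forwarded credentials are affected, exactly the delegation caveat stated above.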
On Mar 30, 2011, at 11:23 AM, Ruben Brochner wrote:
> I have seen products from Centrify and Thursby deployed within the Federal government to supply smart card single sign-on to Active Directory:
>
> http://www.centrify.com/directcontrol/mac_os_x.asp
> http://www.Thursby.com/
>
> I have been told (but I have not actually seen) that Likewise and Quest have or will have smart card support for Active Directory integration with Mac OS X:
>
> http://www.likewise.com/
> http://www.quest.com/authentication-services/
>
> With regard to the document linked by Tim, please see this post:
>
> http://lists.apple.com/archives/fed-talk/2011/Jan/msg00012.html
>
> - Ruben
>
>
>
> On Mar 30, 2011, at 9:09 AM, Miller, Timothy J. wrote:
>
>> On Mar 30, 2011, at 7:38 AM, Rowe, Walter wrote:
>>
>>> Does anyone have OS X working with USAccess (PIV) cards against an Active Directory domain? I can bind an individual PIV card to an individual user on an individual OS X system using directory service commands. For an AD user logging into OS X, the mobile account has to be created on the OS X client before binding the PIV certificate to the user.
>>
>> That doesn't sound like PKINIT at all. That sounds like using the smartcard binding for local logon (via sc_auth). Once the local session is up, do you have your Kerberos tickets? If not, you really didn't do an AD logon; you did a local logon to a cached account.
>>
>>> Can OS X query AD directly for the PIV certs and creds? Will OS X honor CRLs? What are others doing on OS X clients to meet HSPD-12?
>>
>> See here:
>>
>> http://lists.apple.com/attachments/pdfALciALxPDv.pdf
>>
>> I haven't actually done this (yet).
>>
>> -- T
>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden