Re: [Fed-Talk] Filevault 2 and AdmitMAC/PKI
- Subject: Re: [Fed-Talk] Filevault 2 and AdmitMAC/PKI
- From: "Robinson, Paul, DVI/DMA-Fort Meade" <email@hidden>
- Date: Tue, 03 Dec 2013 21:42:25 +0000
- Thread-topic: [Fed-Talk] Filevault 2 and AdmitMAC/PKI
We authenticate to FV2 with username/password. Then AdmitMac PKI is invoked on boot up to enable CAC login. But neither CAC login nor U/P login to the network works as expected; we have to wait at least 6 minutes, sometimes ten minutes, to have the login attempt be successful.
Some research indicates that the KERBEROS ticket is expired as a result of FV2, I suspect some kind of bug. The Apple solution suggests using terminal to invoke kinit, which would generate a new KERBEROS ticket. But since we're not logged in that's not possible. :-)
Active Directory logs show the login attempts, but they are refused. I don't have additional data as to why they were refused (such as an expired KERBEROS ticket).
Strangely the workstation will come up if we take it off the network, attempt the login then click anywhere on the login screen (it's just sitting with a spinning pointer). But we're not logged into the network, so network access is limited to internet access.
Once we're logged in normally (after waiting for an extended period) we can log off and log on normally; the above only happens on a restart, or startup from shutdown. Domain administrators do NOT have these issues on this workstation.
Paul Robinson
DIMOC Systems Officer
From: Taylor Armstrong - NOAA Affiliate <email@hidden>
Date: Tuesday, December 3, 2013 1:59 PM
To: "Vargas, Juan DMA-Fort Meade" <email@hidden>
Cc: <email@hidden>
Subject: Re: [Fed-Talk] Filevault 2 and AdmitMAC/PKI
Can you expand on "issues"? I don't know how you would authenticate at all with FV2 and PKI/CAC, since the FV2 boot environment doesn't support USB for the card readers....
Taylor Armstrong
Macintosh Administrator
SID / NOS IMD
1305 East West Hwy Rm 9424
Silver Spring, MD 20910
email@hidden
On Tue, Dec 3, 2013 at 10:23 AM, Vargas, Juan DMA-Fort Meade <email@hidden> wrote:
New here and not sure if this topic has been presented before. Our organization has issues with logging in to OS X 10.8 when FileVault 2 is enabled in conjunction with AdmitMAC/PKI. Scouring the internet, it seems to be an inherent issue with FileVault 2, but just wondering if anybody has discovered any fixes.
-Juan
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden