Re: [Fed-Talk] Filevault 2 and AdmitMAC/PKI
- Subject: Re: [Fed-Talk] Filevault 2 and AdmitMAC/PKI
- From: "Trouton, Rich R" <email@hidden>
- Date: Thu, 05 Dec 2013 14:22:01 +0000
- Thread-topic: [Fed-Talk] Filevault 2 and AdmitMAC/PKI
One thing that may help here is to disable automatic login for FileVault 2. Apple has a KBase article on how to do this on Mavericks:
http://support.apple.com/kb/HT5989
In this case, "automatic login" refers to logging in at the FileVault 2 login window and automatically being passed into the account. By disabling automatic login, you log in at the FileVault 2 pre-boot login and then stop at the OS login window to log in again. At that point, the Thursby software should be running so you can log in with your CAC card if that's desired.
If you need to do this on 10.8.x, you need to edit /etc/authorization:
To do this:
Find the "system.login.console" array.
Find the "mechanisms" array within this.
Remove the line "<string>builtin:forward-login,privileged</string>".
Save and reboot.
Link: https://groups.google.com/forum/?fromgroups=#!topic/munki-dev/Djf5PTQtsDQ (see the 10-14-2012 message in the thread.)
With regards to enterprise encryption management for Macs, what WinMagic is doing is part of a larger trend. Most vendors I know of in the Mac encryption space are dropping their own encryption product in favor of using Apple's fdesetup tool to manage FileVault 2.
Thanks,
Rich
On Dec 5, 2013, at 9:05 AM, "Robinson, Paul, DVI/DMA-Fort Meade" <email@hidden> wrote:
> I think there's confusion here. We do require CAC login. However, I am not aware of a requirement to use CAC for unlocking the hardware, which is the FV2 login. Since FV2 does not support CAC we opted to use U/P just for that step, but once past that we require CAC. But CAC login won't work; we are only able to get in using U/P, and even that is difficult.
>
> I'm told by the AD admin that they don't believe KERBEROS is the problem, they say that would come later in the login process. So we continue to troubleshoot, with the help of Thursby.
>
> And the staff is working on the purchase of WinMagic to replace FV2. That said we have to use the non-enterprise version of WinMagic. I spoke with a rep from that company and their plan is to only use FV in the future. Apple changes the OS too often for them to be able to keep up AND remain competitive, so they are giving up and just interfacing using FV2.
>
> If it wasn't worth it I'd pull the plug on the Apple systems, but it is definitely worth having, aside from my boss being unwilling to take no for an answer. :-)
>
> Paul
>
> From: Taylor Armstrong - NOAA Affiliate <email@hidden>
> Date: Tuesday, December 3, 2013 5:30 PM
> To: Paul Robinson <email@hidden>
> Cc: "Vargas, Juan DMA-Fort Meade" <email@hidden>, "email@hidden" <email@hidden>
> Subject: Re: [Fed-Talk] Filevault 2 and AdmitMAC/PKI
>
> Thanks Paul - we require CAC-enforced (no passwords) so haven't been able to go that route - that was my confusion.
>
> If you're not requiring CAC for AD login - could you try (just to identify the issue) either using the Apple AD plugin, or downloading Centrify's free plugin? Neither will let you use CAC, but that should pinpoint whether the issue is AdmitMac, and give you some leverage with Thursby's support team, or let them off the hook.
>
> Good luck!
>
>
> Taylor Armstrong
> Macintosh Administrator
> SID / NOS IMD
> 1305 East West Hwy Rm 9424
> Silver Spring, MD 20910
> email@hidden
>
>
> On Tue, Dec 3, 2013 at 4:42 PM, Robinson, Paul, DVI/DMA-Fort Meade <email@hidden> wrote:
> We authenticate to FV2 with username/password. Then AdmitMac PKI is invoked on boot up to enable CAC login. But neither CAC login nor U/P login to the network work as expected, we have to wait at least 6 minutes, sometimes ten minutes, to have the login attempt be successful.
>
> Some research indicates that the KERBEROS ticket is expired as a result of FV2, I suspect some kind of bug. The Apple solution suggests using terminal to invoke kinit, which would generate a new KERBEROS ticket. But since we're not logged in that's not possible. :-)
>
> Active Directory logs show the login attempts, but they are refused. I don't have additional data as to why they were refused (such as an expired KERBEROS ticket).
>
> Strangely, the workstation will come up if we take it off the network, attempt the login, then click anywhere on the login screen (it's just sitting with a spinning pointer). But we're not logged into the network, so network access is limited to internet access.
>
> Once we're logged in normally (after waiting for an extended period) we can log off and log on normally, the above only happens on a restart, or startup from shutdown. Domain administrators do NOT have these issues on this workstation.
>
> Paul Robinson
> DIMOC Systems Officer
>
> From: Taylor Armstrong - NOAA Affiliate <email@hidden>
> Date: Tuesday, December 3, 2013 1:59 PM
> To: "Vargas, Juan DMA-Fort Meade" <email@hidden>
> Cc: "email@hidden" <email@hidden>
> Subject: Re: [Fed-Talk] Filevault 2 and AdmitMAC/PKI
>
> Can you expand on "issues"? I don't know how you would authenticate at all with FV2 and PKI/CAC, since the FV2 boot environment doesn't support USB for the card readers....
>
>
>
> Taylor Armstrong
> Macintosh Administrator
> SID / NOS IMD
> 1305 East West Hwy Rm 9424
> Silver Spring, MD 20910
> email@hidden
>
>
> On Tue, Dec 3, 2013 at 10:23 AM, Vargas, Juan DMA-Fort Meade <email@hidden> wrote:
> New here and not sure if this topic has been presented before. Our organization has issues with logging in to OS X 10.8 when FileVault 2 is enabled in conjunction with AdmitMAC/PKI. Scouring the internet, it seems to be an inherent issue with FileVault 2, but just wondering if anybody has discovered any fixes.
>
> -Juan
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
---
Rich Trouton
email@hidden
JFRC Help Desk
phone: x4030
email: email@hidden
The best way to get in touch with me is through email.
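As an added example (not from Rich's message, Apple, or Thursby), the 10.8 /etc/authorization edit described above done with Python's plistlib: audit whether "builtin:forward-login,privileged" is still in the system.login.console mechanisms array, and produce the plist with it removed. The sample plist is a constructed, abridged stand-in for the real file; only the forward-login string comes from the thread, the other mechanism names are illustrative filler.

```python
"""Audit/remove the FileVault 2 pass-through login mechanism (added example)."""
import plistlib

RIGHT = "system.login.console"
# The exact mechanism string the thread says to remove from "mechanisms".
FORWARD_LOGIN = "builtin:forward-login,privileged"

# Constructed, abridged sample in the 10.8 /etc/authorization layout; the other
# mechanism names are illustrative filler, not a verbatim copy of Apple's file.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:login-begin</string>
        <string>builtin:forward-login,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:success</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""

def mechanisms(plist_bytes):
    """Return the mechanism list of the system.login.console right."""
    return plistlib.loads(plist_bytes)["rights"][RIGHT]["mechanisms"]

def forward_login_enabled(plist_bytes):
    """True if the FV2 unlock still forwards the user straight into the session."""
    return FORWARD_LOGIN in mechanisms(plist_bytes)

def disable_forward_login(plist_bytes):
    """Return the plist with forward-login removed so loginwindow prompts again."""
    data = plistlib.loads(plist_bytes)
    right = data["rights"][RIGHT]
    right["mechanisms"] = [m for m in right["mechanisms"] if m != FORWARD_LOGIN]
    return plistlib.dumps(data)
```

Against a real 10.8 machine, run this as root on a backup copy of /etc/authorization, write the result back, and reboot as the message says; the audit function doubles as a check that the setting has not been reverted.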