Allan,
PKINIT in OS X is mostly broken using the kinit tool. I’ve been able to get it working in 10.11, but it requires unlocking the smart card keychain manually, and then passing some long argument strings. Not the kind of thing I’d like to push onto a user.
So for our site, I wrote a tool to talk to GSSAPI and keychain and handle all the hard parts, and it works back to 10.9 IIRC, though we are only supporting 10.10+ for smart cards on site.
AFAIK, PKINIT at the login window (and screen saver) has the same issues as using kinit, and it doesn’t work in our environment. Are you using an authorization plugin at the login window for smart card enforcement? (NIHPlugin or SmartCardVerify?)
If so, it’s pretty likely that is what is doing the PKINIT for you, and that code is pretty close to what I’m using in my stand-alone tool.
—DH
On Aug 22, 2016, at 10:16 AM, Marcus, Allan B <email@hidden> wrote:
Hello,
We are experimenting with PIV authentication for Macs. I can authenticate with my PIV card, and can break the screen saver. We are binding the Macs to our Active Directory domain. When I log in, I get an Active Directory issued krb ticket, and I can use that ticket to access Exchange (via Outlook) or SharePoint via a browser. Unfortunately, I’ve noticed that if that ticket expires and I then break the screen saver, the ticket cannot be renewed and a new ticket is not issued.
I can use kinit on the CLI to get a new Windows domain ticket, but I have to use my hard password.
Is there a way to get a new ticket from the Active Directory using the PIV card, but not having to log out and log in again?
--
Thanks,
Allan Marcus
Los Alamos National Laboratory
505-667-5666
“The good thing about science is that it's true whether or not you believe in it.” ― Neil deGrasse Tyson