Re: [Fed-Talk] Fed-talk Digest, Vol 13, Issue 33
- Subject: Re: [Fed-Talk] Fed-talk Digest, Vol 13, Issue 33
- From: John Daly <email@hidden>
- Date: Fri, 01 Jul 2016 13:19:19 -0700
I'm not at all sure how to make it work with AD. I only have Open Directory.
For standalone and Open Directory, it sounds like you've done the right stuff.
At that stage, what I usually check is to verify that the Smart card certificates show up in the system keychain, and that they are valid. If not valid, they will not work.
For the screensaver stuff,
defaults write com.apple.screensaver tokenRemovalAction 1
For each user on the system.
From the mind of me
> On Jul 1, 2016, at 12:00 PM, email@hidden wrote:
> Message: 1
> Date: Fri, 01 Jul 2016 01:47:59 +0000
> From: "Blumenthal, Uri - 0553 - MITLL" <email@hidden>
> To: Fed Talk <email@hidden>
> Subject: [Fed-Talk] How to enable smartcard logon & screensaver
> unlock?
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset="utf-8"
>
> This problem is two-fold.
>
> 1. How to enable smartcard logon (and screensaver unlock) on a standalone (aka not a member of an Active Directory domain) Mac running the latest El Capitan?
>
> 2. Same as above, but the Mac is a member of an AD domain, and its current password-based logon is authenticated against AD.
>
> I prefer to resolve (1) first. This Mac has a PKCS#11 library and working tokend installed, as indicated by Apple Mail, MS Outlook, Safari, and Keychain Access. They all work with the smartcard OK (tested and verified S/MIME and Web authentication).
>
> I did "sudo security authorizationdb smartcard enable" and "sudo sc-auth accept -u <user> -h <pubkeyhash>". <pubkeyhash> was of the key in the slot 9A (PIV Authentication). "sc-auth list -u <user>" showed that hash.
>
> So far everything looks fine, but login prompt doesn't change to PIN entry when the card is inserted, and neither does the screensaver unlock prompt.
>
> Would appreciate any guidance. Also, would like to learn if any additional steps are needed to enable logon, and what extra stuff should be done for the AD case (there I want to use UPN for the directory mapping).
>
> Thanks!
>
> Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
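The thread above names three things to check on a standalone El Capitan Mac: the system-wide switch that `security authorizationdb smartcard enable` flips, the per-user public-key hash paired with `sc-auth accept`, and the per-user `tokenRemovalAction` screensaver setting. The script below is an added example, not code from either poster, that audits those three for every local account and can apply the screensaver setting John Daly recommends. It assumes it is run with `sudo` on macOS 10.11 with a tokend-backed card, that `security authorizationdb smartcard status` reports the current policy, that `sc-auth list -u` prints one 40-hex-digit hash per paired key, and that `dscl . -list /Users UniqueID` enumerates local accounts; the function names and report wording are this example's own.

```shell
#!/bin/sh
# Added example (not from the list thread): audit the standalone smart card
# login pieces discussed above on macOS 10.11 with a tokend-backed card.
# Assumes it runs via sudo as an admin; helper names are this example's own.

# Interpret one user's com.apple.screensaver tokenRemovalAction value.
# 1 locks the screen when the card is pulled; unset or 0 means no action.
describe_token_removal() {
  case "$1" in
    1) echo "locks screen on card removal" ;;
    ""|0) echo "no action on card removal (key unset or 0)" ;;
    *) echo "unexpected value: $1" ;;
  esac
}

# Count paired public-key hashes in the output of `sc-auth list -u <user>`.
# Assumption: sc-auth prints one 40-hex-digit (SHA-1) hash per paired key.
count_paired_hashes() {
  printf '%s\n' "$1" | grep -Eic '[0-9a-f]{40}' || true
}

# Report one user's state: paired card hashes and screensaver behaviour.
audit_user() {
  user="$1"
  hashes=$(sc-auth list -u "$user" 2>/dev/null)
  n=$(count_paired_hashes "$hashes")
  # Per-user preference, so read it as that user rather than as root.
  action=$(sudo -u "$user" defaults read com.apple.screensaver tokenRemovalAction 2>/dev/null)
  printf '%-16s paired hashes: %s  screensaver: %s\n' \
    "$user" "$n" "$(describe_token_removal "$action")"
}

# Apply the screensaver setting from the thread for one user. -int is used
# so the value is stored as an integer; the list post wrote it without a type.
enable_lock_on_removal() {
  sudo -u "$1" defaults write com.apple.screensaver tokenRemovalAction -int 1
}

main() {
  # System-wide switch that `security authorizationdb smartcard enable` flips.
  printf 'authorizationdb smartcard: '
  security authorizationdb smartcard status

  # Local accounts with UID >= 500 (dscl prints "name uid" on each line).
  for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'); do
    [ "${1:-}" = "--enable-lock" ] && enable_lock_on_removal "$u"
    audit_user "$u"
  done
}

# Only run the macOS-specific part where the tools exist, so the pure helpers
# above can be sourced and exercised on any POSIX shell.
if command -v sc-auth >/dev/null 2>&1; then
  main "$@"
fi
```

Run it as `sudo sh sc-audit.sh` to report, or `sudo sh sc-audit.sh --enable-lock` to also set `tokenRemovalAction` for each account first. A user whose report shows `paired hashes: 0` has no `sc-auth accept` pairing, which matches the symptom in the original post where the login prompt never switches to PIN entry; the certificate-validity check John Daly mentions is still done by hand in Keychain Access, since a card whose certificates do not validate will not log in regardless of these settings. The AD-joined case from question (2) is not covered here, as the thread itself leaves it open.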