I have not spent much time on this since Snow Leopard, when I got this working with PKINIT/Kerberos. So my first question is whether you merely want the card accepted, or if you want the whole package with single-sign-on to Windows services? In either case it's probably a matter of getting all the attributes and AD permissions set properly. I might be able to help if you capture/send me some network traffic and/or detailed log files, but that ought to be off-list. On Nov 14, 2013, at 12:57 PM, Yoann Gini <yoann.gini@gmail.com> wrote:
Hi folks,
I’m trying to make SmartCard authentication works against Windows AD without the need of a middleware.
In theory, it should be possible, we only need to configure /etc/cacloginconfig.plist to match the user from the SmartCard.
I’ve set this config file really simply:
<key>fields</key> <array> <string>NT Principal Name</string> </array> <key>formatString</key> <string>$1</string> <key>dsAttributeString</key> <string>dsAttrTypeNative:userPrincipalName</string>
And when I insert the card on the login window, I got the good user.
However, and I don’t know why, the authentication isn’t accepted. The PIN field shake just like if my PIN code was wrong (it’s not the case).
I’ve setup a TCP wiretap between the client and the Windows Server and when I hit enter, I see a network traffic asking LDAP and MS GC requests (with the good UPN inside).
My thought is the requirements to validate authentication aren’t here. But I don’t know the requirements.
Does someone know how /etc/cacloginconfig.plist based authentication is supposed to work? What’s are the authentication steps and what should be set on the AD to handle cert based authentication.
Best regards, Yoann._______________________________________________ SmartcardServices-Users mailing list SmartcardServices-Users@lists.macosforge.org https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
Personal email. hbhotz@oxy.edu