I have not spent much time on this since Snow Leopard, when I got this working with PKINIT/Kerberos. So my first question is whether you merely want the card accepted, or if you want the whole package with single-sign-on to Windows services?

In either case it's probably a matter of getting all the attributes and AD permissions set properly. I might be able to help if you capture/send me some network traffic and/or detailed log files, but that ought to be off-list.

On Nov 14, 2013, at 12:57 PM, Yoann Gini <yoann.gini@gmail.com> wrote:

Hi folks,

I’m trying to make SmartCard authentication works against Windows AD without the need of a middleware.

In theory, it should be possible, we only need to configure /etc/cacloginconfig.plist to match the user from the SmartCard.

I’ve set this config file really simply:

<key>fields</key>
<array>
<string>NT Principal Name</string>
</array>
<key>formatString</key>
<string>$1</string>
<key>dsAttributeString</key>
<string>dsAttrTypeNative:userPrincipalName</string>

And when I insert the card on the login window, I got the good user.

However, and I don’t know why, the authentication isn’t accepted. The PIN field shake just like if my PIN code was wrong (it’s not the case).

I’ve setup a TCP wiretap between the client and the Windows Server and when I hit enter, I see a network traffic asking LDAP and MS GC requests (with the good UPN inside).

My thought is the requirements to validate authentication aren’t here. But I don’t know the requirements.

Does someone know how /etc/cacloginconfig.plist based authentication is supposed to work? What’s are the authentication steps and what should be set on the AD to handle cert based authentication.

Best regards,
Yoann._______________________________________________
SmartcardServices-Users mailing list
SmartcardServices-Users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/smartcardservices-users

Personal email.  hbhotz@oxy.edu