[SmartcardServices-Users] [Fed-Talk] Re: Require smart card login

Miller, Timothy J. tmiller at mitre.org
Thu Oct 14 06:53:22 PDT 2010


AD's 'Require smartcard for interactive logon' applies only to Kerberos authentications.  Systems and services that accept NTLM authentication will still happily accept a password from a client even when this option is set.

-- Tim
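A detection check for the gap Tim describes, added here as an example and not part of the thread: it reads constructed, simplified 4624/4625-style logon lines and flags successful logons that did not go through Kerberos by accounts whose userAccountControl carries the SMARTCARD_REQUIRED bit (0x40000, the attribute the AD option sets). The account data and event format are constructed and the field layout is reduced to what the check reads; standard-library Python only.

```python
import re

SMARTCARD_REQUIRED = 0x40000  # userAccountControl bit set by "Smart card is required for interactive logon"

# Constructed directory snapshot (not real accounts): sAMAccountName -> userAccountControl.
UAC = {"alice": 0x200 | SMARTCARD_REQUIRED, "bob": 0x200, "svc-backup": 0x200 | SMARTCARD_REQUIRED}

# Constructed, simplified 4624/4625-style lines carrying only the fields this check reads.
EVENTS = """\
EventID=4624 Account Name=alice Authentication Package=Kerberos Logon Type=2 Workstation Name=WS01
EventID=4624 Account Name=alice Authentication Package=NTLM Logon Type=3 Workstation Name=FS01
EventID=4624 Account Name=bob Authentication Package=NTLM Logon Type=3 Workstation Name=FS01
EventID=4624 Account Name=svc-backup Authentication Package=NTLM Logon Type=3 Workstation Name=SQL01
EventID=4625 Account Name=alice Authentication Package=NTLM Logon Type=3 Workstation Name=FS01
"""

FIELD = re.compile(r"([A-Za-z ]+?)=(\S+)")

def parse_event(line):
    """Split 'Key Name=value' pairs into a dict; keys may contain spaces."""
    return {k.strip(): v for k, v in FIELD.findall(line)}

def password_logons_despite_flag(events, uac):
    """Successful logons that did not go through Kerberos by accounts whose
    userAccountControl has SMARTCARD_REQUIRED set. The flag is enforced only
    on the Kerberos path, so these are the password (NTLM) authentications
    it does not block; each hit is (user, package, workstation)."""
    hits = []
    for line in events.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":  # 4625 is a failed logon, not an accepted password
            continue
        user = ev["Account Name"]
        if uac.get(user, 0) & SMARTCARD_REQUIRED and ev["Authentication Package"] != "Kerberos":
            hits.append((user, ev["Authentication Package"], ev["Workstation Name"]))
    return hits

if __name__ == "__main__":
    for user, package, host in password_logons_despite_flag(EVENTS, UAC):
        print(f"{user}: {package} logon accepted on {host} despite the smart-card-required flag")
```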

________________________________
From: fed-talk-bounces+tmiller=mitre.org at lists.apple.com [fed-talk-bounces+tmiller=mitre.org at lists.apple.com] On Behalf Of Paul Nelson [nelson at thursby.com]
Sent: Wednesday, October 13, 2010 3:17 PM
To: Shawn A.Geddis
Cc: Qureshi, Usman; Fed Talk; Smart Card Services-Users
Subject: Re: [Fed-Talk] Re: Require smart card login

If the original poster wanted to prevent users from logging into the Mac unless they had a smart card, they could do this the way you suggest below.
However, that may prevent them from using a password with their account for other reasons (run as for example).

While you can set an AD account to "require smartcard login", that prevents a password from being used for ANY purpose.  Microsoft clients also look for a group policy item "ScForceOption" that means a user must use a smartcard for interactive logon.

Paul

On Oct 13, 2010, at 2:59 PM, Shawn A. Geddis wrote:

Paul,

Organizations apply policy such as requiring smart cards by managing their AD.  This is not something that they would do at the client side.  What is managed on the client side would be any necessary mods to support the required authentication methods (i.e. manage or install client side middleware such as your ADmitMac for CAC).

The Mac would be bound to AD (for Authentication and Authorization) hence if AD requires ONLY Smart Cards then the Mac User would only be able to authenticate via smart cards.  Whether the client system is OS X or Windows the end result is the same --- management of forced authentication methods is at the Directory Service.

- Shawn
_____________________________________________________
Shawn Geddis  -  Security Consulting Engineer  -  Apple Enterprise



On Oct 13, 2010, at 3:24 PM, Paul Nelson wrote:

Shawn,

How does one apply organizational policies such as "smart card required" to the Apple 10.6.3+ PKINIT solution?

Paul

On Oct 13, 2010, at 2:01 PM, Shawn A. Geddis wrote:

Before everyone claims what is and isn't the issue, we need to understand the actual setup that Souheil is using.

Souheil,

There are multiple methods supported for using Smart Cards for Authentication & SSO on Mac OS X 10.6.

What method are you using today ?

Old methods still supported:
- PubKeyHash
    - This is a simple hash matching between card and account
    - The user is then presented with a PIN challenge which wraps/unwraps/verifies the challenge - uses the private key on the card to prove ownership of the card
    - uses sc_auth to update the DS with appropriate ";pubkeyhash;" and <hash> entries
- Attribute Matching
    - This allows for selective attributes from the Smart Card Login certificate (i.e. NT Principal Name) to be used for mapping to a single DS attribute (i.e. UserPrincipalName)
    - uses /etc/cacloginconfig.plist mapping to define the lookup in DS


Mac OS X 10.6.3+
- PKINIT (initialization of Kerberos session [TGT] with auth from X.509 cert)
    - SSO to Directory Service of choice (i.e. AD)
- Simplified explanation of the process:
    - System bound to DS (i.e. AD)
    - Utilizes NT Principal Name along with the cert with EKU of Smart Card Login (1.3.6.1.4.1.311.20.2.2)
        - relies on /etc/cacloginconfig.plist to reference the NTPrincipalName
    - Request for auth to KDC - acquires a TGT
        - uses PKINITMechanism configured in /etc/authorization/ for Login and ScreenSaver
    - Success: access to HomeDir and subsequent service tickets
    - ... life continues ...

Also, copying SmartCardServices-Users Mailing List where this discussion should be taking place

- Shawn
_____________________________________________________
Shawn Geddis  -  Security Consulting Engineer  -  Apple Enterprise
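As an added example (not from the thread, and not Apple or Thursby code), the two certificate fields Shawn's PKINIT outline depends on, the Smart Card Logon EKU and the NT Principal Name in the Subject Alternative Name, decoded from DER with only the Python standard library. The UPN otherName type OID 1.3.6.1.4.1.311.20.2.3 is Microsoft's and is not quoted in the thread; the sample extensions are constructed in the block rather than taken from a real card.

```python
SMARTCARD_LOGON_EKU = "1.3.6.1.4.1.311.20.2.2"  # EKU OID quoted in the thread
NT_PRINCIPAL_NAME = "1.3.6.1.4.1.311.20.2.3"    # Microsoft UPN otherName type (not in the thread)

def read_tlv(buf, pos=0):  # one DER element -> (tag, content, next_pos); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OID content octets -> dotted string (first octet packs arcs 1 and 2)
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the base-128 arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def eku_oids(eku_der):  # ExtendedKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER
    seq, oids, pos = read_tlv(eku_der)[1], [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag == 0x06:
            oids.append(decode_oid(body))
    return oids

def san_upn(san_der):  # UPN from otherName {type-id, [0] EXPLICIT UTF8String}, else None
    seq, pos = read_tlv(san_der)[1], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0xA0:  # GeneralName otherName is context tag [0], constructed
            continue
        _, oid_body, p = read_tlv(body)
        if decode_oid(oid_body) == NT_PRINCIPAL_NAME:
            _, wrapper, _ = read_tlv(body, p)  # the [0] EXPLICIT wrapper
            _, utf8, _ = read_tlv(wrapper)     # UTF8String (tag 0x0C)
            return utf8.decode("utf-8")
    return None

def pkinit_cert_fields_ok(eku_der, san_der):  # both fields the PKINIT mapping relies on present?
    return SMARTCARD_LOGON_EKU in eku_oids(eku_der) and san_upn(san_der) is not None

def tlv(tag, body):  # tiny short-form DER encoder, used only to build the constructed sample
    return bytes([tag, len(body)]) + body

# Constructed sample extensions (not from any real certificate).
SAMPLE_EKU = tlv(0x30, tlv(0x06, bytes.fromhex("2B06010505070302"))      # id-kp-clientAuth
                     + tlv(0x06, bytes.fromhex("2B060104018237140202")))  # Smart Card Logon
SAMPLE_SAN = tlv(0x30, tlv(0xA0, tlv(0x06, bytes.fromhex("2B060104018237140203"))  # UPN type-id
                              + tlv(0xA0, tlv(0x0C, b"jdoe@example.com"))))
```

The UPN returned by san_upn is the value /etc/cacloginconfig.plist maps against the directory; a cert lacking either field fails pkinit_cert_fields_ok.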


On Oct 13, 2010, at 2:00 PM, Paul Nelson wrote:
You probably are not configured to verify the user's smart card credentials with AD.  The Mac only matches the user account, and checks the certs to see if they are trusted.

If you want true AD login with single sign-on, you could check out Thursby's ADmitMac PKI.  This software obtains Kerberos credentials using a PIV card, and will configure itself using group policy so that you can enforce smart card logon that way.  It also configures your system keychain with necessary certificates from Active Directory and group policy.

Paul Nelson
Thursby Software Systems, Inc.

On Oct 13, 2010, at 12:14 PM, Inati, Souheil (NIH/NIMH) [E] wrote:

These machines are bound to the NIH active directory and I only care about domain users for now.  I haven't had to use sc_auth, the AD lookup based on the card credentials has been working fine.


On Oct 13, 2010, at 12:51 PM, Qureshi, Usman wrote:

Have you tried using the sc_auth command? Is the user a domain user or a local user?

-----Original Message-----
From: fed-talk-bounces+usman.qureshi=unisys.com at lists.apple.com<mailto:fed-talk-bounces+usman.qureshi=unisys.com at lists.apple.com>
[mailto:fed-talk-bounces+usman.qureshi=unisys.com at lists.apple.com] On Behalf
Of Inati, Souheil (NIH/NIMH) [E]
Sent: Wednesday, October 13, 2010 12:15 PM
To: fed-talk at lists.apple.com<mailto:fed-talk at lists.apple.com>
Subject: [Fed-Talk] Require smart card login

Hi all,

Does anyone know the right way to set up /etc/authorization so that users are REQUIRED to use a smart card?
A Snow Leopard 10.6 only solution is sufficient.

Thanks,
Souheil
