[SmartcardServices-Users] Question from a New Person Testing Smart Cards

Will Coleman will.coleman at centrify.com
Tue Feb 22 14:54:01 PST 2011


Hi All,

Thanks for putting this board together, it's extremely helpful.

I have a question with an implementation I'm struggling with.  I've set up a single server with both a CA / AD and DC configured.  I am testing smartcards from JITC (Government Issued SmartCards) for a company that provides software for corporations that would like to use Active Directory for identity management on Macintosh.  The crux of our solution allows users to be provisioned in Active Directory and then have the ability to log in using those credentials into their Macs.

My test environment is set up properly and I am able to successfully log in via a Windows machine using the Gov't issued smartcard into my local Active Directory instance (separately, I'm able to log in using my Mac with an Active Directory supplied username and password).  However, there is a small problem: the govt issued smartcards themselves seem to have "two identities", one is a "NT Principal Name ID" (I believe) and the other is a PIV credential (with several additional numbers following the NT Principal Name).

The default sign-on credential is the PIV, and in Windows you can switch to another identity and successfully log in to the Windows machine.  If you want to get an idea of what I'm talking about – take a look at this set of pictures I've posted on photobucket (I've scrubbed them of specific IDs).

Here is the album with the three photos that are annotated – I think this will make much more sense for everyone.  Hopefully everyone understands photobucket.

http://s1097.photobucket.com/albums/g355/wqcoleman/Smart%20Card%20Login%20Options%20and%20Problems/

Macintosh unfortunately picks the default credential, in this case PIV, which means I am unable to log in using the smartcard – since I can't provision the ID in AD to work – I get a "credentials cannot be verified" message when I try to log in using the PIN.  I have the advantage of selecting the proper credentials in Windows 7, but again, Mac does not allow this and I'm sure there is some configuration in either Mac, Active Directory or somewhere that will either 1) force the credentials that are working for login (see picture with the NT Principal Name) or 2) allow me to provision the PIV credential into AD and allow the user to log in?

Please accept my apologies for not using the proper nomenclature; I'm learning this as fast as I can and it's been a crash course in smartcards, certs, etc.

Thanks in advance for any help,
--
William Q. Coleman
Centrify Corporation
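The "two identities" described in the message above are two different certificates on the card, and what distinguishes them for logon purposes is the content of each certificate's subjectAltName. Windows smart-card logon maps the User Principal Name carried in an otherName entry (OID 1.3.6.1.4.1.311.20.2.3, a UTF8String) to the account's userPrincipalName in AD, and a PIV Authentication certificate additionally carries a FASC-N otherName (OID 2.16.840.1.101.3.6.6, an OCTET STRING). The following is an added example, not code from the original post or from Centrify, that decodes the DER SubjectAltName GeneralNames structure (RFC 5280) by hand and reports the UPN and FASC-N of each certificate, so an admin can see the exact string each certificate would present to AD. The two sample SAN values, the UPN strings, the e-mail address and the FASC-N bytes are all constructed for the demonstration; they are not from any real card.

```python
"""Report the logon-relevant identities (UPN, FASC-N) in a certificate's
SubjectAltName extension. Added example for this thread; all sample values
below are made up."""
from __future__ import annotations

UPN_OID = "1.3.6.1.4.1.311.20.2.3"     # Microsoft UPN otherName
FASCN_OID = "2.16.840.1.101.3.6.6"     # FIPS 201 FASC-N otherName


# --- minimal DER encoder, used only to build the constructed samples ---------
def _len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def other_name(oid: str, inner: bytes) -> bytes:
    # otherName ::= [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
    return _tlv(0xA0, _tlv(0x06, _oid(oid)) + _tlv(0xA0, inner))

def build_san(*names: bytes) -> bytes:
    return _tlv(0x30, b"".join(names))   # GeneralNames ::= SEQUENCE OF GeneralName


# --- DER decoder for the SubjectAltName extension value -----------------------
def _read(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, contents, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def _decode_oid(b: bytes) -> str:
    arcs = [2, b[0] - 80] if b[0] >= 80 else list(divmod(b[0], 40))
    val = 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_general_names(san_der: bytes) -> list[dict]:
    """Decode every GeneralName in a SubjectAltName extension value."""
    tag, body, end = _read(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("not a SubjectAltName SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        if tag == 0xA0:                                   # otherName
            _, oid_bytes, p = _read(val, 0)
            _, explicit, _ = _read(val, p)                # [0] EXPLICIT wrapper
            inner_tag, inner, _ = _read(explicit, 0)
            oid = _decode_oid(oid_bytes)
            if oid == UPN_OID and inner_tag == 0x0C:      # UTF8String
                names.append({"type": "upn", "value": inner.decode("utf-8")})
            elif oid == FASCN_OID and inner_tag == 0x04:  # OCTET STRING
                names.append({"type": "fasc-n", "value": inner.hex()})
            else:
                names.append({"type": "otherName", "oid": oid, "value": inner.hex()})
        elif tag in (0x81, 0x82, 0x86):                   # rfc822Name, dNSName, URI
            kind = {0x81: "rfc822Name", 0x82: "dNSName", 0x86: "uri"}[tag]
            names.append({"type": kind, "value": val.decode("ascii")})
        else:
            names.append({"type": f"[{tag & 0x1F}]", "value": val.hex()})
    return names

def summarize(san_der: bytes) -> dict:
    """Which UPN would this certificate present, and does it carry a FASC-N?"""
    names = parse_general_names(san_der)
    upns = [n["value"] for n in names if n["type"] == "upn"]
    fascn = [n["value"] for n in names if n["type"] == "fasc-n"]
    return {
        "upn": upns[0] if upns else None,
        "fasc_n": fascn[0] if fascn else None,
        "emails": [n["value"] for n in names if n["type"] == "rfc822Name"],
    }


# Constructed samples (hypothetical values, not from any real card).
SAMPLE_ID_CERT_SAN = build_san(
    other_name(UPN_OID, _tlv(0x0C, b"1234567890@mil")),
    _tlv(0x81, b"jane.doe@example.mil"),
)
SAMPLE_PIV_AUTH_SAN = build_san(
    other_name(FASCN_OID, _tlv(0x04, bytes(range(25)))),
    other_name(UPN_OID, _tlv(0x0C, b"1234567890123456@mil")),
)

if __name__ == "__main__":
    for label, der in (("identity cert", SAMPLE_ID_CERT_SAN),
                       ("PIV Authentication cert", SAMPLE_PIV_AUTH_SAN)):
        print(label, summarize(der))
```

To run this against a real card, export each certificate and extract the raw value of its subjectAltName extension (for instance with `openssl asn1parse` and its `-strparse` offset option), then pass those DER bytes to `summarize`. The UPN string it prints is the value that has to match the AD account's userPrincipalName for that certificate to log on; the script says nothing about which certificate a given client will pick, which is the part of the question that still has to be settled on the Mac side.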
