[SmartcardServices-Users] Question from a New Person Testing Smart Cards

Miller, Timothy J. tmiller at mitre.org
Wed Feb 23 18:32:36 PST 2011


On Feb 23, 2011, at 5:11 PM, Will Coleman wrote:

> However, when I moved over to Mac, it would not log me on with the longer
> string but the shorter string, or just the NT Principal name
> "2001361506 at mil" and not "2001361506170084 at mil".

See my previous; this is probably because OS X sees the card as a CAC & automatically selects the email signing cert which only has the shorter UPN.


> How does one map those two names together on one account if it's even
> possible?

The only way to do this is to set the DC to ignore the UPN entirely and use the altSecurityIdentities attribute to map the cert to an account:

http://technet.microsoft.com/en-us/library/ff520074(WS.10).aspx

You can map both certs to the same account, but you'll have to use altSecurityIdentities to do so.  See the Windows Vista Smart Card Infrastructure doc I linked to earlier for more, plus this blog post:

http://blogs.msdn.com/b/spatdsg/archive/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute.aspx

Bear in mind that this is *not* currently the standard configuration for DoD AD smartcard logon.  You can play with it, and it may someday be deployed in wide use, but for now it's not a supported configuration in any CC/S/A I'm aware of.

-- Tim
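An added example, not part of Tim's reply or the linked Microsoft articles, of what the two-certificates-to-one-account mapping looks like when scripted on a domain controller with the RSAT ActiveDirectory module. The account name, certificate file paths and the DN-reversal helper are assumptions made for the example; the Kdc\UseSubjectAltName registry value is Microsoft's documented switch for turning off implicit UPN mapping, which is the "ignore the UPN" half of the reply.

```powershell
# Added example: explicit certificate-to-account mapping via altSecurityIdentities.
Import-Module ActiveDirectory

function ConvertTo-KdcDn {
    # .NET renders a DN leaf-first (CN=...,OU=...,DC=...); the <I> and <S>
    # fields of altSecurityIdentities are root-first, so reverse the RDN order.
    # Simplification for the example: assumes no RDN contains an escaped comma.
    param([string]$Dn)
    $parts = $Dn -split ',\s*'
    [array]::Reverse($parts)
    return ($parts -join ',')
}

function Get-IssuerSubjectMapping {
    # Build the "X509:<I>issuer<S>subject" form from an exported .cer file.
    param([string]$CertPath)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    return 'X509:<I>{0}<S>{1}' -f (ConvertTo-KdcDn $cert.Issuer), (ConvertTo-KdcDn $cert.Subject)
}

$User = 'jdoe'   # placeholder sAMAccountName, not a real account

# Placeholder paths: the identity cert and the email-signing cert exported
# from the same card, each carrying a different UPN in its SAN.
$Mappings = @('C:\certs\id.cer', 'C:\certs\email.cer') |
    ForEach-Object { Get-IssuerSubjectMapping $_ }

# -Add appends both values; -Replace would discard any mappings already present.
Set-ADUser -Identity $User -Add @{ altSecurityIdentities = $Mappings }

# Verify the attribute now holds one X509:<I>...<S>... value per certificate.
Get-ADUser -Identity $User -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities

# On each DC, stop the KDC from mapping on the SAN UPN so that logon is
# resolved through the explicit mappings above instead (DWORD 0 = off).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' `
    -Name UseSubjectAltName -Value 0 -Type DWord
```

Because the KDC setting is domain-controller-wide, every account that logs on with a smart card needs an explicit mapping once it is set; test it on a lab DC first.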
