[SmartcardServices-Users] Question from a New Person Testing Smart Cards
Will Coleman
will.coleman at centrify.com
Thu Feb 24 13:47:56 PST 2011
Tim - see below:
--
>
>The only way to do this is to set the DC to ignore the UPN entirely and
>use the altSecurityIdentities attribute to map the cert to an account:
>
>http://technet.microsoft.com/en-us/library/ff520074(WS.10).aspx
>
>You can map both certs to the same account, but you'll have to use
>altSecurityIdentities to do so. See the Windows Vista Smart Card
>Infrastructure doc I linked to earlier for more, plus this blog post:
>
>http://blogs.msdn.com/b/spatdsg/archive/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute.aspx
>
>Bear in mind that this is *not* currently the standard configuration for
>DoD AD smartcard logon. You can play with it, and it may someday be
>deployed in wide use, but for now it's not a supported configuration in
>any CC/S/A I'm aware of.
>
>-- Tim
I took a look at this (interesting to be honest, but a hack
nonetheless), and in many respects we don't care if the user sets up their AD
this way, it's not up to us. Again, my goal here was to set up a
consistent architecture that would accept both CAC certs on both Mac and
Win7. If I can get a consistently running machine that I can baseline on
the Windows machine and then test eventually on my Mac, I'm all set.