[SmartcardServices-Users] Process behind /etc/cacloginconfig.plist for Windows authentication ?

Yoann Gini yoann.gini at gmail.com
Thu Nov 14 12:57:59 PST 2013


Hi folks,

I’m trying to make SmartCard authentication work against Windows AD without the need of a middleware.

In theory, it should be possible, we only need to configure /etc/cacloginconfig.plist to match the user from the SmartCard.

I’ve set this config file really simply:

	<key>fields</key>
	<array>
		<string>NT Principal Name</string>
	</array>
	<key>formatString</key>
	<string>$1</string>
	<key>dsAttributeString</key>
	<string>dsAttrTypeNative:userPrincipalName</string>

And when I insert the card on the login window, I got the good user.

However, and I don’t know why, the authentication isn’t accepted. The PIN field shakes just like if my PIN code was wrong (it’s not the case).

I’ve set up a TCP wiretap between the client and the Windows Server and when I hit enter, I see network traffic asking LDAP and MS GC requests (with the good UPN inside).

My thought is the requirements to validate authentication aren’t here. But I don’t know the requirements.

Does someone know how /etc/cacloginconfig.plist based authentication is supposed to work? What are the authentication steps and what should be set on the AD to handle cert based authentication?

Best regards,
Yoann.
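
The record lookup that the configuration above describes, as an added example that is not part of the original post and is not Apple's code. It assumes that $n in formatString stands for the n-th entry of fields and that the dsAttrTypeNative: prefix names a native directory attribute; the function names and the sample UPN are constructed.

```python
import plistlib
import re

# Constructed sample: the fragment from the post wrapped in a complete plist.
CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>fields</key>
	<array>
		<string>NT Principal Name</string>
	</array>
	<key>formatString</key>
	<string>$1</string>
	<key>dsAttributeString</key>
	<string>dsAttrTypeNative:userPrincipalName</string>
</dict>
</plist>"""

def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_lookup(config_bytes, cert_fields):
    """Return (native attribute, value, LDAP filter) for one certificate.

    cert_fields is a dict of field name -> value read from the card's
    certificate (hypothetical input shape chosen for this example).
    """
    cfg = plistlib.loads(config_bytes)
    values = []
    for name in cfg["fields"]:
        if not cert_fields.get(name):
            raise ValueError("certificate has no %r field" % name)
        values.append(cert_fields[name])

    def substitute(match):
        index = int(match.group(1))
        if not 1 <= index <= len(values):
            raise ValueError("formatString references $%d" % index)
        return values[index - 1]

    # Assumption: $1, $2, ... are replaced by the listed fields, in order.
    value = re.sub(r"\$(\d+)", substitute, cfg["formatString"])
    attr = cfg["dsAttributeString"]
    if attr.startswith("dsAttrTypeNative:"):
        attr = attr[len("dsAttrTypeNative:"):]
    return attr, value, "(%s=%s)" % (attr, ldap_escape(value))
```

This models only the step that maps a certificate to a directory record; the filter it returns is the kind of UPN query that can be compared against the LDAP traffic seen on the wire.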