[SmartcardServices-Users] Process behind /etc/cacloginconfig.plist for Windows authentication ?

Henry B Hotz hbhotz at oxy.edu
Thu Nov 14 13:14:42 PST 2013


I have not spent much time on this since Snow Leopard, when I got this working with PKINIT/Kerberos. So my first question is whether you merely want the card accepted, or if you want the whole package with single-sign-on to Windows services?

In either case it's probably a matter of getting all the attributes and AD permissions set properly. I might be able to help if you capture/send me some network traffic and/or detailed log files, but that ought to be off-list.

On Nov 14, 2013, at 12:57 PM, Yoann Gini <yoann.gini at gmail.com> wrote:

> Hi folks,
> 
> I’m trying to make SmartCard authentication work against Windows AD without the need of a middleware.
> 
> In theory, it should be possible, we only need to configure /etc/cacloginconfig.plist to match the user from the SmartCard.
> 
> I’ve set this config file really simply:
> 
> 	<key>fields</key>
> 	<array>
> 		<string>NT Principal Name</string>
> 	</array>
> 	<key>formatString</key>
> 	<string>$1</string>
> 	<key>dsAttributeString</key>
> 	<string>dsAttrTypeNative:userPrincipalName</string>
> 
> And when I insert the card on the login window, I got the good user.
> 
> However, and I don’t know why, the authentication isn’t accepted. The PIN field shakes just as if my PIN code was wrong (it’s not the case).
> 
> I’ve set up a TCP wiretap between the client and the Windows Server and when I hit enter, I see network traffic asking LDAP and MS GC requests (with the good UPN inside).
> 
> My thought is the requirements to validate authentication aren’t here. But I don’t know the requirements.
> 
> Does someone know how /etc/cacloginconfig.plist based authentication is supposed to work? What are the authentication steps and what should be set on the AD to handle cert based authentication?
> 
> Best regards,
> Yoann.

Personal email.  hbhotz at oxy.edu


