A Secure Integration of DOD Common Access Cards (CAC)
ADmitMac for CAC (AFC) securely integrates U.S. Department of Defense Common Access Cards (CAC) with Apple Macintosh computers. AFC provides a single sign-on environment, verifying a CAC against a centralized network authority. AFC obtains Kerberos tickets using CAC certificates, makes these tickets available to “Kerberized” applications, locks the computer upon removal of a CAC, and protects the computer from unauthorized use when it wakes from sleep.
This new version also gives users e-mail access to Exchange through Entourage or OWA without needing passwords; AFC takes care of authentication to the Exchange servers.
Security goes far beyond a simple verification of the PIN against the CAC. With AFC, the card itself is challenged to ensure that neither the card nor the privileges granted to the user have been revoked. When a CAC is inserted into a Macintosh, AFC replaces the normal login screen and prompts the user to enter their CAC PIN. Upon verification of the user’s PIN, AFC obtains the proper network credentials from Active Directory.
AFC includes its own PKINIT (Public Key Cryptography for Initial Authentication in Kerberos) implementation, which enables this secure integration.
ADmitMac for CAC v2.0 Software Product Description (PDF)
ADmitMac for CAC v2.0 Executive Summary (PDF)
ADmitMac for CAC JITC Certification (PDF)
ADmitMac for CAC provides the following enhancements over Apple’s standard offering in its Mac OS 10.4 and 10.5 releases:
ADmitMac for CAC Advantages:
- No passwords needed: single sign-on environment using Kerberos PKINIT
- Adds Exchange/Entourage support for users who don’t have passwords
- Never requires the use of passwords to log in or to mount network volumes
- Automatically locks the computer upon removal of the CAC, and when waking from sleep
- Screen-saver integrated with CAC security
- Meets Department of Defense Public Key Infrastructure (PKI) requirements
- Works with custom OCSP Responder configurations
Standard Features:
- Administrators can easily manage Macintosh computers in their Microsoft Windows domain
- Enhanced security including NTLMv2 and SMB Signing
- Provides bidirectional file and printer sharing
- Full support of DFS (Distributed File System)
- Integrates with Microsoft’s NTFS file system to store both file forks in a single file (avoids ._ files)
- Integrates with Apple’s Workgroup Manager to fully support Managed Desktop (MCX) settings with no schema changes
Advanced Features:
- Exchange Gateway to support Entourage users without using passwords
- Allows for user login with home directories located on the Macintosh client’s local hard disk or on the network
- Automatically configures Macintosh for use with Kerberos
- Fully signed and sealed (encrypted) LDAP connections prevent disclosure of users’ personal information and prevent man-in-the-middle attacks
- Support for bidirectional SMB-signed connections, NTLM SSP, and NTLMv2
- Expired and reset passwords are handled correctly when users log in to the Macintosh desktop
- Caches user credentials for mobile user access when not connected to the network
- Supports browsing for published shares
- Provides access to shared printers by browsing the list of printers published in a domain, or manually
- Kerberos credentials are set up automatically when a user logs in
- Support for cross-realm trusts with MIT Kerberos and for multiple domains within a forest
- Administrators can choose domain search paths for users, groups, published printers and shares to limit searches to specific organizational units
- Administrators can give local administrative privileges to domain members based on username or domain group
- Administrators can give administrative privileges to the user specified as the Macintosh’s manager in the domain computer records
- Supports Mac OS X Server service principal names
- Home directories may be located in a path where the user does not have access to the parent folders
- Administrators can utilize Apple’s Workgroup Manager MCX settings
- ADmitMac Deployment utility creates custom ADmitMac install packages for multi-computer installations
- Dynamic DNS registration support: IP addresses are registered with DNS using the computer account name
- AD Commander allows administrators to edit Active Directory users and groups from Macintosh
- Logs all security-related events for CAC authentication
View the LANDWARNET QuickTime Presentation
Conforms to Microsoft SMB/CIFS standards, including use of TCP port 445 and NetBIOS-less communication, and to the following RFCs and specifications:
- RFC 4556 Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
- RFC 4120 The Kerberos Network Authentication Service (V5)
- RFC 1777 Lightweight Directory Access Protocol (LDAP)
- RFC 2743 Generic Security Service Application Program Interface Version 2
- RFC 1964 The Kerberos Version 5 GSS-API Mechanism
- RFC 2222 Simple Authentication and Security Layer
- RFC 3244 Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
- RFC 1001, 1002 Protocol standard for a NetBIOS service on a TCP/UDP transport
- Department of Defense (DoD) Class 3 Public Key Infrastructure (PKI) Public Key-Enabled Application Requirements, Version 1.0, 13 July 2000
- Department of Defense (DoD) Class 3 Public Key Infrastructure (PKI) Interface Specification, Version 1.2, 10 August 2000
ADmitMac is a registered trademark of Thursby Software Systems, Inc.
Apple and Macintosh are registered trademarks of Apple Computer, Inc.
All other trademarks are the property of their respective owners.