FileVault plus Smart Card Login

I was wondering if there is any way to use FileVault when using a smart card to log into an account on Mac OS X?

Hi Robert Gauthney,
Could you offer more information about your issue? I found a similar scenario to your issue; if it meets your environment, please refer to the following KB to fix it. If it does not meet your scenario, please offer us more information, such as the error screenshot or related Windows event information:
Smart card authentication does not work when you use VDI and RD Gateway for RDC client in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2548538/EN-US
I’m glad to be of help to you!
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Similar Messages

  • Smart card login

    Hi Guys,
    I have just enabled smart card login on my mac but want to disable the password login option (i.e. I can log in with the smart card, but if I don't plug in the card reader/card, I am prompted for password login). How can I enforce smart card only login?
    Many Thanks
    Michael

    Are you getting all user icons, plus the smartcard icon, or just the smartcard icon and "Other..." ?
    If the latter, then disable the root user (which displays the "Other..." prompt on the login window, even if smartcard login is enabled).

  • Smart card login and sparsebundle password

    Hi,
    I am using a PIV profiled card to login to my mac. I am using Snow Leopard 10.6.2 and have successfully used the card to login to the machine and do signed and encrypted emails. Every login I get prompted after smart card login for the password for my sparsebundle (I had been using filevault prior to introducing the card) and even though I tick the "save password" option I still am prompted on each login. Does anyone know if there is any way to associate my smartcard login with an existing sparsebundle? Also, is there any way to force the machine to use a smart card login only (i.e. remove the password option)?
    Many thanks
    Michael

    I'm guessing that since you are not entering a password, the sparse bundle is not being unlocked. I don't know of a way to tie it to the smart card login. It sounds similar to when you put a different password on your default keychain. It won't unlock on login because you are not entering its password.

  • Cisco ISE Guest portal - smart card login

    Does anyone know if Cisco ISE supports smart card login to the guest portal page?

    No, it doesn't. You can test the same while editing the wireless SSID profile, opting for smart card as the authentication method other than PEAP/EAP.

  • TACACS+ and Smart Card login

    We are currently using Cisco ACS 5.3 integrated with Active Directory for authentication to our Cisco devices. We are looking to move to smart card logins and trying to find out if this is possible to authenticate to the console/ssh on the router/switch using a smart card.

    Direct smart card authentication is not supported for vty / console sessions on IOS. However, via TACACS to an AAA server (e.g. Cisco ACS) you can turn it to use a two-factor-based external authentication store. Even if the smart card gets the PKI cert of some kind to the client PC and then to the terminal emulator like PuTTY or SecureCRT, AAA with TACACS+ would not be possible as TACACS is not capable of encapsulating any kind of PKI.
    Jatin Katyal
    - Do rate helpful posts -

  • How to configure smart card login in sunray 2fs??

    Hi all,
    Please help me to configure smart card login using Sun Ray Server Software 4.0... How do I assign a smart card to a particular user? Do I need to flash the smart card with user information, or does another method exist?

    I'm not sure what you know or don't know about this so I'll give you what I know:
    1. Create a token reader and a token
    * Plug in a Sun Ray DTU/client
    * Check the MAC address of the Sun Ray you just plugged in
    * Access the Sun Ray admin GUI
    * Choose the 'Desktop Units' tab
    * See if your Sun Ray DTU is listed (if it isn't listed you have Sun Ray Server configuration issues...)
    * If it is listed click the identifier
    * Check the status of the DTU to see if this particular unit is already a token reader (normally it is not, i.e. by default a Sun Ray DTU is not)
    * Click 'Edit'
    * Check 'Token Reader'
    * Click 'OK'
    * /opt/SUNWut/sbin/utrestart (I'm not sure if a warm restart is OK or a hard restart is necessary)
    Now insert a shiny new Java card into your token reader's slot
    * In the Sun Ray admin GUI choose the 'Tokens' tab
    * Search for currently used tokens
    * You should see a token identifier such as 'Payflex.blah' under your desktop unit (i.e. the token reader)
    * Click the token identifier and click 'Edit'
    * Assign a username (i.e. Unix username) to the token under 'Owner'
    * Click 'OK' and remove the smart card from the token reader
    2. Assign the Token
    * Insert your smart card from step 1 into the token reader
    * In the Sun Ray GUI click 'Tokens' and 'New'
    * Under 'Identifier' you should see 'Read Identifier from Token Reader' checked
    * Click 'Read Token'
    * Assign an owner (i.e. Unix user account) and a session type (Kiosk or Regular)
    * Click 'OK'
    Item 2 from the notes I used for this looks a lot like item 1, so I can't say that it is strictly necessary.
    I don't have a Sun Ray Server accessible to me at the moment to confirm but this procedure should help I hope.

  • Smart Card login for ordinary folk

    Hi,
    I used to use the OpenSC project for Smart Card login, but I believe that with changes in OS X 10.8 it's no longer an option.
    What affordable solutions are there for genuine Smart Card login for OS X 10.8?  YubiKey doesn't support anything more than entering a static password pre-stored on the device, and when I last tried Rohos it was abysmal.

  • Disabling normal login and only using smart card login?

    I've managed to set up login using BELPIC (Belgian Identity Card, a smart card). However, I can still log in using username/password. Is it possible to restrict the system to only using smart card login? (maybe via tweaking the authorize file?)
    Thanks

    The problem isn't with the provider part of the code - it has to do with security privileges. Java code running from the command line has full access to the file-system. Servlets running inside a container do not.
    In order to access cryptographic keystores, the JVM must allow the servlet code to access local files (and through them, the device drivers to the crypto token). Servlet code running inside a web/application server container, by design, is restricted in its ability to access local files on the servlet container machine (other than configuration files and application code under the servlet context root).
    In order to continue with my project, I had to temporarily provide the servlet full access to the machine's file-system in the java.policy file for the JVM, along the lines of the following:
    grant {
        permission java.security.SecurityPermission "authProvider.SunPKCS11-NSS", "getSignerPrivateKey";
    };
    I hope to go back and restrict this access so that only the specific security grants are available to the servlet to access the private key (the above is too lenient).
    You will need to do something similar to your JVM's java.policy to allow the servlet to access the private key. Substitute the "authProvider.SunPKCS11-NSS" with the driver for your own token.

  • Smart Card login screen authentication

    Apple don't seem to have updated their documentation on this subject since way back in the Mac OS X Tiger days!
    I would like to have a setup where a user can walk up to a Mac (which is at the login screen), wave an RFID card over a reader connected to that Mac and be able to then login to that Mac. If it is necessary for a PIN/Password to also be entered that might be acceptable. Similarly if the screensaver activates during their login session, waving their RFID card again over the reader should unlock the screensaver.
    An alternative scenario would be a Mac with a guest login account enabled, and then wanting to use the same card reader to authenticate when requested to a proxy server in order to gain network access.
    The cards to make it clear would be RFID based, not magstripe or chip-and-pin. There are suitable USB readers like this one
    http://www.ers-online.co.uk/o5651/cardman5021-cl-omnikey-omnikey-5021-cl-contactless-smart-card-reader

  • Issues regarding Smart Card login inside domain and on SmartPhones

    Hi
    I am planning to implement login at my domain ONLY with a smartcard.
    I saw I have some options for how to do it: one with a GPO that covers all the computers (or some computers with defined groups),
    or I can check the "smart card is required ...." box. This could be the easy way, but when I check this box,
    the users with smartphones can no longer authenticate with them to get emails, and OWA is also not available for them.
    Is there any solution so the users will have to log in with a smartcard and still get the emails on their smartphones?
    thanks
    TK

  • Windows 7 Smart Card Logon

    Hi,
    Testing PKI with Windows 7 x64 under a (otherwise) working public key infrastructure (Windows 2008 CA) using Smart Card certificates based on V2 templates. I've enrolled an AD user successfully with a smartcard and validating the cert it looks all ok (via certutil -scinfo). For all intents and purposes the smart card appears ok but when I try to logon with the user and the smartcard inserted in the machine, I get the following error message:
    "The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
    Kind of weird message :-/ The smart card reader is in-built on a Dell E6400 ATG... the smart card itself is a Gemalto .NET based card. I've validated that the cert is correctly written to the card via the netsolutions site at Gemalto ... Windows 7 reads the smart card and the user ID correctly from the GUI Logon screen ... it's only when I enter the PIN and it attempts to logon do I get the above message....
    Is there anything "special" I need to do in Windows 7 or in group policy to enable smart card support?? This has worked fine in the past on XP....
    Both the smart card service and the certificate propagation service are running...
    Regards,
    Mylo

    Stigh,
    OK..... I've got it working with Windows 7 on the 6400 together with the Mobile Internet Broadband using domain-based interactive logon.... so the pressure's off at least at this end :-)
    "I actually disagree."
    I can see you're healthy motivated to fix the problem.. which is good :-)
    "As long as there is a EKU in the certificate, it should work for local logon."
    Agreed (kind of).. although in your case the common name (the username) is the key identifier for logon purposes..  a UPN in this case is moot as there is no domain to speak of.... I'm assuming the Smart Card Login OID is present in your certificate template together with Client Authentication, and that the purpose is set to "Signature and Smartcard Logon".. I'm working with V2 templates at the mo...
    "In GPedit, under Computer Configuration-Windows Components-Smart Card there are policies to disable certain parameters. I need to read more on those."
    In my case I haven't tweaked any settings via GPO... to resolve the problem described earlier I ended adding the AMT HECI driver for the chipset and the Broadcom drivers from the Connection Manager packs.... I suspect it was the latter that was the problem. Again I haven't installed any Dell Connection Manager software so I'm relying purely on drivers.
    "Btw; Dell SmartCard is not available for shopping in Norway where I'm located; so I can not enroll any cards through Controlpoint/Wave manager. My Gemalto.NET card is purchased from a local store"
    The Gemalto drivers from Windows 7 RTM worked ok for me.
    "The reason for using the laptop as stand alone outside domain is that it's "never" connected locally to any wired network, and there is no reason for it to be a member of the domain."
    OK, but here's where I disagree :-) .. the machine in question will need to connect back to your Enterprise CA certificate distribution point (CDP) to check that the certificate is valid. That's part of basic PKI functionality to ensure certificates are valid. In your case, you'll need an HTTP-based CDP reachable from the local machine, i.e. reachable over a LAN or over the Internet from the "stand-alone" machine, as default LDAP CDPs are meaningless as your client is not domain-joined. Otherwise, you'll need to turn off certificate revocation on the local machine completely, which is diluting security even further.
    "Its only connecting through RDP and for Outlook (Exchange 2007). Here I use the certificate for RDP logon and for signing/encrypting emails."
    I was slightly confused here.. so you don't intend to use the smartcard for local logon? If this is the case this is a workable scenario. You can use a smartcard from a non-domain joined machine to connect for RDP logon. S/MIME is also possible from Outlook, but YMMV as you may run into trust issues when sending encrypted mails to parties that don't trust your CA. Again, bear in mind the comments made earlier about the CDP... the "stand-alone" machine will still need to "connect" back to the CA to access the CDP/AIA, plus you'll have to do certificate renewals etc.
    On a parting note, you need to be clear about why you really need to use smart cards (in this scenario). You're working outside the normal working conventions of Windows with a non-domain joined machine and the pay-off in this case is negligible. I'm not trying to dissuade you from continuing but it's likely to be an uphill struggle.
    Good luck and post back if you want to discuss further!
    Regards,
    Mylo

  • Authenticate to the Domain using a Smart Card

    Hi,
    I'm trying to get authenticated using the Smart Card but got the following error messages:
    On the Windows XP client, we inserted the PIV card, entered the PIN but received an error message “The system could not log you on.  The server authenticating you reported an error (0xC00000BB).”
    On the Windows 7 client, we received an error message “The system could not log you on.  You cannot use a smart card to log on because smart card logon is not supported for your user account.”
    Here is our environment:
    - Domain: Windows 2008 R2
    - Client: Windows XP SP3 and Windows 7
    - Smart Card: USAccess issued PIV card
    - Card Reader: SCR3310
    - Middleware: ActiveClient
    Here is what I have already done:
    - Imported the following Entrust certificates from http://sspweb.managed.entrust.com/EMSPKIFSSPCACertificateInformation.html into the Domain under the Trusted Root Certification Authorities
      - Common Policy CA Certificate
      - Common Policy to EMSPKI trust certificate
      - Federal Root CA Expires 06/01/2012
      - Federal SSP CA Expires 05/31/2012
      - Federal Root CA Expires 05/09/2019
      - Federal SSP CA Expires 05/08/2019
    - Added the certificates to the NTAuth store in the Domain
    - Posted Domain controller certificate (issued by NIST internal CA) in the NTAuth store
    - Updated my UPN on the domain to match with the Subject Alternative Name on the card “[email protected]”
    - Domain policy pushed down the Entrust certificates and Domain Controller certificate to the client computer
    - Made PIV Card certificates available to Windows via ActiveClient middleware
    Am I missing some steps or configuration?
    Thank you,

    To solve one of the issues related to:
    "The system could not log you on. You cannot use a smart card to log on because smart card login is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."
    On the client side.
    Ensure that the Certificate is assigned the Client Authentication function.
    You can do this on Internet Explorer:
    Tools -> Internet Options -> Content -> Certificates
    Then select the certificate
    Click the ‘Advanced’ button, this opens the Advanced Options dialog box.
    Under ‘Certificate purposes:’ box check:
    |X| Client Authentication
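The certificate properties discussed in the Windows 7 thread above (Smart Card Logon plus Client Authentication EKUs, a UPN, an HTTP-reachable CDP) and the Client Authentication purpose this answer checks in Internet Explorer can also be verified programmatically. The block below is an added example, not code from any post in this thread; it uses Python's `cryptography` library and a constructed self-signed test certificate, and every name, UPN and URL in it is a placeholder.

```python
"""Added example (not from the thread): check a user certificate for the properties
Windows smart card logon expects. A constructed self-signed certificate stands in
for a real card certificate; the UPN, CRL URLs and names are placeholders."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"          # EKU: Client Authentication
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # EKU: Smart Card Logon
OID_UPN = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # SAN otherName: User Principal Name


def der_utf8string(text: str) -> bytes:
    """DER-encode a short UTF8String (tag 0x0c); the UPN otherName carries one."""
    raw = text.encode("utf-8")
    if len(raw) >= 128:
        raise ValueError("short-form DER length only")
    return b"\x0c" + bytes([len(raw)]) + raw


def build_test_cert(upn, cdp_urls, ekus):
    """Constructed self-signed certificate carrying only the extensions under test."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "placeholder user")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.ExtendedKeyUsage([ObjectIdentifier(o) for o in ekus]),
                       critical=False)
        .add_extension(x509.CRLDistributionPoints([
            x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(u)],
                                   relative_name=None, reasons=None, crl_issuer=None)
            for u in cdp_urls]), critical=False)
    )
    if upn is not None:  # a certificate with no UPN SAN models the failing case
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.OtherName(OID_UPN, der_utf8string(upn))]),
            critical=False)
    return builder.sign(key, hashes.SHA256())


def check_logon_cert(cert):
    """Return a dict of findings; True means that requirement is satisfied."""
    exts = cert.extensions
    findings = {"client_auth": False, "smartcard_logon": False,
                "upn_san": False, "http_cdp": False}
    try:  # both EKUs are needed for the "Signature and Smartcard Logon" purpose
        eku = exts.get_extension_for_class(x509.ExtendedKeyUsage).value
        oids = {o.dotted_string for o in eku}
        findings["client_auth"] = OID_CLIENT_AUTH in oids
        findings["smartcard_logon"] = OID_SMARTCARD_LOGON in oids
    except x509.ExtensionNotFound:
        pass
    try:  # the UPN in the SAN is what the KDC maps to the AD account
        san = exts.get_extension_for_class(x509.SubjectAlternativeName).value
        findings["upn_san"] = any(o.type_id == OID_UPN
                                  for o in san.get_values_for_type(x509.OtherName))
    except x509.ExtensionNotFound:
        pass
    try:  # an LDAP-only CDP is unreachable from a client that is not domain-joined
        for dp in exts.get_extension_for_class(x509.CRLDistributionPoints).value:
            for gn in dp.full_name or []:
                if (isinstance(gn, x509.UniformResourceIdentifier)
                        and gn.value.lower().startswith("http://")):
                    findings["http_cdp"] = True
    except x509.ExtensionNotFound:
        pass
    return findings


if __name__ == "__main__":
    good = build_test_cert("user@example.test", ["http://pki.example.test/ca.crl"],
                           [OID_CLIENT_AUTH, OID_SMARTCARD_LOGON])
    bad = build_test_cert(None, ["ldap:///CN=CA,CN=CDP"], [OID_CLIENT_AUTH])
    for label, cert in (("good", good), ("bad", bad)):
        print(label, check_logon_cert(cert))
```

To run it against a real card certificate, load it with `x509.load_der_x509_certificate` (or the PEM variant) and pass it to `check_logon_cert`; the domain controller certificate needs its own, different checks.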

  • SCCM 2012 SP1 Remote Control Smart Card Support?

    Hi,
    We're currently running SCCM 2012 SP1. We have implemented mandatory smart card login on our Win 7 workstations using GPO. Is it correct to say that SCCM's Remote Control Viewer does not support passing of smart card credentials through the session?
    Our testing thus far would indicate that it does not. This is problematic for our help desk that often uses the Remote Viewer to connect to end user machines and then elevate rights to perform admin level tasks. So far the only way we have developed to work around it is to run a script that temporarily changes the GPO to remove the smart card enforcement requirement. Is there a better way to address this issue?
    Thanks
    Josh

    Just to add to Wally's comments, there's actually no way this will ever happen without significant investments and development time (if it's possible at all), and it's really not anything that the ConfigMgr product group could implement as it has to do with authentication, which is handled by the OS. Passing smart card credentials across the network is inherently flawed and poses a huge security risk. When this was discussed internally at Microsoft, the security teams there said they could easily hack any mechanism that tried to do this and compromise the credentials.
    The recommendation from Microsoft is to use local admin accounts on workstations for elevation. This goes for *any* type of remote control (including remote desktop btw) because the same security weakness exists regardless of the remote tool being used.
    Jason | http://blog.configmgrftw.com

  • How to configure Firefox to use cert from smart card reader on Sun Ray 3 Plus

    I have a Sun Ray 3 Plus configured so the user needs a smart card to login (CAC card) and bring up a Java Desktop on the Sun Ray Server (Solaris 10 SPARC).
    Now I am trying to get Firefox to read the certificate from the smart card reader but not sure how to go about doing that.
    From searching online, it seems like I have to load a module in Firefox:
    Edit -> Preferences -> Certificates -> Security Devices
    But what file do I load? I'm assuming it is a file that's part of the SUNWut package?

    I try to test bumblebee with:
    optirun glxgears
    but I get this error:
    Xlib: extension "GLX" missing on display ":8".
    Error: couldn't get an RGB, Double-buffered visual

  • Security-Kerberos Event ID 9 - Smart Card not working for Login due to CRL download failure

    We have 8 computers that users were able to login with a Smart Card on one day. The next day they couldn't. Everyone else can login with a Smart Card without issue. These users can login with their smart card on other systems without issue. No users can login on the affected computers with a SmartID.
    In all cases, users can login on affected computers with their user ID and password.
    All traces on the domain controllers indicate the smart card PKI cert was validated by OCSP and the Kerberos session ticket was passed back to the client.
    However the client can't download the CRL from the CRL server for validation during login and always reports the CRL server is unavailable.
    Using CertUtil, you can validate manually the DC cert and the CRL will download from CRL server. You can also hit the HTTP site for the CRL download and manually download the CRL. All this once logged in using user id and password.
    You can't unlock the computer with a Smart card or login with a smart card.
    Packet trace indicates Kerberos session properly negotiated with workstation and DC.
    Everything fails once client workstation can't download CRL during login.
    Any suggestions on where to look next?
    We have reloaded Activclient smart card validation software. Still no effect on issue.
    Smart card is readable once user is logged in, via Activclient, and Windows recognizes certs on smart card when inserted for login.
    Problem occurs during CRL download only, so login or any type of validation fails.

    Got it.
    So try to do what I suggested: exclude the CRL downloaded on Friday and try to rebuild it.
    Check it here:
    To resolve this issue:
    1. Delete the domain controller certificate that is no longer valid.
    2. Request a new certificate.
    To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
    Delete the domain controller certificate that is no longer valid
    To delete the domain controller certificate that is no longer valid:
    1. On the domain controller, click Start, and then click Run.
    2. Type mmc.exe, and then press ENTER.
    3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    4. Click File, and then click Add/Remove Snap-in.
    5. Click Certificates, and then click Add.
    6. Click Computer account, click Next, and then click Finish.
    7. Click OK to open the Certificates snap-in.
    8. Expand Certificates (Local computer), expand Personal, and then click Certificates.
    9. Right-click the old domain controller certificate, and then click Delete.
    10. Click Yes, confirming that you want to delete the certificate.
    After the certificate is deleted, follow the procedure in the "Request a new certificate" section.
    Request a new certificate
    To request a new certificate:
    1. Expand Certificates (Local computer), right-click Personal, and then click Request New Certificate.
    2. Complete the appropriate information in the Certificate Enrollment Wizard for a domain controller certificate.
    3. Close the Certificates snap-in.
    Verify
    To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
    To verify that the Kerberos Key Distribution Center (KDC) certificate is available and working properly:
    1. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
    3. At the command prompt, type certutil -dcinfo verify, and then press ENTER.
    If you receive a successful verification, the Kerberos KDC certificate is installed and operating correctly.
    Sergio Figueiredo
    Microsoft Certified Solutions Associate
