
Authentication Services 4.0.3 - Mac OS X Administrator's Guide


Requiring Smart Card for Login


There are two ways to ensure that users cannot log in without a smart card:

  1. QAS allows you to configure an entire host to require smart cards for login by editing vas.conf. Add the require-smartcard=true option under the [vas_macos] section. You can set this option for multiple machines using the Group Policy vas.conf policy extension.

    -OR-

  2. You can enforce this on a user-by-user basis by setting the SmartCard Required For Interactive Login option on each user using Active Directory Users and Computers (ADUC).




Debugging a Missing PIN Prompt


If you insert your card at the login window and wait a few moments, a PIN prompt should appear. If it does not, the most likely causes are:

  1. The card is not supported by the TokenD that is currently installed on the system.

    -OR-

  2. You have not properly configured the attribute mapping.




TokenD Problems


If the card is supported by an installed TokenD, you should see it in the Keychain Access application, represented as a unique keychain item.

If you cannot see your card in the keychain, the problem most likely is that you do not have a TokenD installed on the system that supports the card.

You can find the Keychain Access application in the Applications folder, under the Utilities sub-folder.




Attribute Mapping Problems


If the card is supported by a TokenD on the system, a PIN prompt failure at the login window usually indicates that no configured directory service plug-in recognizes the user on the card.

Make sure that you have properly joined QAS to the Active Directory domain; for example, conduct some username/password login tests first. Then investigate attribute mapping issues. As discussed in the previous section, the attribute mapping is contained in /etc/cacloginconfig.plist. Validate that this file exists and contains a mapping.

The file looks similar to:

<dict>
   <key>dsAttributeString</key>
   <string>dsAttrTypeNative:userPrincipalName</string>
   <key>fields</key>
   <array>
      <string>NT Principal Name</string>
   </array>
   <key>formatString</key>
   <string>$1</string>
</dict>

QAS supports mapping the Active Directory userPrincipalName attribute to a value or set of values on your smart card. If the default mapping to NT Principal Name is not correct, replace NT Principal Name with an attribute value on your card that matches the Active Directory userPrincipalName of the card user.

To determine the userPrincipalName of a user from the Unix/Mac OS X command line, run this vastool attrs command:

/opt/quest/bin/vastool -u host/ attrs <username> userPrincipalName
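To check offline that the mapping in /etc/cacloginconfig.plist would turn the card's fields into the same userPrincipalName that vastool attrs returns, here is an added Python check (not part of QAS or this guide). It assumes the dict shown above is the top-level object of the file; the card field values and the AD UPN used are constructed samples.

```python
import plistlib
import re
# Constructed sample of /etc/cacloginconfig.plist: the dict from the guide wrapped in a
# <plist> root (assumption: that dict is the file's top-level object).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>dsAttributeString</key>
  <string>dsAttrTypeNative:userPrincipalName</string>
  <key>fields</key>
  <array>
    <string>NT Principal Name</string>
  </array>
  <key>formatString</key>
  <string>$1</string>
</dict>
</plist>"""
# Constructed card contents, keyed by the field names a TokenD exposes.
SAMPLE_CARD = {"NT Principal Name": "jdoe@example.com"}
REQUIRED_KEYS = ("dsAttributeString", "fields", "formatString")

def load_mapping(plist_bytes):
    """Parse the plist and require all three mapping keys plus a non-empty fields array."""
    mapping = plistlib.loads(plist_bytes)
    missing = [k for k in REQUIRED_KEYS if k not in mapping]
    if missing:
        raise ValueError("mapping lacks keys: " + ", ".join(missing))
    if not mapping["fields"]:
        raise ValueError("fields array is empty")
    return mapping

def resolve_identity(mapping, card_fields):
    """Build the identity: $1..$n in formatString stand for the listed card fields, in order."""
    values = []
    for name in mapping["fields"]:
        if name not in card_fields:
            raise KeyError("card does not expose field %r" % name)
        values.append(card_fields[name])

    def substitute(match):
        index = int(match.group(1))
        if not 1 <= index <= len(values):
            raise ValueError("formatString uses $%d but only %d field(s) listed" % (index, len(values)))
        return values[index - 1]
    return re.sub(r"\$(\d+)", substitute, mapping["formatString"])

def mapping_matches_upn(mapping, card_fields, ad_upn):
    """True when the card-derived value equals the AD userPrincipalName (matched case-insensitively)."""
    return resolve_identity(mapping, card_fields).lower() == ad_upn.lower()
```

Feed it the real file with open("/etc/cacloginconfig.plist", "rb").read() and the value printed by the vastool attrs command above; a KeyError means the card does not carry the field named in the mapping, which is the case where NT Principal Name has to be replaced.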



