A Secure Integration of DOD Common Access Cards (CAC)
ADmitMac for CAC (AFC) securely integrates U.S. Department of Defense Common Access Cards (CAC) with Apple Macintosh computers. AFC provides a single sign-on environment, verifying a CAC against a centralized network authority. AFC obtains Kerberos tickets using CAC certificates, makes these tickets available to “Kerberized” applications, locks the computer upon removal of a CAC, and protects the computer from unauthorized use when it wakes from sleep.
This version also enables e-mail access to Exchange through Entourage or OWA without passwords; AFC handles authentication to the Exchange servers.
Security goes well beyond a simple verification of the PIN against the CAC. With AFC, the card itself is challenged to ensure that neither the card nor the privileges granted to the user have been revoked. When a CAC is inserted into a Macintosh, AFC replaces the normal login screen and prompts the user for their CAC PIN. Once the PIN is verified, AFC obtains the proper network credentials from Active Directory.
AFC includes its own PKINIT (Public Key Cryptography for Initial Authentication in Kerberos) that enables this secure integration.
ADmitMac for CAC v1.1 Software Product Description (PDF)
ADmitMac for CAC v1.1 Executive Summary (PDF)
ADmitMac for CAC JITC Certification (PDF)
ADmitMac for CAC provides the following enhancements over Apple’s standard offering in their Mac OS 10.4 release:
ADmitMac for CAC Advantages:
- No passwords needed: single sign-on environment using Kerberos PKINIT
- Adds Exchange/Entourage support for users who don’t have passwords
- Automatically locks the computer upon removal of the CAC, and when waking from sleep
- Screen-saver integrated with CAC security
- Meets Department of Defense Public Key Infrastructure (PKI) requirements
- Works with custom OCSP (Online Certificate Status Protocol) Responder configurations
New Features (v1.1):
- A mail proxy for Microsoft Exchange and Entourage is included that allows users without passwords to access their Exchange account. A system preference pane is provided to control the Exchange proxy.
- Users can prevent their identity certificate from being used by applications. This avoids connection failures that occur when Safari or other web browsers present the identity certificate to a web server instead of the e-mail certificate. A new system preference pane is provided for this purpose.
- A new alternative to the sudo command is provided. CAC users may use sudopk to gain root access if their account is mapped to the local admin group. sudopk verifies that the user has their CAC in a reader before allowing root access.
- CAC certificates are automatically published to Active Directory when a user logs in. This will make the user’s CAC certificates available so they can receive encrypted e-mail.
- The PKINIT application will now display information about the Active Directory user account that matches a CAC. The user account’s published certificates can also be viewed.
- AFC now supports forest-wide authentication of users: the Macintosh can be joined to a different domain than the one the user logs in to. User logins from different forests are not supported; however, cross-forest trusts are supported for file sharing, web browsing, e-mail and other Kerberized applications.
- Trust points can be managed from a command line using amcacconfig, and graphically using PKINIT.
- You may configure an OCSP responder that will handle all certificate revocation checks. Configuration can be made with amcacconfig or PKINIT.
- You may prevent the CAC screen saver from displaying user information.
- Administrators can easily manage Macintosh computers in their Microsoft Windows domain
- Enhanced security including NTLMv2 and SMB Signing
- Provides bidirectional file and printer sharing
- Full support for DFS (Distributed File System)
- Integrates with Microsoft’s NTFS file system to store both file forks in a single file (avoids ._ files)
- Integrates with Apple’s Workgroup Manager to fully support Managed Desktop (MCX) settings with no schema changes
- Exchange Gateway to support Entourage users without using passwords.
- Allows for user login with home directories located on the Macintosh client’s local hard disk or on the network
- Automatically configures Macintosh for use with Kerberos
- Fully signed and sealed (encrypted) LDAP connections prevent disclosure of user’s personal information and prevent man-in-the-middle attacks
- Support for bidirectional SMB-signed connections, NTLM SSP, and NTLMv2
- Expired and reset passwords are handled correctly when users log in to the Macintosh desktop
- Caches user credentials for mobile user access when not connected to the network
- Supports browsing for published shares
- Provides access to shared printers by browsing the list of printers published in a domain, or manually
- Kerberos credentials are set up automatically when a user logs in.
- Support for cross-realm trusts with MIT Kerberos and for multiple domains within a forest
- Administrators can choose domain search paths for users, groups, published printers and shares to limit searches to specific organizational units
- Administrators can give local administrative privileges to domain members based on username or domain group
- Administrators can give administrative privileges to the user specified as the Macintosh’s manager in the domain computer records
- Supports Mac OS X Server service principal names
- Home directories may be located in a path where the user does not have access to the parent folders
- Administrators can utilize Apple’s Workgroup Manager MCX settings
- ADmitMac Deployment utility creates custom ADmitMac install packages for multi-computer installations
- Dynamic DNS registration support: IP addresses registered with DNS using computer account name
- AD Commander allows administrators to edit Active Directory users and groups from Macintosh
- Logs all security related events related to CAC authentication.
Conforms to Microsoft SMB/CIFS standards, including the use of TCP port 445 and NetBIOS-less communication, and to the following RFCs and DoD specifications:
- RFC 4556: Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
- RFC 4120: The Kerberos Network Authentication Service (V5)
- RFC 1777: Lightweight Directory Access Protocol (LDAP)
- RFC 2743: Generic Security Service Application Program Interface Version 2
- RFC 1964: The Kerberos Version 5 GSS-API Mechanism
- RFC 2222: Simple Authentication and Security Layer (SASL)
- RFC 3244: Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
- RFC 1001 and RFC 1002: Protocol standard for a NetBIOS service on a TCP/UDP transport
- Department of Defense (DoD) Class 3 Public Key Infrastructure (PKI) Public Key-Enabled Application Requirements, Version 1.0, 13 July 2000
- Department of Defense (DoD) Class 3 Public Key Infrastructure (PKI) Interface Specification, Version 1.2, 10 August 2000
ADmitMac is a registered trademark of Thursby Software Systems, Inc.
Apple and Macintosh are registered trademarks of Apple Computer, Inc.
All other trademarks are the property of their respective owners.