TOM KEMP'S CENTRIFY BLOG

Strong Authentication for the Mac

Monday, November 17, 2008

Recently we announced that our Centrify DirectControl 4.2 for Mac OS X has been enhanced to add smart card-based login to Active Directory for single sign-on to Windows-integrated services and applications. Centrify leverages the PKI infrastructure provided by Apple and works with both Common Access Cards (CAC) and Personal Identity Verification (PIV) cards as well as with other cards that support the Apple TokenD interface such as the .NET smart card from Gemalto. With this capability, government agencies and other organizations can use smart cards for interactive login from the Mac to all services in the organization whose access is controlled from Active Directory, not just the local computer.

In this blog post I am going to drill down in more detail on why customers (especially in the Federal government) should leverage strong authentication for the Mac and how our solution works in this regard. Special thanks to David McNeely for helping me with the content in this post.

Why strong authentication for Mac login to Active Directory?

Ask any user about identity management and what they will tell you is that it is a pain to keep up with all the identities they need to log in to their applications, servers and web sites. What they really want is single sign-on: log in once with one identity to their desktop and never be asked for a user ID or password again as they access other applications and servers. This kind of single sign-on is one of the primary benefits to end users of using DirectControl to integrate non-Windows servers, databases, web servers and applications into Active Directory.

While single sign-on is a great thing for end users, security professionals tend to look at this and ask many other questions about the resulting security environment such as: What happens if this one primary password is compromised? What happens if the user is logged in and walks away from their computer? Is there a way to better protect this login identity that provides access to everything that the user is authorized to access?

There are a few precautions customers can take with DirectControl, using capabilities built into Active Directory, to help protect this password. Customers can define a more stringent password policy, for example requiring a mix of letters and numbers, a password much longer than the typical 8 characters, or more frequent password changes with no reuse of a previous password. Customers using DirectControl can also enforce a screen saver so that the computer locks after a set period of inactivity, although there is always a window of time between the user leaving the computer and the screen saver starting.

To provide a much stronger level of security without making access harder for the end user, while still giving them a simple login and single sign-on, many organizations, including the US Department of Defense and the rest of the Federal agencies, have adopted smart cards for user login as their strong authentication solution. The user inserts the smart card (something they have) and types a PIN (something they know) to gain access and SSO to other services and applications. There are other forms of strong authentication that could be used, but several advantages of smart cards led these organizations to adopt them.

First, a smart card is a highly secure authentication device built around public key cryptography (PKI), so that the authentication performed with it can be trusted: the private key stays on the card, the user proves possession of it rather than transmitting a reusable secret, and the certificate on the card lets the server verify whom it is talking to. A stolen PIN without the card, or a recording of the login exchange, does not yield the user's credentials. The user simply inserts the card into a reader and types a Personal Identification Number (PIN) or passphrase to unlock the card so that it can be used in the authentication process. In high-security environments the card can instead be unlocked with biometrics, which ensures the cardholder is physically present rather than just someone who knows the PIN, but not all systems support biometric card unlock.

Second, since the smart card is a credit card sized device (the ISO/IEC 7810 ID-1 form factor), it usually doubles as the company photo identification badge, which means the user must keep it with them at all times. This helps the security team enforce its wish that users remove the smart card from the computer when they leave their desk. But this will not always happen: if the card is only an ID badge, many employees will feel it isn't really required when moving within a building or between cubicles.

Third, most large smart card deployments are a joint effort between IT security and physical security, resulting in a common access card that provides building access, photo identification and computer access. Once building access is on the same card as computer access, the user is compelled to take the card with them in order to get in and out of doors. By the way, have you noticed that the rest rooms are typically outside the office or secured area? That is done mainly to give visitors access to rest rooms, but it also ensures employees keep their cards with them when they leave their desks, since they need the card to get back in, which in turn ensures the computer is locked while they are away.

DirectControl's smartcard support for the Mac

Now that you have a better understanding of what a smart card is and why it is one of the best solutions for strong authentication, let's look at how it is used to log in to a computer and what we've done in DirectControl to support smart card login on the Mac. As you would expect, smart card login requires a card reader attached to the computer and software that understands the card in order to drive the login process. Microsoft built the necessary smart card support into both Windows and Active Directory. A smart card login starts like a normal login, but when the user inserts the card into the reader the login dialog switches from prompting for a password to prompting for a PIN. Once the user types the PIN to unlock the card, the Windows login component (the GINA) uses the card to perform certificate-based Kerberos authentication. Active Directory's Kerberos service accepts two kinds of initial credential: a key derived from the user's password, or a certificate and private key, which is the PKINIT extension to Kerberos (RFC 4556). This certificate-based login is called a PKINIT operation.

While this sounds simple, a lot happens behind the scenes to validate the card and prove that it is trusted and still valid. The Active Directory Domain Controller performs three checks:

  1. the user's certificate chains to one of the Trusted Certificate Authorities, proving it was issued by a trusted authority; in a large organization that chain may be several layers deep,
  2. the certificate is within its validity period and has not been revoked, which the Domain Controller establishes by checking that the certificate is not listed in the issuing CA's Certificate Revocation List (CRL) or reported as revoked by its Online Certificate Status Protocol (OCSP) responder, and
  3. the certificate was in fact issued to the user trying to log in, which Windows determines from the User Principal Name carried in the certificate's Subject Alternative Name.

Once these checks pass, the Domain Controller issues a Kerberos Ticket Granting Ticket (TGT). As with any Kerberos login, the TGT itself is encrypted with the KDC's own key; what PKINIT protects with the user's certificate is the session key that accompanies the TGT, which the Domain Controller returns in a form that only the private key on the smart card can recover (in the PKINIT mode Windows originally shipped, by encrypting it to the public key in the user's certificate). The card's private key is also used to sign the authentication request, which is how the Domain Controller knows the requester holds the card and not merely a copy of its certificate. At this point the user has been logged in to Active Directory via smart card and holds a Kerberos TGT with which to gain SSO to other applications and servers.

Now you may have heard that OS X supports smart card login, and while that is true for login to the local system, it is not capable of authenticating a user via smart card to Active Directory. Apple provides much of the software required to communicate with the smart card, as well as the user interface that prompts for a PIN when a card is present. Many Apple applications can also use the card's certificates through the Keychain and its APIs for signing and encryption, for example TLS client-certificate authentication to web sites or S/MIME e-mail signing and encryption, but the built-in login does not support Active Directory login because it does not support the PKINIT operation.

Since many of our customers use Macs in higher-security environments where smart card login is required, we have added several features to DirectControl for OS X to support smart card login to Active Directory. The fundamental piece is the PKINIT function needed for an online login to Active Directory, just like a Windows workstation. For online logins using PKINIT the Domain Controllers do all the certificate validation: verifying the signing certificate authority chain to ensure the card is genuine and trusted, and the CRL or OCSP check to prove it is still valid. If the user needs to log in while the workstation is offline, DirectControl and the OS X smart card software must validate the card locally instead. To support this, DirectControl uses Group Policy to configure the Mac to trust the same Trusted Certificate Authorities the Active Directory Domain Controllers trust, copying them into the local System Keychain. Note that an offline check can only be as current as the revocation data cached on the Mac: a card revoked after the last CRL download will not be caught until the machine is back online.
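The following Go program is an added example and is not part of the original post or of Centrify's software. It does not speak Kerberos; it carries out only the certificate-validation half of PKINIT, namely the three Domain Controller checks listed above, plus the stale-CRL case that an offline login has to handle. It constructs a throw-away two-tier PKI in memory (a root CA, an issuing CA, two user certificates and a CRL, with made-up names such as alice@corp.example), encodes the account name the way Windows logon certificates do (a User Principal Name otherName in the Subject Alternative Name, with the Smart Card Logon EKU), and then runs one login attempt per scenario. It needs Go 1.19 or later for x509.ParseRevocationList.

```go
package main
// Added example, not Centrify's code: the checks a Domain Controller runs on a smart card
// certificate during a PKINIT logon, which an offline Mac must repeat from its local trust store.
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var oidSubjectAltName, oidUPN, oidSmartCardLogon = asn1.ObjectIdentifier{2, 5, 29, 17},
	asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2} // SAN; MS UPN otherName; MS Smart Card Logon EKU

// otherName is the SAN entry that binds a logon certificate to an AD account: SEQUENCE { OID, [0] EXPLICIT UTF8String }.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// newCert issues a CA when upn is "" (self-signed if parent is nil), else a logon certificate with the UPN in its SAN.
func newCert(cn, upn string, serial int64, notAfter time.Time, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // a real card generates this on-chip and never exports the private half
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: notAfter.Add(-72 * time.Hour), NotAfter: notAfter}
	if upn == "" {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	} else {
		on := must(asn1.MarshalWithParams(otherName{TypeID: oidUPN, Value: upn}, "tag:0")) // GeneralName [0] otherName
		t.ExtraExtensions = []pkix.Extension{{Id: oidSubjectAltName, Value: must(asn1.Marshal([]asn1.RawValue{{FullBytes: on}}))}}
		t.KeyUsage, t.ExtKeyUsage, t.UnknownExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, []asn1.ObjectIdentifier{oidSmartCardLogon}
	}
	if parent == nil { parent, signer = t, key }
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)))), key
}

func upnFromCert(c *x509.Certificate) (string, error) {
	for _, ext := range c.Extensions {
		var names []asn1.RawValue // SEQUENCE OF GeneralName; only the [0] otherName entries unmarshal into otherName
		if !ext.Id.Equal(oidSubjectAltName) { continue }
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil { return "", err }
		for _, n := range names {
			var on otherName
			if _, err := asn1.UnmarshalWithParams(n.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidUPN) { return on.Value, nil }
		}
	}
	return "", fmt.Errorf("no UPN in subjectAltName")
}

func ValidateLogon(user *x509.Certificate, roots, inters *x509.CertPool, crlDER []byte, claimedUPN string, now time.Time) error {
	// 1. chains to a trusted CA, is inside its validity period, and carries a client-authentication EKU
	chains, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil { return fmt.Errorf("chain/validity: %w", err) }
	// 2. not revoked: the CRL must be signed by the issuing CA (chains[0][1]), be current, and not list this serial
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || len(chains[0]) < 2 || crl.CheckSignatureFrom(chains[0][1]) != nil { return fmt.Errorf("revocation: CRL missing, malformed or not signed by the issuer") }
	if now.After(crl.NextUpdate) { return fmt.Errorf("revocation: cached CRL is stale, cannot prove the card is still valid") } // the offline trap
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(user.SerialNumber) == 0 { return fmt.Errorf("revocation: certificate is revoked") }
	}
	// 3. issued to the account that is logging on (UPNs compare case-insensitively in AD)
	upn, err := upnFromCert(user)
	if err != nil { return fmt.Errorf("identity: %w", err) }
	if !strings.EqualFold(upn, claimedUPN) { return fmt.Errorf("identity: certificate is for %s, not %s", upn, claimedUPN) }
	return nil
}

// Scenarios builds a two-tier demo PKI (made-up names) and runs one logon attempt per case; nil means allowed.
func Scenarios() map[string]error {
	now := time.Now()
	root, rootKey := newCert("Demo Root CA", "", 1, now.Add(48*time.Hour), nil, nil)
	iss, issKey := newCert("Demo Issuing CA", "", 2, now.Add(48*time.Hour), root, rootKey)
	alice, _ := newCert("alice", "alice@corp.example", 100, now.Add(24*time.Hour), iss, issKey)
	bob, _ := newCert("bob", "bob@corp.example", 101, now.Add(24*time.Hour), iss, issKey)
	crl := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bob.SerialNumber, RevocationTime: now}}}, iss, issKey))
	roots, inters, none := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool(); roots.AddCert(root); inters.AddCert(iss)
	try := func(c *x509.Certificate, upn string, at time.Time) error { return ValidateLogon(c, roots, inters, crl, upn, at) }
	return map[string]error{
		"good card":                try(alice, "alice@corp.example", now),
		"revoked card":             try(bob, "bob@corp.example", now),
		"expired card":             try(alice, "alice@corp.example", now.Add(25*time.Hour)),
		"card for another account": try(alice, "bob@corp.example", now),
		"issuer not trusted":       ValidateLogon(alice, none, inters, crl, "alice@corp.example", now),
		"offline, CRL 13h old":     try(alice, "alice@corp.example", now.Add(13*time.Hour)),
	}
}

func main() {
	for name, err := range Scenarios() { fmt.Printf("%-25s -> %v\n", name, err) }
}
```

Running it prints one line per scenario. Two details are worth noticing. The identity check compares UPNs case-insensitively, as Active Directory does. And the revocation check refuses a CRL whose NextUpdate has passed rather than treating "not on the list" as proof of validity; that is the practical limit of offline smart card login, since an offline Mac can only consult the revocation data it cached, and policy has to decide whether a stale CRL blocks login or is an accepted risk for a bounded period.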

Certainly smart card based authentication can be confusing for administrators due to the more complex authentication requirements, but it provides a much higher level of security, enabling strong multi-factor authentication of end users both online and offline to their computer and other applications. DirectControl is designed to simplify the integration of UNIX, Linux and Mac systems into Active Directory and to enable smart card login to AD for Mac users. We've tested several smart cards, such as the US DoD Common Access Card (CAC) and the newer Personal Identity Verification (PIV) cards mandated by Homeland Security Presidential Directive 12 (HSPD-12). We've also tested cards and middleware (essentially smart card drivers) from other vendors, such as Gemalto's .NET cards and ActivIdentity's ActivClient for OS X middleware. As long as the smart card provider has a corresponding tokend middleware for the card and its card profile, DirectControl should be able to use it for Active Directory login if the card has been personalized with a user certificate and properly configured for login on a Windows computer.

If you need smart card login for your OS X system and you have a CAC, PIV or .NET card give us a call and we'd be happy to help get you an eval of DirectControl. If you'd like more information on smart card login and don't have smart cards deployed within your company yet, give us a call and we can explain further what you'd need.

Again many thanks to David McNeely for help on this blog post!

