The way that it originally worked was this. The user would re-enter their
login name and password to "E-Sign" in a module. We would check this
against AD via CFLDAP, and if it was valid the module would be "Signed". The
original paper process required a supervisor's signature for approval.

The enterprise is implementing a mandatory PIV card system which does away
with the user entering a password. Instead they enter a PIN number; this is
never passed to AD, it only serves to initialize the PIV card. The Kerberos
system generates a password which is changed on a regular basis. The end
user never knows what the password is, only the PIN number.


On Mon, Jul 28, 2014 at 12:47 PM, Dave Watts <dwa...@figleaf.com> wrote:

>
> > That's the thing Dave, I'm not sure that this is even possible. The folks
> > using PIV cards enter a PIN number at login, and all that does is "wake up"
> > the card, and then the chip on the card handles the rest.
> >
> > We would somehow have to access the card through the PIV reader and have
> > the card ask for a ticket.... I think...  and then somehow determine if a
> > valid ticket has been created.
>
> I don't think you'd have to do that. My guess is that once the user
> initially logs in, the card is not required for future tickets. The
> TGT and any service tickets are stored by the OS (something you can
> easily confirm with the klist command: "klist tickets").
>
> But again, what exactly are you trying to do? If you're just trying to
> see the user's verified identity, why not just read the appropriate
> CGI variables that IIS presents? I mean, it sounds like that would be
> sufficient for verification of your user in a Kerberos realm. What
> would be served here by getting another ticket?
>
> Dave Watts, CTO, Fig Leaf Software
> 1-202-527-9569
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
>
> 
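One way to do what Dave suggests, as an added example that is not code from either poster: read the identity IIS has already established for the request and only stamp the module when it belongs to the assignee. It assumes IIS has Windows Authentication (Negotiate/Kerberos) enabled and anonymous access disabled for the e-sign page, and the `session.moduleAssignee`, `url.moduleId` and `markModuleSigned()` names are hypothetical application pieces. Note that this confirms the OS session identity the PIV logon produced; it is not a fresh credential entry like the old password prompt.

```cfml
<cfscript>
// Added example (not from the thread). Returns a struct saying whether the
// request may be treated as e-signed by expectedSamAccountName, the user the
// module is assigned to. authType/authUser are the CGI values IIS presents.
struct function verifyKerberosSigner(
    required string expectedSamAccountName,
    required string authType,
    required string authUser
) {
    var result = { "signed": false, "reason": "", "signer": "" };

    // Accept only an identity established by Negotiate (Kerberos/NTLM).
    // "Basic" would mean a password was typed, which PIV users cannot do;
    // an empty AUTH_TYPE means IIS let the request through anonymously.
    if (compareNoCase(arguments.authType, "Negotiate") != 0) {
        result.reason = "AUTH_TYPE is '" & arguments.authType & "', expected Negotiate";
        return result;
    }

    // IIS presents the account as DOMAIN\user; keep only the account name.
    var samAccountName = trim(listLast(arguments.authUser, "\"));
    if (!len(samAccountName)) {
        result.reason = "AUTH_USER is empty";
        return result;
    }

    // The authenticated user must be the person the module is assigned to.
    result.signer = samAccountName;
    if (compareNoCase(samAccountName, arguments.expectedSamAccountName) != 0) {
        result.reason = "authenticated user does not match the module assignee";
        return result;
    }

    result.signed = true;
    return result;
}

// Usage: stamp the module only when the check passes, and log every refusal
// (hypothetical session/url names; markModuleSigned() is an app function).
signature = verifyKerberosSigner(session.moduleAssignee, cgi.auth_type, cgi.auth_user);
if (signature.signed) {
    markModuleSigned(moduleId = url.moduleId, signer = signature.signer, signedAt = now());
} else {
    writeLog(file = "esign", text = "E-sign refused for " & cgi.remote_addr & ": " & signature.reason);
}
</cfscript>
```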

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359020