Pkinit support

The Thursby solution is addon software. It is under my impression the MacOS specifically Snow Leopard had this builtin. But from my experience Apple claims that Kerberos is also builtin. However you don't get SSO (single-signon) in packages like Safari, screen lock, and AFP unless you use Mac's OpenDirectory and Kerberos or their competitors similiar product ActiveDirectory. My guess is unlike Linux, Mac went down the Microsoft path with SSO, and the only way for it to work is with their infrastructure. Too bad, Kerberos infrastructures have been around a long time, and some groups have been using it for years for SSO with enhancements for One Time Passcodes AND smartcards.

Thanks for your help.

Actually I did watch the video and from that video confirmed that PKINIT was supported. However the video also talked about Kerberos and how Macs implementation uses Local KDCs (LKDC) and Macs OpenDirectory, which appears to provide an Enterprise realm like Kerberos service like Active Directory. He never did talk about cross realm trust between the LKDCs and how one would set that up.

My guess is Macs PKINIT requires Macs OpenDirectory for KDC certificates and user certificates. Its a shame that Apple keeps the details of their deployment of PKINIT a secret. At least Microsoft published its early deployment through an infromational RFC.