The Centrify Apple Guys

Over the last two years, Centrify has continually expanded its smart card support for both Red Hat and Macintosh.  Our on-premise solutions support the reading and authentication with many well known existing and new US Military and Civilian smart cards.  This article helps explain those smart card characteristics and our on-going commitment to to the smart card community.

• CACNG / Dual Identity / Dual Persona

This card is called by many different names, from Dual-Persona [1], CACNG, and Dual-Identity. The card supports an on-going Government strategy to have both a Military (CAC) identity and Civilian (PIV) identity for one person.  Hence the name "dual identity" or "dual persona".  

The card has four certificates - CAC Identity, CAC Signing, CAC Encryption, and PIV Authorization. 

Centrify DirectControl for Mac and Centrify Express for Smart Card have supported this type of card since 2011.  In 2012, we upgraded our software so that one smart card driver (CACNG tokend) could read and present all four certificates.  See below for an example. 

Military CAC website [2] mentions Centrify Express as an enabler for Dual Persona cards.  

• Alternate Token Card (a.k.a. Alt-token card)

This is a card given to people who work for government, but do not have official DMDC CAC cards, e.g., contractors or temporary duty station military personnel.

It is similar to the CAC card, but it generally follows a different provisioning and certificate model.  Sometimes an Alt-token card will have one certificate, other times it may have two – depending on the roles assigned. In contrast, a regular CAC smart card will always have three certificates with specific purposes and conventions.

Centrify DirectControl for Mac, Centrify Express for Smart Card, and Centrify DirectControl for Red Hat have supported this smart card type since earlier in 2013. 

• Alternate Identity Smart Card (a.k.a. smart card user name mapping)

The "alternate identity" smart card is unique in how it’s created and provisioned within Active Directory.  This card generally lacks a UPN (User Principal Name), which uniquely identifies the smart card user to Active Directory.  This may be done in an attempt to grant different user privileges to one smart card certificate.  In this way, the user's certificate can be mapped to multiple Active Directory users, creating a convenient mechanism for IT Administrators who don’t want to create multiple smart cards for different user roles.  [3]

Centrify DirectControl for Mac, Centrify Express for Smart Card, and Centrify DirectControl for Red Hat will support this smart card type in the upcoming 2013.2 release of our software, which will be out in June.

• PIV-I (Interoperability)

Lastly, the PIV Interoperability card is often issued by organizations outside the federal government. [4]  From a workstation's perspective, the PIV-I card behaves in the same way as a federal PIV card, which DirectControl for Mac, Express for Smart Card, and DirectControl for Red Hat have supported since 2011.  

Centrify is very proud of our ongoing smart card support.  We continue to expand and support our government and non-government smart card customers with new product features.  Feel free to contact me further if you’d like to learn more about smart cards and Centrify’s software solutions.

[1] "Tactics, Techniques, & Procedures (TTP) – Dual Persona Personal Identity Verification (PIV) Authorization Certificate" http://www.jbmhh.army.mil/WEB/JBMHH/Master%20Files/images/TTP-DualPersonaPIVAuthCert.pdf

[2] Military CAC website: http://militarycac.com/cacenablers.htm

[3] "Mapping One Smartcard Certificate to Multiple Accounts." http://blogs.technet.com/b/askds/archive/2009/08/10/mapping-one-smartcard-certificate-to-multiple-ac...

[4] "Personal Identity Verification Interoperability For Non-Federal Issuers"https://cio.gov/wp-content/uploads/downloads/2012/09/PIV_Interoperabillity_Non-Federal_Issuers_May-2...

Every new software developer who works at Centrify attends a one-hour session with a man named Leo.  Leo, Lead Escalation Engineer, a tall man with a big, booming voice, with bigger personality, would tell the new hires.  "You do your jobs - develop new products and features.  But when I come to you for help, YOU DROP EVERYTHING AND HELP ME, BECAUSE I REPRESENT CUSTOMERS."

Leo signifies The Centrify Way better than anybody else.  We don't put the slogan "Customer Comes First" on the wall.  We live it.  When a customer problem needs attention of developers, it takes higher precedence over everything else we do.  Developers engage in both support and pre-sales activities quite a bit.

The heavy focus on supporting customers may sound challenging for developers, but I think it is great.  We learn so much from customers - real-world problems they face, market trend, and so on.

It also makes the work environment special, when people with different perspectives - customers, sales engineers, support engineers, developers - work together closely to achieve a common goal.  This is the kind of thing that makes my Cava or Sapporo taste better in the evening.

The Centrify Way, combined with our serious commitment to testing, is why we have an excellent customer retention rate of 97%.  

So please don't hesitate to tell us your needs and perspectives.  For example, you can post a comment in this blog or send me e-mail.  We will take it seriously.