From: Timothy J Miller <email@hidden>
Date: Wed, 2 Apr 2008 15:39:59 -0500
To: carlos <email@hidden>
Cc: <email@hidden>
Subject: Re: [Fed-Talk] Another CAC on NERP Question
On Apr 2, 2008, at 2:59 PM, carlos wrote:
> I was told that CAC login on NERP should work. I've had no success so far, so
> I created a new user and tried again with the same result:
>
>     The website "xx.xx.navy.mil" did not accept the certificate
>     "VELAZQUEZ.CARLOS.A.1234567890"
>
>     This website requires a certificate to validate your identity. Select the
>     certificate to use when you connect to this website, then click Continue.
>
> It then lists two certificates.
This sounds like a cert selection issue.
Safari, by default, will select the first cert on the CAC for
authentication. On 99.9% of CACs, this is the ID cert. Some web
applications are expecting to see your email address or AD UPN in the
cert. These are only in your email signing cert.
There are a couple of things you can try:
- Run LEAP if it's installed in your domain. LEAP takes your ID cert
and populates a number of AD attributes based on it. One of these can
be used by Microsoft's IIS webserver to determine which account is
tied to your ID cert. If NERP is based on an AD backend--and that
backend is in the same domain as your account--this may fix the
issue. You'll need to run LEAP every time you get a new CAC.
- You can set an identity preference. An ID pref tells Safari to use
a particular cert for a particular site. On Leopard, open Keychain
Access, insert your CAC, select the CAC and select your email signing
certificate. (You can tell which is which only by opening the cert
and looking at the details. The email signing cert has your email
address *and* your NT Principal Name under the Subject Alternative
Name extension.) Right click on the email signing cert and select
"New Identity Preference..." Set a name and a URL for the site.
You'll need to update this preference when you get a new CAC.
(Note on Tiger, you need a tool to set an ID pref. Shawn Geddis has
posted one to this list before, but my copy is on my backup disk at
home at the moment.)
- You can install a package from Thursby Software that puts in their
CAC tokend and a PrefPane that allows you to suppress the ID
certificate. This will cause Safari to pick the email signing cert.
While simple, you need the PrefPane and tokend, and you won't be able
to use the ID cert anywhere, even if you want to, without turning the
suppression off.
- You can use CAC-enabled Firefox and set the cert selection behavior
to "Ask me every time." This gets a little annoying, but will
generally work. However, current versions of Firefox are ...
unstable ... with Apple's PKCS#11 module. Red Hat's Coolkey is
better, but still squirrelly.
> I then added all my DoD certs to the keychain. Still no joy.
You don't need to do this.
> Overall, not a single site that uses the CAC to log in (not just
> authentication) has worked (MacOS 10.4.11, ADmitMac for CAC). No
> problem with OWC for NMCI.
>
> Anyone have this working?
I don't have access to NERP, but I have OWA working fine. Since the
OWA servers reside in my domain, I did the LEAP option so my ID cert
will work. I've also set ID preferences for a couple of other sites.
-- Tim
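An added example, not part of the original thread or any of its posters' tools, for the identity-preference option Tim describes: the two CAC certificates carry the same common name, so the script below tells them apart by the SubjectAltName contents (rfc822 email address plus the Microsoft UPN otherName, OID 1.3.6.1.4.1.311.20.2.3, on the email-signing cert only) and then pins that cert to a site with the `security` CLI. Assumptions: `openssl` 1.1.1 or later is on PATH; the two certificates are self-signed stand-ins generated locally (constructed test data, not real DoD CAC certs; on a real Mac you would point `classify_cert` at PEM files exported from Keychain Access); and `security set-identity-preference -Z <sha1>` is used to select by certificate hash, since `-c` selects by common name and cannot distinguish the two CAC certs. The site URL is the placeholder from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): tell a CAC email-signing
# certificate from the ID certificate by its SubjectAltName, then set a
# Safari identity preference for it with the macOS `security` CLI.
# Assumptions: openssl 1.1.1+ on PATH; the certs below are self-signed
# stand-ins generated here, NOT real DoD CAC certificates.
set -eu

UPN_OID="1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name otherName

# Print "email-signing" if the cert's SAN carries an rfc822 email address
# and an otherName (the UPN), otherwise "id". Older OpenSSL prints the
# otherName as "othername:<unsupported>", newer as "othername: UPN::...";
# both contain "othername", so the match works on either.
classify_cert() {
    san=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
          | awk '/Subject Alternative Name/ { getline; print; exit }')
    case "$san" in
        *email:*othername*|*othername*email:*) echo "email-signing" ;;
        *)                                     echo "id" ;;
    esac
}

# SHA-1 fingerprint of a cert as 40 hex digits, the form `security -Z` takes.
cert_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g'
}

# Generate the two stand-in certs into directory $1 (constructed test data).
# Both share the CAC-style CN, which is exactly why CN-based selection fails.
make_test_certs() {
    dir=$1
    subj="/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=VELAZQUEZ.CARLOS.A.1234567890"
    # ID cert: no email address and no UPN in the SAN.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -keyout "$dir/id.key" -out "$dir/id.pem" >/dev/null 2>&1
    # Email-signing cert: email plus UPN otherName, as the thread describes.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -addext "subjectAltName=email:carlos@example.mil,otherName:${UPN_OID};UTF8:1234567890@mil" \
        -keyout "$dir/email.key" -out "$dir/email.pem" >/dev/null 2>&1
}

# Pin the given cert (by SHA-1 hash) to a site URL for Safari. On a
# non-macOS host there is no `security` binary, so just show the command.
set_id_pref() {
    cert=$1; site=$2
    hash=$(cert_sha1 "$cert")
    if command -v security >/dev/null 2>&1; then
        security set-identity-preference -Z "$hash" -s "$site"
    else
        echo "would run: security set-identity-preference -Z $hash -s $site"
    fi
}

main() {
    tmp=$(mktemp -d)
    make_test_certs "$tmp"
    for f in "$tmp/id.pem" "$tmp/email.pem"; do
        echo "$(basename "$f"): $(classify_cert "$f")"
    done
    # Pin whichever cert is the email-signing one to the site from the thread.
    for f in "$tmp/id.pem" "$tmp/email.pem"; do
        if [ "$(classify_cert "$f")" = "email-signing" ]; then
            set_id_pref "$f" "https://xx.xx.navy.mil"
        fi
    done
    rm -rf "$tmp"
}

main "$@"
```

Run it once per new CAC, as the post notes the preference must be reset each time the card is replaced; `classify_cert` is also a quick way to confirm which of the two identically named certs Safari is offering first.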