Re: [Fed-Talk] Air Force Webmail - CAC access
- Subject: Re: [Fed-Talk] Air Force Webmail - CAC access
- From: "Timothy J. Miller" <email@hidden>
- Date: Fri, 11 May 2007 14:52:53 -0500
Matthew Smith wrote:
> I'm a Client Support Administrator (CSA) for the Air Force and due
> to recent security changes in the Air Force, our webmail now requires a
> CAC to get in from home. We have instructions and software for Windows
> users, and my responsibility is to make some instructions for Mac
> users.

See:
http://images.apple.com/server/pdfs/Smart_Card_Setup_Guide.pdf
and
https://afpki.lackland.af.mil/html/kbsearchdetail.asp?id=360
(You'll need to access the site from work.)
I'd dump both of those readers. OS X works best with CCID compliant
readers but Cherry hasn't supported CCID in any of its readers as far as
I know and SCM has pretty much dropped support for the SCR301. I prefer
the SCR331 (with firmware 5.18 or later, can only be updated on Windows)
myself, though I have an SCR3310 on order.
With the right reader all you have to do is plug it in. :)
Once you get a working reader, be aware that you'll need to install the
*second* DoD PKI root CA certificate in X509Anchors, and the new sub-CAs
(11-18) in either the X509Certificates keychain or your login keychain.
At some point the new DoD root will be pre-installed (just like the
old one is), but AFAIK this hasn't happened yet.
Also be aware that to work best with AF CAC-enabled OWA, you'll need to
run LEAP on your user account again and ensure that you authenticate to
LEAP with your ID certificate (the one issued from a CA that *doesn't*
have "EMAIL" in the name). If you want to do it the hard way, you can
add your ID cert issuer and subject DNs to the altSecurityIdentities
attribute of your AD account.
If you still can't get Safari to authN to OWA, Firefox will work. The
FF extension the second article points to works like a champ for me (I
wrote the KB article). FF will throw up a bunch of error dialogs when
installing the certs, but they can be ignored.

> The ways I've tried to check to see if the card (Gemplus GXP3 64V2N)
> works are to look at the keychain lists (nothing) and to open up the
> Common Access Card Viewer 2.1 application from Apple.

Don't bother. When it's working in 10.4 you'll see the CAC show up in
Keychain Access.
-- Tim
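
Added example, not part of the original message: a sketch of the "hard way" mentioned above, building an altSecurityIdentities value from the ID certificate's issuer and subject DNs and refusing a certificate issued by an "EMAIL" CA. It assumes the DNs are given in RFC 4514 string order (leaf first) and that the mapping takes the `X509:<I>issuer<S>subject` form with components listed root first; the DNs and function names are constructed for illustration.

```python
EMAIL_MARK = "EMAIL"  # per the message: the ID cert's CA has no "EMAIL" in its name


def split_rdns(dn):
    """Split an RFC 4514 DN string on commas that are not backslash-escaped."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends one RDN
            parts.append("".join(buf).lstrip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).lstrip())
    if any("=" not in p for p in parts):
        raise ValueError("not a DN: %r" % dn)
    return parts


def root_first(dn):
    """Reorder a leaf-first DN string so the root component (e.g. C=) comes first."""
    return ",".join(reversed(split_rdns(dn)))


def alt_security_identity(issuer_dn, subject_dn):
    """Return the mapping string, rejecting certificates from an EMAIL CA."""
    issuer_cn = next(
        (p for p in split_rdns(issuer_dn) if p.upper().startswith("CN=")), "")
    if EMAIL_MARK in issuer_cn.upper():
        raise ValueError("issuer %r is an EMAIL CA; use the ID certificate" % issuer_cn)
    return "X509:<I>%s<S>%s" % (root_first(issuer_dn), root_first(subject_dn))


# Constructed sample DNs (not taken from a real card).
ISSUER = "CN=DOD CA-11,OU=PKI,OU=DoD,O=U.S. Government,C=US"
SUBJECT = "CN=DOE.JOHN.Q.0000000000,OU=USAF,OU=PKI,OU=DoD,O=U.S. Government,C=US"

if __name__ == "__main__":
    print(alt_security_identity(ISSUER, SUBJECT))
```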