Re: [Fed-Talk] Problems with Keychain/AF WebMail/CAC
- Subject: Re: [Fed-Talk] Problems with Keychain/AF WebMail/CAC
- From: "Timothy J. Miller" <email@hidden>
- Date: Tue, 22 May 2007 11:08:18 -0500
Mike Jackson wrote:
> Lately I have been having trouble logging into the AFMC webmail server
> using my CAC card. Most of the time anymore I simply get the
> "Unauthorized" page displayed.
Check with your CSAs and ask if they deployed LEAP. If they did, have
them force your account to run the LEAP script again. When that
happens, be sure to register your *ID* certificate rather than your
email signing certificate.
What's happening here is that Safari is sending the server your ID cert,
which the server is rejecting. But since the server is (IMHO,
incorrectly) sending back an HTTP error (the "unauthorized" page) rather
than an SSL error, Safari is not seeing the rejection correctly and
selecting a different certificate.
Re-running LEAP is one workaround.[1] Another workaround is the bits
Paul Nelson posted that suppress the ID cert, so Safari auto-selects the
email signing cert. I lost the link but it's in the fed-talk archives
somewhere.
-- Tim
[1] What LEAP does is run a login script that sends you to an internal
website where CAC authentication is required. This website takes the
cert you authenticate with and writes a number of attributes to your AD
user object. One of these attributes is called altSecurityIdentities
with the issuer and subject names from the cert. IIS (like the OWA
front-end server) will use this attribute to aid mapping certs to user
accounts for authorization. See:
http://www.microsoft.com/technet/security/guidance/identitymanagement/idmanage/P3Extran_5.mspx
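As an added illustration of the footnote above (example code, not part of Tim's message or of any Air Force, Microsoft or LEAP tooling): the script below models what the LEAP website and the IIS front end do with altSecurityIdentities. It builds the X509:<I>issuer<S>subject mapping string in the form Microsoft documents for that attribute (RDNs in reverse of the certificate's display order), stores it on a simulated user object, and then looks up which account a presented certificate maps to. All distinguished names, the user name and the two issuing CAs are constructed placeholders; the assumption that the ID cert and the email signing cert differ in issuer is made only so the example can show the "no mapping found" outcome.

```python
"""Model of altSecurityIdentities construction and certificate-to-account mapping.

Constructed example: DNs, account name and CA names below are placeholders,
not values from any real directory or PKI.
"""
from typing import Dict, List, Optional


def split_dn(dn: str) -> List[str]:
    """Split an RFC 4514-style DN string on unescaped commas into its RDNs."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:              # character following a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":          # unescaped comma terminates an RDN
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def to_ad_order(dn: str) -> str:
    """Reverse the RDN order, as the altSecurityIdentities syntax expects.

    A certificate viewer shows CN=user,OU=x,DC=example,DC=com; the attribute
    stores it as DC=com,DC=example,OU=x,CN=user.
    """
    return ",".join(reversed(split_dn(dn)))


def build_alt_security_identity(issuer_dn: str, subject_dn: str) -> str:
    """Produce the 'X509:<I>issuer<S>subject' value LEAP writes to the user object."""
    return f"X509:<I>{to_ad_order(issuer_dn)}<S>{to_ad_order(subject_dn)}"


def map_certificate(issuer_dn: str, subject_dn: str,
                    directory: Dict[str, List[str]]) -> Optional[str]:
    """Return the account whose altSecurityIdentities contains this cert's
    issuer/subject pair, or None (the web server's 'Unauthorized' case)."""
    wanted = build_alt_security_identity(issuer_dn, subject_dn)
    for account, identities in directory.items():
        if wanted in identities:
            return account
    return None


# Constructed placeholder names (not real CAs, users or domains).
ISSUER_EMAIL = "CN=EXAMPLE EMAIL CA 1,OU=PKI,O=Example Org,C=US"
ISSUER_ID = "CN=EXAMPLE ID CA 1,OU=PKI,O=Example Org,C=US"
SUBJECT = "CN=DOE.JOHN.1234567890,OU=Users,O=Example Org,C=US"

# Simulated AD: the LEAP run registered the *email signing* cert only.
DIRECTORY: Dict[str, List[str]] = {
    "jdoe": [build_alt_security_identity(ISSUER_EMAIL, SUBJECT)],
}


def check_email_cert() -> Optional[str]:
    """Browser presents the registered email signing cert: mapping succeeds."""
    return map_certificate(ISSUER_EMAIL, SUBJECT, DIRECTORY)


def check_id_cert() -> Optional[str]:
    """Browser presents the unregistered ID cert: no mapping, so 'Unauthorized'."""
    return map_certificate(ISSUER_ID, SUBJECT, DIRECTORY)


if __name__ == "__main__":
    print("stored value:", DIRECTORY["jdoe"][0])
    print("email signing cert maps to:", check_email_cert())
    print("ID cert maps to:", check_id_cert())
```

The lookup shows why registering the wrong certificate during the LEAP run produces a plain HTTP "Unauthorized" response rather than a TLS failure: the handshake succeeds, and it is only the later issuer/subject lookup against the user object that finds nothing. In a real deployment the mapping string would be written to the user object by the registration site rather than held in a dictionary, and an administrator re-registering an account would replace it the same way.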