Re: [Fed-Talk] Problems with Keychain/AF WebMail/CAC
- Subject: Re: [Fed-Talk] Problems with Keychain/AF WebMail/CAC
- From: Mike Jackson <email@hidden>
- Date: Tue, 22 May 2007 12:22:02 -0400
On May 22, 2007, at 12:08 PM, Timothy J. Miller wrote:
> Mike Jackson wrote:
>> Lately I have been having trouble logging into the AFMC webmail
>> server using my CAC card. Most of the time anymore I simply get
>> the "Unauthorized" page displayed.
> Check with your CSAs and ask if they deployed LEAP. If they did,
> have them force your account to run the LEAP script again. When
> that happens, be sure to register your *ID* certificate rather than
> your email signing certificate.
> What's happening here is Safari is sending the server your ID cert,
> which the server is rejecting. But since the server is (IMHO,
> incorrectly) sending back an HTTP error (the "unauthorized" page)
> rather than an SSL error, Safari is not seeing the rejection
> correctly and selecting a different certificate.
> Re-running LEAP is one workaround.[1] Another workaround is the
> bits Paul Nelson posted that suppress the ID cert, so Safari
> auto-selects the email signing cert. I lost the link but it's in the
> fed-talk archives somewhere.
> -- Tim
> [1] What LEAP does is runs a login script that sends you to an
> internal website where CAC authentication is required. This
> website takes the cert you authenticate with and writes a number of
> attributes to your AD user object. One of these attributes is
> called altSecurityIdentities with the issuer and subject names from
> the cert. IIS (like the OWA front-end server) will use this
> attribute to aid mapping certs to user accounts for authorization.
> See:
> http://www.microsoft.com/technet/security/guidance/identitymanagement/idmanage/P3Extran_5.mspx
Well I logged in as ">console" and proceeded to blow away
/Library/Caches/*, /System/Library/Caches/*, /Library/Preferences/com.apple.*,
and ~/Library/Preferences/com.apple.keychainaccess*.
I also blew away /var/db/TokenCache/tokens/* and then restarted the
machine.
A couple of things happened. The multiple "login" keychains were now gone,
replaced with a single "login" keychain.
I was able to insert my CAC card, log onto
https://webmail.afmc.af.mil/Exchange/, enter my PIN and actually get OWA to
work. This lasted about an hour. I clicked on the "Check for New
Mail" icon on the OWA web page and got the dreaded "Unauthorized"
page again. I also have installed the CAC for Mac thingy from Thursby
to make the "correct" available to Safari.
So at some level I can get to OWA without having to do anything
from the NIPR Net as suggested above.
Also, the hardware I am running is a MacBook Pro Core Duo with an SCM
SCR331 flashed with Firmware 5.22.
So I am not sure what the deal with the limited time is. But short of
repeating everything that I did above, I cannot get back into OWA. I
am also assuming that nothing is going on where the servers are and
those servers are functioning normally.
Thanks for the help
--
Mike Jackson Senior Research Engineer
Innovative Management & Technology Services
WPAFB, Dayton Ohio
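The footnote in Tim's quoted reply describes the altSecurityIdentities mapping that IIS and AD use to tie a presented client certificate to an account, and why registering the email signing cert while the browser sends the ID cert ends in "Unauthorized". The following is an added illustration written for this archive page; it is not code from the thread, from LEAP or from Microsoft. It models only the explicit issuer/subject mapping form (`X509:<I>issuerDN<S>subjectDN`), and every DN, CA name and account name in it is a constructed placeholder.

```python
"""Model of the altSecurityIdentities certificate-to-account mapping.
Added example code, not from the thread; all DNs and accounts are constructed."""
import re

# Shape of an explicit issuer/subject mapping in altSecurityIdentities:
#   X509:<I>issuerDN<S>subjectDN
MAPPING_RE = re.compile(r"^X509:<I>(?P<issuer>.*?)<S>(?P<subject>.*)$")


def to_ad_order(dn):
    """Return a DN in the root-first order AD stores the mapping in
    (C=... first).  A certificate's RFC 2253 string lists the CN first, so
    the components are reversed here.  Splitting on ',' does not handle
    escaped commas inside RDN values; a real tool parses the DN structurally."""
    return ",".join(reversed([p.strip() for p in dn.split(",")]))


def canonical(dn):
    """Case-insensitive, whitespace-insensitive form used for comparison."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def build_mapping(issuer_dn, subject_dn):
    """Build the attribute value a LEAP-style registration page would write
    for the certificate the user authenticated with (RFC 2253 DNs in)."""
    return f"X509:<I>{to_ad_order(issuer_dn)}<S>{to_ad_order(subject_dn)}"


def parse_mapping(value):
    """Split one attribute value into (issuerDN, subjectDN) as stored."""
    m = MAPPING_RE.match(value)
    if not m:
        raise ValueError(f"not an issuer/subject mapping: {value!r}")
    return m.group("issuer"), m.group("subject")


def map_cert_to_user(presented_issuer, presented_subject, directory):
    """Return the sAMAccountName whose altSecurityIdentities matches the
    presented certificate, or None when nothing matches.  `directory` maps
    account name -> list of altSecurityIdentities values (constructed stand-in
    for an AD lookup).  A None here is what surfaces at the OWA front end as
    the HTTP 'Unauthorized' page rather than a TLS-level rejection."""
    want = (canonical(to_ad_order(presented_issuer)),
            canonical(to_ad_order(presented_subject)))
    for account, values in directory.items():
        for value in values:
            try:
                issuer, subject = parse_mapping(value)
            except ValueError:
                continue  # some other mapping type on this account; skip it
            if (canonical(issuer), canonical(subject)) == want:
                return account
    return None


# Constructed sample: two certificates from one card.  The ID (authentication)
# cert and the email signing cert share a subject but come from different
# issuing CAs, so they are different identities to the mapping.
ID_CERT = (
    "CN=EXAMPLE ID CA,OU=PKI,O=Example Gov,C=US",
    "CN=JACKSON.MIKE.0000000000,OU=USAF,OU=PKI,O=Example Gov,C=US",
)
EMAIL_CERT = (
    "CN=EXAMPLE EMAIL CA,OU=PKI,O=Example Gov,C=US",
    "CN=JACKSON.MIKE.0000000000,OU=USAF,OU=PKI,O=Example Gov,C=US",
)

# The user ran the registration script while authenticating with the email
# signing certificate, so only that certificate is mapped on the account.
DIRECTORY = {
    "mjackson": [build_mapping(*EMAIL_CERT)],
    "other.user": ["X509:<I>C=US,O=Example Gov,OU=PKI,CN=EXAMPLE ID CA"
                   "<S>C=US,O=Example Gov,OU=PKI,OU=USAF,CN=OTHER.USER.1111111111"],
}


def diagnose(cert, directory=DIRECTORY):
    """Account the front end would map `cert` to, or None (-> Unauthorized)."""
    return map_cert_to_user(cert[0], cert[1], directory)


if __name__ == "__main__":
    print("browser sends email signing cert ->", diagnose(EMAIL_CERT))  # mjackson
    print("browser sends ID cert            ->", diagnose(ID_CERT))     # None
```

Run as a script it prints the two outcomes the thread discusses: the registered email signing cert maps to the account, while the ID cert the browser actually sends maps to nothing. The fix the reply suggests is visible in the data model: re-registering with the ID cert (or adding a second altSecurityIdentities value built from it) makes the presented cert match, which is the defender-side check to run against the account before assuming the client is at fault.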
Fed-talk mailing list (email@hidden)