Re: [Fed-Talk] Another CAC on NERP Question
- Subject: Re: [Fed-Talk] Another CAC on NERP Question
- From: carlos <email@hidden>
- Date: Wed, 02 Apr 2008 20:37:43 -0400
- Thread-topic: [Fed-Talk] Another CAC on NERP Question
I can't run LEAP since a while back my Mac stopped working on the NMCI
network (it was authorized and just stopped when they upgraded to the 2003
suite of products; they never determined why).
Before I install Leopard on my Mac let me ask. Before I created the new
user, I saw three certs to choose from; on the new user, only two. That
makes me think it is selecting one. I am also able to pick the other two
when prompted but they do not work. Is it not safe to assume that since
selecting any of the certs manually doesn't work, an identity preference will
not work either since it is just selecting one of those certs automatically?
I'm not trying to be argumentative, I just want to make sure I have to go
the Leopard route since I know some of the other things I need will break
(like Classic).
Thanks in advance.
> From: Timothy J Miller <email@hidden>
> Date: Wed, 2 Apr 2008 15:39:59 -0500
> To: carlos <email@hidden>
> Cc: <email@hidden>
> Subject: Re: [Fed-Talk] Another CAC on NERP Question
>
> On Apr 2, 2008, at 2:59 PM, carlos wrote:
>> I was told that CAC login on NERP should work. I've had no success
>> so far so I created a new user and tried again with the same result:
>>
>> The website "xx.xx.navy.mil" did not accept the certificate
>> "VELAZQUEZ.CARLOS.A.1234567890"
>>
>> This website requires a certificate to validate your identity.
>> Select the certificate to use when you connect to this website, then
>> click Continue.
>>
>> It then lists two certificates.
>
> This sounds like a cert selection issue.
>
> Safari, by default, will select the first cert on the CAC for
> authentication. On 99.9% of CACs, this is the ID cert. Some web
> applications are expecting to see your email address or AD UPN in the
> cert. These are only in your email signing cert.
>
> There are a couple of things you can try:
>
> - Run LEAP if it's installed in your domain. LEAP takes your ID cert
> and populates a number of AD attributes based on it. One of these can
> be used by Microsoft's IIS webserver to determine which account is
> tied to your ID cert. If NERP is based on an AD backend--and that
> backend is in the same domain as your account--this may fix the
> issue. You'll need to run LEAP every time you get a new CAC.
>
> - You can set an identity preference. An ID pref tells Safari to use
> a particular cert for a particular site. On Leopard, open Keychain
> Access, insert your CAC, select the CAC and select your email signing
> certificate. (You can tell which is which only by opening the cert
> and looking at the details. The email signing cert has your email
> address *and* your NT Principal Name under the Subject Alternative
> Name extension.) Right click on the email signing cert and select
> "New Identity Preference..." Set a name and a URL for the site.
> You'll need to update this preference when you get a new CAC.
>
> (Note on Tiger, you need a tool to set an ID pref. Shawn Geddis has
> posted one to this list before, but my copy is on my backup disk at
> home at the moment.)
>
> - You can install a package from Thursby Software that puts in their
> CAC tokend and a PrefPane that allows you to suppress the ID
> certificate. This will cause Safari to pick the email signing cert.
> While simple, you need the PrefPane and tokend, and you won't be able
> to use the ID cert anywhere, even if you want to, without turning the
> suppression off.
>
> - You can use CAC-enabled Firefox and set the cert selection behavior
> to "Ask me every time." This gets a little annoying, but will
> generally work. However, current versions of Firefox are ...
> unstable ... with Apple's PKCS#11 module. Red Hat's Coolkey is
> better, but still squirrelly.
>
>> I then added all my DoD certs to the keychain. Still no joy.
>
> You don't need to do this.
>
>> Overall, not a single site that uses the CAC to login, not just
>> authentication, has worked (MacOS 10.4.11, ADmitMac for CAC). No
>> problem with OWC for NMCI.
>>
>> Does anyone have this working?
>
> I don't have access to NERP, but I have OWA working fine. Since the
> OWA servers reside in my domain, I did the LEAP option so my ID cert
> will work. I've also set ID preferences for a couple of other sites.
>
> -- Tim
>
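Tim's reply says the only way to tell the email signing cert from the ID cert is to open each one and look for the email address and NT Principal Name in the Subject Alternative Name extension. The script below does that check from a DER-encoded certificate, so you can see which of the certs Safari is being offered is the one an AD-backed site like NERP wants before setting an identity preference. It is an added example, not code from this thread or from any of the vendors named in it. It uses only the Python standard library (a small DER walker instead of the `cryptography` package). Real input would be a certificate exported from the keychain, for example `security find-certificate -a -p -c VELAZQUEZ | openssl x509 -outform DER`; the two certificates in the block are constructed stand-ins in which only the SAN is realistic, and the email address, UPN and FASC-N value are invented.

```python
"""Classify CAC certificates by their Subject Alternative Name: the email signing
cert carries an rfc822Name plus a Microsoft UPN otherName, the ID cert does not.
Added example (stdlib-only DER walker); sample certificates below are constructed."""

OID_SAN = bytes.fromhex("551d11")                    # 2.5.29.17 subjectAltName
OID_MS_UPN = bytes.fromhex("2b060104018237140203")   # 1.3.6.1.4.1.311.20.2.3 Microsoft UPN
OID_FASCN = bytes.fromhex("6086480165030606")        # 2.16.840.1.101.3.6.6 FASC-N (CAC ID cert)

def der_read(buf, pos=0):
    """Read one DER TLV at pos (single-byte tags, as in X.509); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the contents of a constructed TLV into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out

def decode_oid(raw):
    """Dotted-decimal form of an encoded OBJECT IDENTIFIER."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def find_extension(der, oid):
    """Depth-first search for Extension ::= SEQUENCE { extnID OID, critical BOOL OPTIONAL,
    extnValue OCTET STRING }; return the extnValue contents, or None if absent."""
    def walk(tag, value):
        if tag == 0x30:
            kids = der_children(value)
            if kids and kids[0] == (0x06, oid):
                return kids[-1][1]
        if tag & 0x20:                                 # constructed: descend
            for t, v in der_children(value):
                found = walk(t, v)
                if found is not None:
                    return found
        return None
    return walk(*der_read(der)[:2])

def parse_san(extn_value):
    """Return (emails, upns, other_name_oids). GeneralName uses IMPLICIT tags: [1] rfc822Name
    is 0x81; [0] otherName is 0xA0 wrapping SEQUENCE { type-id OID, value [0] EXPLICIT ANY }."""
    emails, upns, others = [], [], []
    _, names, _ = der_read(extn_value)
    for tag, v in der_children(names):
        if tag == 0x81:
            emails.append(v.decode("ascii"))
        elif tag == 0xA0:
            (_, type_id), (_, wrapped) = der_children(v)[:2]
            _, inner, _ = der_read(wrapped)            # unwrap the [0] EXPLICIT value
            if type_id == OID_MS_UPN:
                upns.append(inner.decode("utf-8"))     # UTF8String
            else:
                others.append(decode_oid(type_id))
    return emails, upns, others

def classify(der):
    """'email signing' when the SAN has both an email address and a UPN, else 'identity'."""
    san = find_extension(der, OID_SAN)
    emails, upns, others = parse_san(san) if san is not None else ([], [], [])
    kind = "email signing" if emails and upns else "identity"
    return {"kind": kind, "emails": emails, "upns": upns, "other_names": others}

# --- constructed sample input (not real CAC certificates) ---------------------
def tlv(tag, content):
    """Encode one DER TLV (content shorter than 64 KiB)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content

def sample_cert(general_names):
    """Certificate-shaped DER: placeholder serial, sigAlg and signature, plus a real SAN extension."""
    ext = tlv(0x30, tlv(0x06, OID_SAN) + tlv(0x04, tlv(0x30, b"".join(general_names))))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0xA3, tlv(0x30, ext)))  # [3] extensions
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

EMAIL_CERT = sample_cert([                             # email signing cert: rfc822Name + UPN
    tlv(0x81, b"carlos.velazquez@example.mil"),
    tlv(0xA0, tlv(0x06, OID_MS_UPN) + tlv(0xA0, tlv(0x0C, b"1234567890@mil"))),
])
ID_CERT = sample_cert([                                # ID cert: FASC-N otherName only (zero placeholder)
    tlv(0xA0, tlv(0x06, OID_FASCN) + tlv(0xA0, tlv(0x04, bytes(25)))),
])

if __name__ == "__main__":
    for label, der in (("cert 1", EMAIL_CERT), ("cert 2", ID_CERT)):
        print(label, classify(der))
```

Once the script reports which cert is the email signing one, the Keychain Access "New Identity Preference..." step from Tim's reply has a command-line counterpart in macOS's `security` tool: `security set-identity-preference -c "<that cert's common name>" -s "https://xx.xx.navy.mil"`. As Tim notes, the preference points at one specific certificate, so it has to be redone whenever a new CAC is issued.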
Fed-talk mailing list (email@hidden)