Re: [Fed-Talk] How to setup CAC authentication in Safari
- Subject: Re: [Fed-Talk] How to setup CAC authentication in Safari
- From: Bill Frame <email@hidden>
- Date: Thu, 10 Jul 2008 21:12:08 -0700
- Thread-topic: [Fed-Talk] How to setup CAC authentication in Safari
The CAC shows at the top left corner of the Keychain.
I installed Shawn Geddis’ patch.
I set up the ID preference for the correct cert to the https://akocac.us.army.mil/.
No change. Still doesn’t do anything the web site recognizes as a CAC.
Bill Frame (CTR)
Joint Program Executive Office for
Chemical and Biological Defense
Software Support Activity, San Diego, CA
Senior Systems Engineer
Desk: 619.553.0799 Cell: 619.992.8983
email@hidden
From: Paul Nelson <email@hidden>
Date: Wed, 09 Jul 2008 15:15:34 -0500
To: Bill Frame <email@hidden>, Apple Fed Talk <email@hidden>
Conversation: [Fed-Talk] How to setup CAC authentication in Safari
Subject: Re: [Fed-Talk] How to setup CAC authentication in Safari
Bill,
I think you would be helped out a lot if you had the Army golden master for your Mac. It should take care of making sure your CAC works properly. You would still have the various problems connecting to web sites however.
Here are some simple steps to see if the CAC is working with the card reader.
- Remove the CAC from the reader
- Launch the Keychain Access utility (in Applications / Utilities)
- In the extreme lower left corner of the window, you will see a button with a triangle in it. Click this button so the triangle points UP. This will change your window so it displays a list of keychains
- With the list of keychains showing on the left side of the window, insert your CAC and wait a few seconds. You should see a new item appear at the top of the list. The new item will have a name starting with the letters CAC.
If NO item appears in the window, follow these troubleshooting steps:
- Unplug the smartcard reader, remove the CAC from the reader
- Reboot the Mac
- Launch the Console utility (in Applications / Utilities).
- Make sure the Console window says “All Messages” at the top. If it does NOT say “All Messages”, then choose “Open Quickly” then “LOG DATABASE QUERIES” then “All Messages” from the File menu.
- Watch the Console window (it should say “All Messages” at the top) and connect your card reader. You should see messages identifying the card reader. If you don’t, your card reader may not be working, or may need to be flashed with newer firmware. Check the manufacturer’s site for information about firmware.
- If the card reader messages appear in the console window, insert your CAC into the reader. You should see messages indicating that a card was inserted. You may see some error messages too.
- Launch the Activity Monitor utility (in Applications / Utilities). Choose “Activity Monitor” from the Window menu.
- In the Activity Monitor window, click on the Process ID column until you see a triangle pointing down. You want to see process ids sorted with the largest number first.
- You should see a process named CAC in the list. If not, your card reader and CAC combination is not supported by the OS. You may have to try a different kind of card reader. If you have Thursby’s AFC product installed, you will see a process named AMSmartCard appear instead of “CAC”.
- If you do not see the CAC process, look at the Console window (All Messages). If you see an error message with “Protocol type of card (T=1) not supported by this driver for this type of reader (TPDU)” you are experiencing a known problem with Leopard. Shawn Geddis posted a link to an installer that may fix this particular issue.
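
The last three checks in the message above (token process present, or the T=1 error logged) can also be made from text captures. This is an added example, not part of the original message or of any Apple or Thursby tool; the capture commands named in the comments, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify the outcome of the troubleshooting steps from two text captures
# instead of reading Console and Activity Monitor by eye.

# Error string quoted in the message above (known Leopard issue).
T1_ERR='Protocol type of card (T=1) not supported by this driver for this type of reader (TPDU)'

# token_process PROC_LIST
# PROC_LIST holds one command name per line (assumed capture: ps -axc -o comm).
# Prints the token process found (CAC or AMSmartCard); returns 1 if neither.
token_process() {
    for name in CAC AMSmartCard; do
        # Trim padding, then match the whole line so "CACHelper" is not "CAC".
        if printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
            grep -Fxq "$name"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# diagnose PROC_LIST LOG_TEXT
# LOG_TEXT is the console log text (assumed capture: /var/log/system.log).
diagnose() {
    if proc=$(token_process "$1"); then
        printf 'OK: token process %s is running\n' "$proc"
    elif printf '%s\n' "$2" | grep -Fq "$T1_ERR"; then
        printf 'KNOWN-ISSUE: T=1 protocol not supported by reader driver\n'
    else
        printf 'UNSUPPORTED: no CAC process and no T=1 error logged\n'
    fi
}

# Constructed sample captures (not real output from any machine).
SAMPLE_PS_OK='launchd
Safari
CAC'
SAMPLE_PS_AFC='launchd
AMSmartCard'
SAMPLE_PS_NONE='launchd
CACHelper
Safari'
SAMPLE_LOG_T1="Jul 10 21:02:11 host example[52]: $T1_ERR"
SAMPLE_LOG_CLEAN='Jul 10 21:02:11 host example[52]: card inserted'

diagnose "$SAMPLE_PS_NONE" "$SAMPLE_LOG_T1"
```
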
From: Bill Frame <email@hidden>
Date: Wed, 9 Jul 2008 10:59:10 -0700
To: Apple Fed Talk <email@hidden>
Subject: Re: [Fed-Talk] How to setup CAC authentication in Safari
Unfortunately, there seems to be a problem with participants of this list operating at the extremes of competence on the OS X system administration. I’ve owned a Mac for nearly 3 months, so I’m obviously at the bottom end.
Since I didn’t try to use the CAC until June, I started with 10.5.3, so 10.5.3’s changes didn’t apply to my situation. 10.5.4 did solve some issues that it wasn’t supposed to, but the CAC recognition problem is still there.
Some people are talking about how the CAC is recognized by the machine, but not by the target web site. How do they know? Someone mentioned the CAC certs showing in the Keychain, but mine show there when the CAC is not attached. When I go to AKO or the Navy PKI site, they obviously do not see the CAC.
Another thing was setting the system log to record website URLs:
http://lists.apple.com/archives/Fed-talk/2008/Jul/msg00024.html
The “troubleshooting” section probably has some incredibly useful information, but it leaves out most of the steps involved. The commands to do this don’t help a lot if you’re not familiar with how to do command line in OS X. I haven’t done Unix command line since the early 90s, so I’m not up on what is safe and what isn’t, or whether there are intermediate steps after bringing up the Terminal.
http://www.apple.com/itpro/federal/ has a lot of marketing stuff, but I’m not finding anything that says “this is what you need to do, and look here if it doesn’t work”.
I would love to walk away from Windows. The reason I have the Mac is because I spent 3 days fixing a .net framework issue on XP. I can set up an XP box to access the sites requiring a CAC in less than 15 minutes. After one walk-through by the Navy support guy, I’ve set up 5 machines on my own. I’ve been trying to get the Mac running since early June, so far unsuccessfully. So far, every person I talked to at work that uses a Mac, either it worked when they plugged in the reader, or it never has worked and nobody can figure out why.
I know how frustrating it can be doing detailed instructions for newbies, but that’s where some of us are. Anybody up to the challenge?
Bill Frame (CTR)
Joint Program Executive Office for
Chemical and Biological Defense
Software Support Activity, San Diego, CA
Senior Systems Engineer
Desk: 619.553.0799 Fax: 619.553.6902
Cell: 619.992.8983
email@hidden