Fed-Talk *DoD* Mac Users,
This is a bit overdue, so please accept my personal apology for the delay in providing a status update on the regression experienced by Mac OS X users who updated to Mac OS X 10.5.3 and who depend on a Common Access Card and Safari to securely authenticate to DoD web sites. I hope this message will be well received and provide everyone with the critical information they need to understand this issue and the available options.
Problem Status: *Active*
Customers Impacted: DoD / Smart Card users who upgraded to Mac OS X 10.5.3 and who are required to authenticate to various DoD Web portals using a CAC
Platform Affected: Mac OS X 10.5.3 - released 05/28/08
Services Affected: Safari 3.1.1 -- Web Access using Smart Cards to PKI protected US Federal Government websites (** All other services are NOT affected **)
ETA for a Fix: Unknown - working with DoD tester to assist and confirm a fix
Workaround: Archive Install -- revert to Mac OS X 10.5.2 while preserving Data/Apps. If you are on Mac OS X 10.5.2, hold off on upgrading until a fix is in place.
Delivery Vehicle: Plan to provide DoD customers with an installer to fix the regression until full resolution is available in a subsequent update.
Previous User Experience: Prior to upgrading to Mac OS X 10.5.3, users were able to successfully access PKI protected Government websites using their US Federal Government Smart Cards (i.e. DoD -> CAC). In some cases, the users would need to manually configure an association between which Certificate to use for the specific URL they were accessing.

User Regression: Several users are now no longer able to authenticate to those PKI/SmartCard protected websites. There is no simple workaround on 10.5.3 for this particular problem, so there was no quick change or modification to correct this. Authentication will fail within Safari, and Keychain Access will crash if the user attempts to view it while the Smart Card is inserted.
DoD Testing: We have been working with several DoD IT staff to assist in debugging and isolating the underlying regressions against DoD web portals. The testing has proven challenging and taken longer to isolate due to significant variations in client and server configurations. We have obtained more than enough testers to help isolate this problem.
You all will be the first to know when we have a patch available. We aim to help you get back to your productivity on the Mac as quickly as possible.
---
A bit more detail for those interested: Several servers are configured to accept (but not require) a client certificate which gives you different content depending on whether you have presented a certificate. In 10.5.3, Safari will prompt you to select the correct certificate -- but only if the certificate is *required* by the server (i.e. it returns an error.) We no longer automatically send the first certificate found to the site. In these cases, the users will need to manually configure an association between which Certificate (ID, Email Signing, Email Encryption) to use for the specific URL they are accessing due to the Server's configuration. We look to address the challenge of when servers are configured as *Optional* in a future release.
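To make the optional-vs-required distinction concrete, here is an added example (not Apple's code and not part of the original message) that runs an in-memory TLS connection in Go under both server policies: when the server merely requests a client certificate, the handshake completes with or without one and only the served content changes, so nothing signals the browser to pick a certificate; when the server requires one, the handshake itself fails. The self-signed certificates and the "public"/"cac-only" bodies are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed cert (constructed test material, not a real CAC).
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Handshake runs one in-memory TLS connection under the given server client-auth policy;
// sendCert says whether the client offers a cert. Returns the content served and the server error.
func Handshake(policy tls.ClientAuthType, sendCert bool) (string, error) {
	cliSide, srvSide := net.Pipe()
	cfg := &tls.Config{InsecureSkipVerify: true} // demo server cert is self-signed
	if sendCert {
		cfg.Certificates = []tls.Certificate{selfSigned("client")}
	}
	go func() { // the browser side: connect, then read whatever the server serves
		cli := tls.Client(cliSide, cfg)
		defer cli.Close()
		_, _ = cli.Read(make([]byte, 16))
	}()
	srv := tls.Server(srvSide, &tls.Config{Certificates: []tls.Certificate{selfSigned("server")}, ClientAuth: policy})
	defer srv.Close()
	if err := srv.Handshake(); err != nil {
		return "", err // "required" policy: a missing cert fails the handshake itself
	}
	// "optional" policy: the handshake succeeds either way; only the content differs.
	body := "public"
	if len(srv.ConnectionState().PeerCertificates) > 0 {
		body = "cac-only"
	}
	_, err := srv.Write([]byte(body))
	return body, err
}
```

`tls.RequestClientCert` models the "accept but not require" servers described above, `tls.RequireAnyClientCert` the servers that return an error without a certificate.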
Related Change in 10.5.3 Safari:
• Fundamental changes within Mac OS X on how Client-side Certificates are handled
  See: "Safari, Mac OS X 10.5.3: Changes in client certificate authentication"
"CAC Authentication to AD"
==========================
* Mac OS X 10.4 / 10.5 has built-in support to *Authenticate* to various Directory Services like AD, OD, LDAP, etc.
* What many are actually looking for is "Single Sign-On (SSO) to AD with a Smart Card". SSO requires PKINIT -- X.509-based authentication AND initialization of a Kerberos session (TGT).
  - PKINIT for "User Login" is lacking in Mac OS X 10.4 / 10.5

"SSO to AD with Smart Cards"
============================
There are two products that you should be looking at. Both provide the needed PKINIT, as well as several other services that many are looking for:
- Thursby's ADmitMac for CAC (AFC)
- Centrify DirectControl for Mac OS X
Compatibility issue with newer Block Transfer (T=1) & Hybrid (CAC/PIV) Smart Cards
====================================================================
There is currently (10.5.0-10.5.3) a very specific issue between some of the newer Smart Cards (T=1 Block Transfer & Hybrid (CAC/PIV)) and very specific Smart Card Readers (SCM SCR 331, 531, 3310, 3311; GemPlus PCTwin). This issue arises out of a failure to properly negotiate between the PCSC Framework, the CCID Class Driver, certain Smart Card Readers and these newer cards. If an older Smart Card (T=0) or Card <-> Reader combination is used, the user will not experience these problems.

Communication protocols

Name | Description
---|---
T=0 | Byte-level transmission protocol, defined in ISO/IEC 7816-3
T=1 | Block-level transmission protocol, defined in ISO/IEC 7816-3
Workaround: if possible, buy or temporarily utilize a different Smart Card Reader.
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise