On Sep 22, 2008, at 7:37 AM, Michael Chute wrote:

> Shawn: I am having the same issue as Ben, actually. It doesn't matter if I haven't unlocked my CAC; when I go to infosec it doesn't prompt me to unlock it, and it obviously fails in authentication. It also fails if I have already unlocked it. I can see it fine in Keychain Access, so it would appear to be an interaction between Safari and the OS. For full disclosure, though, I have been able to get to infosec using a colleague's CAC on my rig. My card is a GEMPLUS GKP3 64V2N.
>
> M.
> --
> Michael D. Chute
Michael,
Until you said that last statement ("For full disclosure, though, I have been able to get to infosec using a colleague's CAC on my rig."), I would have thought you were having an issue with a needed ID Pref or the selection of the wrong certificate. If a site is configured to allow both User/Pass and CAC, then you currently need to manually create the correct ID Pref. When you access a site that requires CAC, you will be prompted when you first connect to it as to which cert to use. This is the logic that was added for Safari client-side certificate support starting with 10.5.3.

Since you mentioned that your colleague's CAC works fine on the same system, to the same site, it would mean there is an unrelated issue coming into play. If you haven't already, you should enable the Identity Preference logging, attempt access with both cards and send me the /var/log/system.log records for review. If you do not recall how to enable the logging, here it is from my former post titled "[Discussion] (2) Card recognized, but I cannot access PKI protected Websites":

Troubleshooting: To provide you and Apple with the ability to troubleshoot why you may still be failing to authenticate to a given server, Apple enabled a debug flag which, when enabled, will log identity preference information to the System log (/var/log/system.log).
Enable Identity Preference Debug Mode in 10.5.4 and beyond:
defaults write com.apple.security LogIdentityPreferenceLookup -boolean true
When enabled, each identity preference lookup is written as in the following example:
Jul 1 18:12:51 /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "User" found for "https://Full.Server.Name/"
And of course, to disable it afterwards, you would enter:
defaults write com.apple.security LogIdentityPreferenceLookup -boolean false
- Shawn
_____________________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise
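The troubleshooting procedure above (enable the debug flag, reproduce with each card, read the "preferred identity" lines back out of system.log, create the ID Pref by hand where a site accepts both passwords and CAC), collected into one script. This is an added example and not code from the thread or from Apple; the host name, identity names and the sample log lines are constructed, and the `security set-identity-preference` syntax for the manual ID Pref step is an assumption to check against `security help` on the machine under test.

```shell
#!/bin/sh
# Added example, not part of the original thread. Wraps the two `defaults`
# commands given above, pulls the identity-preference lookup lines back out of
# /var/log/system.log, and shows the manual ID Pref step referred to above.
# Assumptions: the log line format is the one shown in the thread; the host
# name, identity names and sample log below are constructed, not real.

LOG=/var/log/system.log

# Run on the Mac under test (10.5.4 or later); restart Safari before retrying.
enable_idpref_logging() {
    defaults write com.apple.security LogIdentityPreferenceLookup -boolean true
}
disable_idpref_logging() {
    defaults write com.apple.security LogIdentityPreferenceLookup -boolean false
}

# Read log text on stdin; print one "service<TAB>identity" line per lookup.
# Splitting on the double quotes, $2 is the identity and $4 the service URL.
idpref_lookups() {
    awk -F'"' '/preferred identity: ".*" found for "/ { print $4 "\t" $2 }'
}

# Unique identities Safari chose for one service URL (log text on stdin).
# Empty output means no lookup was logged for that URL at all, which is a
# different failure from the wrong certificate being preferred.
identities_for_url() {
    idpref_lookups | awk -F'\t' -v url="$1" '$1 == url { print $2 }' | sort -u
}

# Manually create the ID Pref for a site that accepts both user/password and
# CAC, where Safari never prompts for a certificate. CERT_NAME is the name the
# certificate shows in Keychain Access. (Assumption: this security(1) syntax
# matches the tool shipped with 10.5; verify with `security help`.)
create_idpref() {
    security set-identity-preference -s "$1" -c "$2"
}

# Constructed sample of what system.log shows with logging enabled: two
# attempts with one card (Safari pid 386), then one with a colleague's card
# (pid 412). Identity names and host are placeholders.
SAMPLE_LOG='Sep 22 08:01:12 mac /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "Card A User" found for "https://Full.Server.Name/"
Sep 22 08:01:13 mac /Applications/Safari.app/Contents/MacOS/Safari[386]: preferred identity: "Card A User" found for "https://Full.Server.Name/"
Sep 22 08:03:40 mac /Applications/Safari.app/Contents/MacOS/Safari[412]: preferred identity: "Card B User" found for "https://Full.Server.Name/"
Sep 22 08:03:41 mac pcscd[88]: unrelated line, ignored by the filter'

# Typical use on the real machine (commented out so this file runs anywhere):
#   enable_idpref_logging
#   ... reproduce the failure with each card ...
#   grep 'preferred identity' "$LOG" | identities_for_url "https://Full.Server.Name/"
#   disable_idpref_logging
printf '%s\n' "$SAMPLE_LOG" | identities_for_url "https://Full.Server.Name/"
```

If the two cards produce different identity names for the same URL, Safari is consulting the ID Pref and choosing per card, so the problem is with the failing card's certificate or its chain rather than with the preference; if the failing card produces no lookup line at all, Safari never reached the identity-preference step, which is the case to send Apple the surrounding log records for.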