Shawn, Thanks for getting back to me, but it was after I had left the Lab on Friday. Prior to 10.5.2 I had never created identity preferences. Since 10.5.2, in OSX my CAC card has become useless. I've been using VMware Fusion to do my day-to-day things.
So I have removed all Identity preferences in Keychains. Even if I reboot, don't open Keychain Access and just open Safari, it does not prompt me for a pin. I have reset Safari using the menu and cleared everything but my usernames and other auto fill information. Still a no go.
There are 4 other Macs at the lab that are at 10.5.4 or 10.5.5 and none of them have their CAC card working even after loading the 1.2 version of the patch. Are there any log files you want to see?

On Sep 19, 2008, at 4:32 PM, Shawn A. Geddis wrote:

On Sep 19, 2008, at 5:32 PM, Ben Dugas wrote:

Shawn, I have downloaded your 1.2 update but it didn't work. Help would be greatly appreciated.

OSX 10.5.5 Build 9F33 (No Prior CAC Patch)

Keychain sees the CAC card and typing in the pin there unlocks the CAC card. I have tried both Identity preferences and certificate preferences for

https://cmproweb1.spawar.navy.mil/
https://infosec.navy.mil
https://ako.army.mil/

Safari doesn't prompt me for the pin.

Different issue. In Mail I have the star with the X in the middle black (available) but the padlock is grayed out (unavailable).

I just flashed my CAC reader using the firmware from the EDS posting. My CAC card is GEMALTO Access 64KV2. Should I delete my keychain? What troubleshooting steps should I take next?

Thanks, Ben

Ben,
I will hit a few of the easy ones here first and then tackle the others...
Keychain sees the CAC card and typing in the pin there unlocks the CAC card.
We provide the ability to unlock the Smart Card via Keychain Access, but there is no need to. Anytime the OS services need to use your Private Key on the card or display the PIN protected data on the card, you would be prompted for the Smart Card's PIN (It will ask for the Keychain's Password -- and since the Smart Card is a Keychain, the PIN == Password referenced in the Dialog). As long as you do not remove the Smart Card, you will not be prompted again for the PIN. That decision is determined by the ACLs (Access Control Lists) on the objects stored in the card and the CAC does not provide an ACL to require PIN entry on every use --- hence the reason you were not prompted again when using Safari.
You create Identity Preferences to access PK-enabled Services -- only if the site is configured not to require Certificate-based authentication. Otherwise, if it is configured as requires, Safari would prompt you for which certificate to use from the card and automatically create the Identity Preference for you.
Adjust the URLs you are referencing in the ID Prefs to match the Real URL of the Server where Authentication is taking place and also note that you should "usually" use a trailing "/" at the end (but recent NMCI changes alter that for those folks).
This one appears to be correct, but of course I have no way of verifying without a valid CAC and access. Maybe someone else within SPAWAR using Mac OS X can verify what URL is correct for this one.
Also, be sure that you are using the correct certificate to authenticate to the web services. Which one to use is determined by the configuration of the site.
Safari doesn't prompt me for the pin.
As noted above, if you have unlocked the Smart Card (keychain), you will not be prompted again unless you remove the Smart Card from the reader or your system screen saver kicks in or system goes to sleep.
- Shawn
________________________________________
Shawn Geddis                      T (703) 264-5103
Security Consulting Engineer      C (703) 623-9329
Apple Enterprise Division         email@hidden
11921 Freedom Drive, Suite 600, Reston VA 20190-5634