Re: [Fed-Talk] CAC-enabled login OS X10.7 & 10.8


  • Subject: Re: [Fed-Talk] CAC-enabled login OS X10.7 & 10.8
  • From: Jim Thomas <email@hidden>
  • Date: Fri, 15 Feb 2013 15:44:33 -0600

Michael, et al.

I was able to get it to work with our PKard for Mac v1.2: http://www.thursby.com/products/pkard.html

First, I have to state that this is not yet supported functionality of the product.  It does work for me, and it should work for you, but we can't provide technical support for it with the current version.

Second, my testing involved an in-house PIV-I, so I had to go through a few extra steps to make sure our signing DC was a trusted CA.  This might be necessary for some CACs or PIVs.

----------------------------------------
 - Log in to the Mac with a local administrator account (card NOT in the reader)
 - Launch Keychain Access from the Applications/Utilities folder
 - Insert the card into the card reader
 - In the Keychains panel of Keychain Access, select the card's keychain.  The certificates on the card will appear (there are usually three)
 - In the right pane, click the first certificate
 - If 'This certificate was signed by an unknown authority' displays in red, double-click the certificate. The Certificate Information window will open
 - Scroll down to the Extension section labeled 'Certificate Authority Information Access' and click the link just below it (Ex. http://crl.xxxx.mil/getsign?DODĘ-99). The CA certificate will download to the Mac
 - Close the Certificate Information window
 - Quit Keychain Access.  This seems counter-intuitive given that we are about to reopen it by opening the cert, but it does need to be quit before continuing.
 
 - Locate the certificate in your downloads folder and double-click it.  The Add Certificates window will appear asking if you want to add the certificate to the keychain
 - Set the Keychain field to System and click OK.  Enter administrator credentials if prompted.  If prompted, choose to "Always Trust".  The new certificate should appear under System in the Keychain Access window
 - Do the same process for each of the remaining certificates
----------------------------------------

In the interest of full disclosure, this should work with any of the smart card solutions capable of reading CAC and PIV cards.

If you decide to try this with PKard, I'd be interested in knowing how things work out.

Regards,

Jim Thomas, CSCIP/G
Senior Support Specialist
Thursby Software Systems, Inc.
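
A Terminal version of the Keychain Access steps in the message above, as an added example that is not part of the original message and is not Thursby's or Apple's code. It checks the downloaded CA certificate's SHA-256 fingerprint against a value obtained out of band before adding it to the System keychain as trusted, which matters because the AIA link in the example is plain HTTP. The script name, file path and expected fingerprint are placeholders.

```shell
#!/bin/bash
# Added example: verify a downloaded CA certificate, then trust it system-wide.
# Usage (hypothetical script name, placeholder path and fingerprint):
#   sudo ./trust_ca.sh ~/Downloads/ca.cer "<SHA-256 fingerprint obtained out of band>"

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Strip separators and fold case so "AB:CD" and "abcd" compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Self-signed roots take trustRoot; non-root (intermediate) CAs take trustAsRoot.
trust_mode_for() {   # $1 = subject DN, $2 = issuer DN
  if [ "$1" = "$2" ]; then echo trustRoot; else echo trustAsRoot; fi
}

# Run "openssl x509" on a file that may be PEM or DER (AIA downloads are often DER).
x509() {             # $1 = file, remaining args = openssl x509 options
  f=$1; shift
  openssl x509 -in "$f" -inform PEM -noout "$@" 2>/dev/null ||
    openssl x509 -in "$f" -inform DER -noout "$@"
}

cert_fingerprint() { # prints the normalized SHA-256 fingerprint of $1
  normalize_fp "$(x509 "$1" -fingerprint -sha256 | cut -d= -f2)"
}

trust_ca() {         # $1 = cert file, $2 = expected fingerprint
  actual=$(cert_fingerprint "$1")
  # An unreadable file yields an empty fingerprint and is refused as well.
  if [ -z "$actual" ] || [ "$actual" != "$(normalize_fp "$2")" ]; then
    echo "fingerprint mismatch, not trusting $1 (got '$actual')" >&2
    return 1
  fi
  subject=$(x509 "$1" -subject | sed 's/^subject= *//')
  issuer=$(x509 "$1" -issuer | sed 's/^issuer= *//')
  # -d writes admin (system-wide) trust settings, so this needs root.
  security add-trusted-cert -d -r "$(trust_mode_for "$subject" "$issuer")" \
    -k "$SYSTEM_KEYCHAIN" "$1"
}

# Only act when called with both arguments; sourcing the file just defines functions.
if [ "$#" -eq 2 ]; then trust_ca "$1" "$2"; fi
```

Run it once per CA certificate in the chain, each with its own expected fingerprint.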




On 2/14/13 5:59 PM, Danberry, Michael J Mr ARMY GUEST USA wrote:
Thanks Bill,

The specific location for this information is at: http://militarycac.com/errors2.htm#OTHER_QUESTIONS. Question 2
--
CW3 Michael J. Danberry
Chief, Network Operations for the Military Intelligence Readiness Command, AKO CAC Resource Center Content Provider, and MilitaryCAC Web Helper

8831 John J. Kingman Road
Fort Belvoir, VA 22060-6208

703-806-5924 Office
703-679-8989 Virtual Office (rings my 3 mobile phones)
612-328-8768 Verizon mobile

email@hidden

Problems accessing DoD websites can "usually" be cured by following this guide: https://tiny.army.mil/r/0Owo

Sent from my Samsung Stratosphere Android device using the K-9 Mail app. Please excuse any typos.

William Cerniuk <email@hidden> wrote:
Buddy of mine :-) runs this page:

http://militarycac.com/apple.htm

Probably the best source there is for Apple related CAC/PIV

--
R/Wm. 

On Feb 14, 2013, at 17:30, Michael Kluskens <email@hidden> wrote:

What are the choices for CAC enabled login on OS X 10.7 & 10.8?

I'm looking at OS X systems which may not have access to a MS Domain Server, i.e. isolated network.  Some would have access and some would not have access all the time.

I thought maybe some changes to /etc/authorization might reenable CAC-login but I haven't started an attempt yet.

Unfortunately Apple dropped support and now it is a requirement in many places, all places that supply Windows-software for this but if you use OS X you have to find your own solution.

Michael


_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to
email@hidden


References: 
 >[Fed-Talk] CAC-enabled login OS X10.7 & 10.8 (From: Michael Kluskens <email@hidden>)
 >Re: [Fed-Talk] CAC-enabled login OS X10.7 & 10.8 (From: William Cerniuk <email@hidden>)
 >Re: [Fed-Talk] CAC-enabled login OS X10.7 & 10.8 (From: "Danberry, Michael J Mr ARMY GUEST USA" <email@hidden>)
