Attempt to use with CAG causes PWOD. Get to select the authentication cert and Safari locks up for 5 min. It recovers but never gets logged in.
Login to a FV encrypted Mac worked in 10.12b2 but now fails in 10.12b3
Signing email works fine. A bit annoying having to type my PIN every time. -- R/Wm.
On Jul 21, 2016, at 16:52, Blumenthal, Uri - 0553 - MITLL < email@hidden> wrote:
I’d be interested in any additional feedback that there may be for Smart Card on 10.12 so that we can share with the appropriate groups.
Doug,
The initial impression – i.e., the ability to bind the smart card to the login “auto-magically” is very welcome. Similarly – the fact that it does not need a tokend any more.
On the bad side – ckt daemon keeps crashing on me with CAC and Yubikey NEO (both are accepted by 10.11.[56] with OpenSC, PKard, Centrify Express, and my modified OpenSC.tokend).
I wondered who I’d send the crash dumps and detailed reports to… Or maybe – even who among the Apple developers would be willing to “partner” to get this stuff polished and 100% ready to go.
Also, I wonder what I need to do in order to (a) get smart card logon enabled (locally), and (b) get smart card logon enabled via Active Directory authentication (Mac is a member of the domain).
Thanks!
On Jul 11, 2016, at 8:48 AM, William Cerniuk < email@hidden> wrote:
Since the keychain is ubiquitous to the security system, and since the smart card integration has always been tied to the Keychain to make it available to all apps on the Mac that use the Keychain, I would be surprised if smart card authentication were isolated now.
Right now it is beta. I have only seen the CAC and PIV cards show up once in the Keychain Access app but suspect that is a bug in macOS beta. As a keychain in the security system, the PIV/CAC would be equally accessible to all processes.
Now I am curious enough to test b/c Safari definitely tanks in the beta when accessing the VA Citrix Access Gateway.
When I hit the public CAG page https://vacagnorth.vpn.va.gov/ and have my PIV card inserted, then press the smart card (PIV) login button, Safari locks up with BBOD/PWOD. Will be interested to see if same with Firefox / Thunderbird. I don't run Chrome for a variety of reasons so won't be testing that.
On Jul 10, 2016, at 15:46, Blumenthal, Uri - 0553 - MITLL < email@hidden> wrote:
Regarding 10.11: using the current OpenSC version as middleware, and mouse07410/OpenSC.tokend as tokend replacement of the original tokend - I haven't had the need to re-launch Apple Mail (or Safari) to recognize the inserted smart card. Also, the current development of OpenSC (combination of #797, #816, and one more commit df62b35 necessary for reliable token status detection) significantly improves already acceptable stability against multiple apps accessing the token.
For those on 10.11 - I recommend to at least try the above route. Based on what I hear here, 10.12 could make this "detour" unnecessary. (BTW, could those who tried public 10.12 comment whether Firefox and Thunderbird work there, rather than *only* the native apps like Safari?)
Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
Original Message
From: William Cerniuk
Sent: Saturday, July 9, 2016 07:28
To: Matthew Smith
Cc: Apple Fed-Talk
Subject: Re: [Fed-Talk] How to enable smartcard logon & screensaver unlock?
I was successfully using smart card services under 10.11. Now under 10.12, the smart card implementation is much more professional but kills Safari when accessing the Citrix Access Gateway at the VA. Safari gridlocks, have to kill the process.
The pairing of the smart card works fine for logging in. Have not tried it from reboot to open the FileVault encrypted disk yet. The smart card interaction with native mail is much smoother than prior smart card services shim operation. Now I don't have to quit and relaunch mail to try and get it to recognize the smart card. Overall, this is the way native smart card operations should have been implemented 10 years ago when it was part of the system, up to Snow Leopard. Just have to fix Safari interaction defect. Now if they could speed up the glacially slow iOS 10 ;-). Those special effect transitions remind me of "your first PowerPoint" (snicker)
--R/Wm.
On Jul 8, 2016, at 22:29, Matthew Smith <email@hidden> wrote:
On a related note, I just installed the macOS Sierra beta (the public one, not the developer one, so no NDA, right?) for testing on a home Mac. Upon inserting a Smartcard, the OS brings up a dialog “Smartcard Pairing” asking if I want to connect the inserted Smartcard with the current user.
Matthew