I am experiencing the same issues here. My SCM 3310 worked perfectly on 10.5.5 but the recent update to 10.5.6 now makes me SCM 3310 CAC Reader totally unrecognizable (brief green light when I plug-in but then dead - does not even show up in keychain anymore).
Working from the Apple post at http://lists.apple.com/archives/Fed-talk/2008/Dec/msg00093.html provided NO SOLUTION. My reader's firmware is the newest version from SCM and per msg00093 (and the attached link to Open Source author's CCID supported CAC Readers - http://pcsclite.alioth.debian.org/ccid.html) specifically states that SCM 3310 is suported.
Apple support is requested on this item as it has impacted nearly a dozen DoD Mac users at my station (which makes it hard to sing the praises of Mac when every update seems to cripple usability). I hate to revert to 10.5.5 and ignore all future OS X updated but MUST be able to use my CAC at home. If anyone has solved this issue please post the steps to fix the matter; any help is appreciated.
I have the identical problem as the original post. Keychain recognizes my reader (SCR331) and card, but the same error message from the Portal. I can log in with my CAC fine at work, but I need access at home as well. AF Portal help desk is nice, but clueless about Macs. Does anyone have any advice?
Unlike the second post, I have noticed no difference in Keychain reading my CAC since upgrade to 10.5.6
Try flashing the newest version of the SCM firmware to your SCR 331, unfortunately, you'll need to do this on a windows machine but once you update to firmware version 5.25.
You can get the firmware from SCM's website (http://www.scmmicro.com/support/pcs_downloads.php?lang=en) and will need to download both the installer and firmware. You can google for steps on flashing the reader but essentially you run the installer and once it is complete, hook-up the reader and open the firmware zip files to install, that will push the latest version to your SCM 331 and should make it play nice with 10.5.6
Note that these are user to user forums, so Apple won't be paying attention here. Since you've identified that the issue is solved with flashing the reader's firmware, the problem is with SCM Microsystems's inability to provide firmware flashing software that will work with the Mac. Something that your organization and DoD ought to be pressing with them. It's not an Apple issue.
This is a known issue with these readers. Apple is aware and will ask you if you have done the firmware upgrade. that's all they can say since it is indeed a 3rd party issue... but there is also a "smart card services installer" that Apple has to help with a certain issue. You will need to email "firstname.lastname@example.org" and then you should receive the installer. Now if you want to access DoD sites, once that installer is installed you can then setup a "IDPref" with your CAC in keychain. Here is the directions on how to do this.... "http://www.applemacgeniusville.com/2008/10/setting-up-safari-for-cac-login-to- dod-websites/"
I hope this helps...
<Edited by Host>
I encountered the same problems you describe with the Air Force portal. Followed all recommendations to no avail. After lots of trial and error this is what I did in my setup and worked:
1. close all open programs. Open keychain access, connect the reader, insert CAC, select CAC keychain by clicking on it once, you will see a list with 3 certificates and 3 private keys to the right.
2. double click on the certificates and find the one that shows "Usage Digital Signature, Non-Repudiation" and Purpose #1 Smartcard Logon, Purpose #2 Email Protection, Purpose #3 Client Authentication". This is the right certificate for online CAC authentication.
3. control-click the CAC certificate identified as the right one in step 2 and create an identity preference for each server addresses that the AF Portal has:
I had to create an identity preference for each; for some reason if I don't use all three, login fails.
If you also want to access the virtual MPF, also create an identity preference with the following server: https://w20.afpc.randolph.af.mil/afpcsecurenet20/
Note that these server addresses are case-sensitive and you need to put the "/" just as I did above.
4. verify the identity preferences were created by selecting the login keychain, you should see them in there.
5. open safari and enter: https://www.my.af.mil in the safari address bar. Enter PIN number if requested. I have noticed that sometimes it will work flawlessly and sometimes the server will reject the certificate and ask you to select a different one. If I select the one that says DOD EMAIL CA-15 and hit enter (sometimes repeatedly) it will then work. Don't know why this happens but have read is a USAF server-side issue.
Once you are able to access the portal, logout and try the vMPF by entering https://w20.afpc.randolph.af.mil/afpcsecurenet20/ in the Safari address bar
hit OK if presented with a consent screen. You may be given a username/password screen, reenter https://w20.afpc.randolph.af.mil/afpcsecurenet20/ into the address and try again, you should be in AFPC secure.
I tested this in a 2008 white macbook with an OmniKey 3121 USB reader and an Oberthur ID One v5.2 CAC card. My OS is 10.5.6.
Please let me know if this helps.
I'm not keychain savvy but here's what worked for me.
I tried the above from Burgos and it worked once. I then began to mess around with the identity preference and found that if I added a '?' to the https://www.my.af.mil/EAI_JUNCTION/eai/auth.
It then reads https://www.my.af.mil/EAI_JUNCTION/eai/auth? it logs into the portal fine every time. But then keychain automatically adds an Identity Preference (https://www.my.af.mil/EAI_JUNCTION/eai/auth) back into the keychain. If (https://www.my.af.mil/EAI_JUNCTION/eai/auth) is present with (https://www.my.af.mil/EAI_JUNCTION/eai/auth?) identity preference then it won't log into the portal and the pin prompt keeps coming up.
All I have to delete the identity preference without the '?' before logging into the portal and it works everytime.
Does anyone know how to stop the identity preferene from automatically adding itself into the keychain? That would solve all problems over here.
Thanks for the follow-up. Seems like right now, there is something broken that won't let me into the AF Portal. I can log in to our Outlook Web Access but not to the AF Portal from Leopard. I tried your suggestion but it does not work for me either. I am posting a message to the Fed-Talk mailing list to see if someone has found a way to make it work.
I wanted to add some comments to this thread regarding my recent experience and observations.
Rafael's post got me thinking about the URLs being entered for the Identity Preference. I'm not sure why, but the exact format appears to be quite significant (as Fro's experience with the '?' illustrates). I brought a reader home today (SCR331), flashed the chip and installed the DoD certs. I was able to connect to our OWA server, but wasn't able to connect to any portals (AKO, AF Portal, our local portal).
I used Rafael's URLs to connect to the AF Portal, worked like a charm. Turns out for our local portal, the problem was the Identity Preference URL... I was using https://portal/ and was getting a mix of 500 errors and Safari could not connect messages. But if I set it to https://portal (no slash), it connected just fine.
The Fed-Talk subscribers have been very kind in recommending some workarounds (essentially CoolKey and OpenSC) but nothing that is GUI - oriented or easy in the "mac" sense. I continue to experience a lot of difficulty getting in to the AF Portal. I keep playing with CAC readers of different kinds but the problem in Leopard is the same. To Apple's benefit, I think the main problem with Leopard and the AF Portal is with the AF Portal itself not adhering to standards strictly - but then again, every once in a blue moon, Safari will connect to the AF Portal without problems. The erratic behavior is driving me nuts. If you have been able to access the AF Portal, do let me know! For websites that do play nice with Leopard, it is a must to have the correct address in the identity preference, as https://www.mycacsite.mil ≠ https://www.mycacsite.mil/. Shawn Geddis, Apple security consultant has more on this (see http://lists.apple.com/archives/Fed-talk/2008/Dec/msg00086.html).
I have tried this method along with every other variation of the identity preference website. Each time I am prompted to enter my pin for my CAC keychain. However I am never able to access the website. I always get the error:
Safari can’t open the page “https://www.my.af.mil/EAI_JUNCTION/eai/auth?refURL=https://www.my.af.mil/faf/FAF /fafHome.jsp”. The error was: “client certificate rejected” (NSURLErrorDomain:-1205) Please choose Report Bugs to Apple from the Safari menu, note the error number, and describe what you did before you saw this message.
Also I have not made any headway on my OWA access. It does not prompt me at all
My first guess is that my CAC is not working right. 2 of the 3 certificates are "revoked" and I am unable to fix them without getting in line at the MPF.
If your certificates have been revoked, you will not be able to access any CAC-enabled website. Therefore, you have no option but to go to the MPF and get the card updated. As an added bonus, you will (very likely) get a newer card and things may work better when using a mac (you could actually make a newer PIV card work with firefox and OpenSC). I have read that DoD is phasing out the Oberthur cards because they don't fully support DoD requirements (more on this at http://militarycac.com/apple.htm). I have had no problems with certain websites, OWA has not been a problem in Leopard and if you had valid certs and Office 2008 for mac, you could set up Entourage 2008 to not only access OWA but also to digitally sign and encrypt your military mail. I will be happy to show you how to.