SCR CAC reader for Leopard

For those of you in the Department of Defense...

I have acquired an SCR 331 CAC reader from work, in order to log in to OWA with my CAC card, but I can't get Leopard to recognize it. I plug it in, a solid light comes on, but no joy. I can't see my CAC in Keychain Access. Is there a driver out there or some other trick so I can get my Mac to recognize the card reader?

iMac G5, iBook G4, Mac mini G4, 4G iPod, 5G iPod, iPhone 8GB, Mac OS X (10.5)

Posted on Jan 16, 2008 10:15 PM


Aug 18, 2008 6:30 AM in response to Jeff in SD

It appears to be something specific to my CAC. I have an "alternate" CAC card used for server administration. When I insert this CAC into my reader, the CAC shows up immediately in keychain access. Also, I see the following message in the console when inserting my "regular user" CAC.

8/18/08 8:20:31 AM com.apple.SecurityServer[19] openct/proto-t1.c:177:t1_transceive() T=1 state machine is DEAD. Reset the card first.

My regular CAC is an Oberthur ID One V5.2

Aug 18, 2008 10:19 AM in response to Steve Kostoff

I've been following this long post.

I have a Mac w/ Safari 3.1.2 and Leopard (10.5.4). I was able to get Safari to recognize my CAC by following steps to add the website as an Identity Preference to my 3 certificates in the Keychain Utility.

I can now log into Safari with my CAC and CAC pin.

However, I cannot change my password on AKO. When I go to the password screen and click on "Change Password" nothing happens.

Help?

Aug 18, 2008 3:44 PM in response to Agallo42

However, I cannot change my password on AKO. When I go to the password screen and click on "Change Password" nothing happens.

This sounds like an issue with the web site/browser, and not your CAC, as you are able to log in to Webmail. Are Pop-ups blocked in your Safari settings or perhaps cookies not allowed? AKO probably is trying to launch a window to facilitate the password changing. Perhaps AKO has done something with its password change (or it is currently broken)... you may want to call AKO Help Desk to verify password changing still works.

~ Jeff

Aug 18, 2008 4:07 PM in response to Jeff in SD

It appears to be something specific to my CAC. I have an "alternate" CAC card used for server administration. When I insert this CAC into my reader, the CAC shows up immediately in keychain access. Also, I see the following message in the console when inserting my "regular user" CAC.

8/18/08 8:20:31 AM com.apple.SecurityServer[19] openct/proto-t1.c:177:t1_transceive() T=1 state machine is DEAD. Reset the card first.

My regular CAC is an Oberthur ID One V5.2 and is a CA16; my Alternate CAC is a CA 14. Any reason why the 16 wouldn't show?

Aug 19, 2008 5:22 AM in response to Jeff in SD

Thanks, Jeff. Actually, it can't be a problem w/ the browser b/c the page opens correctly when I use Firefox. Unfortunately, I can't figure out how to get the CAC to work with Firefox.

Safari is set to accept all cookies and the pop-up blocker is off.

I would call the AKO help-desk but they won't help me b/c I have a Mac. They only troubleshoot PCs.

Andrew

Aug 19, 2008 7:43 AM in response to Agallo42

Have you installed the DOD security certificates from DISA?

That's odd, since they have FAQs for integrating both Apple Mail and Thunderbird with AKO mail.

AKO does state they will not help home users.

general CAC info
https://www.us.army.mil/suite/page/241504

Some specific FF info:
http://lists.apple.com/archives/Fed-talk/2007/Jul/msg00016.html

There are also several command lines you have to execute from Terminal to get the CAC service running.

I think I have a paper on them somewhere.
You can search list.apple.com archives.

Aug 19, 2008 9:14 AM in response to AJ

Thanks for the help.

I used Safari to access AKO w/ my CAC for the last year. No issues. Didn't have to install any certificates or anything. Just plugged in the reader, inserted the card, logged into AKO, gave it my CAC pin, and I was in.

Now, with Leopard, Safari no longer allows you to do that. I can log in w/ my CAC but the "change password" link is unresponsive.

I tried the DOD Extension for Firefox and it didn't work.

Any more ideas?

Andrew

Aug 19, 2008 10:18 AM in response to Agallo42

From the Apple Fed-talk list ... and I think Shawn's iDisk also has other support and driver info:

(4) Supported Smart Card Types

Many of you who are new to Smart Cards on Mac OS X will want to review this carefully.

Customers Impacted: Any Smart Card Users on Mac OS X 10.5

Platform(s) Affected: Mac OS X 10.5

Service(s) Affected: Smart Card use with:
Login
FileVault
Screen Saver Unlock
System Admin
VPN (L2TP / PPTP)
802.X
S/MIME (Apple Mail & MS Entourage)
SSL/TLS (Safari - Web & SSL VPN)


Built-in Support:
Smart Card Services built into Mac OS X 10.5 provide a wide range of support for various Smart Cards. Each Smart Card contains either a Java Applet or a File-based OS on the card. Physical Smart Card Reader support is done through the PCSC and driver architecture, while the Smart Card "Types" support is provided through Tokend bundles.

Pre-shipped Tokend modules: /System/Library/Security/tokend/

Tokend Module Name - Smart Card Specification
BELPIC.tokend - Belgian National ID
CAC.tokend - US DoD Common Access Card
JPKI.tokend - Japanese PKI Card
PIV.tokend - US Federal Personal Identity Verification

(NOTE: ALL but PIV were also supported on 10.4.x)

If the Smart Card you were issued does not meet any of the above noted specifications, then you would need to acquire the corresponding Tokend module from the vendor/manufacturer of the Card/Applet. Many of the Smart Card vendors do in fact have tokend support, but do not note it on their websites yet. It is best to contact the vendor directly to enquire about the availability. If the vendor is interested in providing support, but does not yet do so, please have them contact Shawn Geddis <geddis@apple.com> directly.

This was covered in my WWDC 2007 Presentation:

506-Integrating SmartCard Solutions into Leopard http://idisk.mac.com/geddis//Public/SmartCards/Presos/10.4.x/WWDC2007-506-IntegratingSmartCard_Solutions_intoLeopard.pdf

This was also covered in my WWDC 2006 Presentation:

527-SmartCards and other Two-Factor Authentication Solutions http://idisk.mac.com/geddis//Public/SmartCards/Presos/10.4.x/2006.08.11-SmartCardsand_Other_Two-Factor_AuthenticationSolutions.pdf

Eventually, this all will be accessible directly from the top of my .Mac web page, so keep this bookmarked: http://web.mac.com/geddis/

- Shawn
___________________________________________________
Shawn Geddis  Security Consulting Engineer  Apple Enterprise

Aug 19, 2008 7:27 PM in response to AJ

Shawn - You definitely seem to be the Smartcard master. I was able to manually set an Identity Preference so that I could log into my DOD site (AKO) w/ my CAC. It worked. Unfortunately, I can't change my password on AKO w/ my CAC. For some reason none of the links work on the site.

I don't think there are any issues w/ my reader or CAC since I was able to login. I think the issue is that the new Safari and/or Leopard can't handle the CAC on AKO.

Thanks - Andrew

Sep 2, 2008 9:15 PM in response to keysersoze

Scott,

Here is the solution:

Using Keychain Access, link ONLY the new NMCI email web site you need with the Email Signature CAC certificate: on my CAC it's called DOD EMAIL CA-11 ... (as per info posted on the legacy NMCI web email page, the Email Certificate is now used for logon). For what it's worth, I also removed the trailing "/" at the end of the URL when I pasted it into Keychain Access. Please let me know if this works. Oh, and I suggest doing a Safari RESET (for cookies/cache) to be on the safe side prior to inserting the CAC into the reader.. at least it seems to expunge daemons from my system when setting up a new Keychain identity.

By the way, you can do a similar process ALSO for [Bupers Online], and any other site that uses CAC logon. There you would specify the Identity cert for it to work. I created a CAC cert link for both https://pki.bol.navy.mil AND https://pki.bol.navy.mil/pkilogin.aspx .. that seemed to get me past PKI cert logon issues.


~ Jeff

Sep 4, 2008 9:13 AM in response to ptwob

I am having the exact same issue. The card type is an Oberthur ID One V5.2. Has anybody had the issue with an unresponsive card in pcsctest? I am pretty sure that the card reader is recognized as it shows up in pcsctest (as well as in the USB inventory in System Profiler).

I remember there being issues with different types of cards. Would this have anything to do with it?

- Pete

Sep 4, 2008 9:27 AM in response to AJ

I am getting a "Card is Unresponsive" error from pcsctest when I insert the card. I also get the following entry in secure.log

"token in reader SCR331 USB Smart Card Reader 00 00 cannot be used (error 229)"

I understand that error 229 is a very generic error, basically saying it can't read the card. It is an Oberthur ID v5.2. Does that matter?

Regards,

Pete

Sep 4, 2008 4:42 PM in response to freeat12five

freeat12five (Pete),

Had the same issue with an Oberthur card. PSD replaced it with a non-Oberthur card...new one works fine.

If the card reader is flashing (small green light) with the card inserted, your system recognizes the reader itself, and the problem is likely with the card.

I recommend replacing the CAC card to see if that corrects the problem.

Tom
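As an added example (not code from anyone in this thread), a small POSIX shell triage helper that sorts the two log messages quoted above, the openct T=1 error from Console and the "cannot be used (error 229)" line from secure.log, into card-protocol failures versus tokend rejections, and pulls the reader name and error code out of the latter. The sample log lines are constructed for the demo, modelled on the entries posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Triage Leopard smart-card log lines into the
# two failure classes discussed above: a T=1 protocol breakdown reported by openct
# (seen here only with the Oberthur card) versus a tokend rejecting the token.

classify_line() {
    case "$1" in
        *"T=1 state machine is DEAD"*)
            # openct proto-t1 gave up on the card-side link; the reader itself answered.
            echo "card-protocol";;
        *"token in reader "*" cannot be used (error "*)
            # SecurityServer found a reader and a token, but no tokend would accept it.
            echo "tokend-reject";;
        *)  echo "unrelated";;
    esac
}

# Extract the numeric error (229 in the thread) from a tokend-reject line.
token_error_code() {
    printf '%s\n' "$1" | sed -n 's/.*cannot be used (error \([0-9][0-9]*\)).*/\1/p'
}

# Extract the PC/SC reader name, e.g. "SCR331 USB Smart Card Reader 00 00".
token_reader_name() {
    printf '%s\n' "$1" | sed -n 's/.*token in reader \(.*\) cannot be used.*/\1/p'
}

# Count each class over a log fed on stdin. A card-protocol hit while the reader
# is clearly present points at the card, which is what the thread concluded.
triage_log() {
    proto=0; reject=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            card-protocol) proto=$((proto + 1));;
            tokend-reject) reject=$((reject + 1));;
        esac
    done
    echo "card-protocol=$proto tokend-reject=$reject"
}

# Constructed sample log: the two messages quoted in the thread plus an unrelated line
# (the timestamps on the second and third lines are made up for the demo).
SAMPLE_LOG='8/18/08 8:20:31 AM com.apple.SecurityServer[19] openct/proto-t1.c:177:t1_transceive() T=1 state machine is DEAD. Reset the card first.
Sep  4 09:27:01 SecurityServer: token in reader SCR331 USB Smart Card Reader 00 00 cannot be used (error 229)
Sep  4 09:27:02 kernel: USB device attached'

printf '%s\n' "$SAMPLE_LOG" | triage_log    # card-protocol=1 tokend-reject=1
```

On a real machine, feed it the relevant lines from /var/log/secure.log or Console instead of the constructed sample.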
