How do I access the AF Portal with SCR331 reader in Mac OS 10.5.6

Once I upgraded to 10.5.7, this particular issue went away, to be replaced with the "rejected certificate" problem mentioned above. I have an open ticket with the AF portal help desk now.

I have 10.5.7 and set the ID pref to: https://www.my.af.mil/EAI_JUNCTION/eai/auth

This forces safari to have you unlock the CAC keychain w/ your PIN but then the server still rejects the certificate. I'm going to guess that it's a problem with the AF Portal servers. What other websites should we be able to access? My base doesn't have OWA configured properly so that's out for me...way to go CS.

I get a list of six different certificates to choose from when I attempt to create an identity preference. The certificates all have the same name, so there is no way to tell which is which. Also, nothing appears under the "login" keychain after I create the identity preference. I'm confused.


NMCI webmail worked for me using the identity preferences under 10.5.6. Things broke because of either the 10.5.7 upgrade or being taken off the NMCI exceptions list for CLO logon. I don't know what did it.

Well I got good news and I'm-getting-closer-but-not-quite-there news.

Good news is that I got OWA email to work. I have taken a multitude of ideas from repeated google searches of such combinations as smartcard, cac, mac, etc.
1) Obviously have the correct firmware (I'm using SCR331 v5.25), nuff said
2) "Remove cached CAC credentials" through the "terminal" application (instructions here http://cisr.nps.edu/downloads/npscs_06009.pdf). I have done this multiple times and it did not work because I created the "tokens-old" directory once and I did not delete it (which is slow for someone with a very basic UNIX understanding. If anyone has a quicker way, do share). I guess you could create a "tokens-old2" and that would suffice. As long as you create a new directory called "tokens"
3) Identity preferences. For email I have 2 preferences, both of which end with a slash
https://owa.base.af.mil/
https://owa.base.af.mil/exchange/
For the ceritificate I use the non-email one (i.e. DOD CA-12). Obviously all your certificates need to have a green check mark and "This certificate is valid". Also I copied all my certs to the "login" keychain, but this may not have been needed.
4) Go to Keychain preferences, go to the third tab "Certificates". OCSP and CRL should be "off" and priority should be shaded dark.
5) I fixed my "certificates have been revoked" by getting my CAC reset at the MPF. Turns out my email was not loaded correctly (my middle initial is included in my email). This will not affect most folks, but every bit help.

Now the other news affects the Air Force Portal. I did all the above and was able to log into the portal ONCE. I have not been able to repeat. I have frequently repeated OWA.

Currently for the portal I get "The website "www.my.af.mil" did not accept the certificate Lastname.first.middle 123457895"
For identity preferences I use the same "DOD CA-12" non email one.
I have every possible identity loaded and have tried various combinations
https://www.my.af.mil/EAI_JUNCTION/eai/auth
https://www.my.af.mil/
https://www.my.af.mil/EAI_JUNCTION/eai/auth?refURL=https://www.my.af.mil/faf/FAF /fafHome.jsp
https://www.my.af.mil/EAI_JUNCTION/eai
https://www.my.af.mil/EAI_JUNCTION/eai/
If I delete the first 2, keychain/the portal automatically load them back in. I take that to mean they are needed.

I feel I am very close I just need another piece of the puzzle

I admit I have not made any progress at all. Safari never prompts me for a pin and authentication always fails. I cannot access a dang thing so far. I admit, M$ does CAC better than the MAC.

I cot SCR331 working after restarting system and reader was connected. But when I removed reader and reconnected it didn't work. Make sure pcscd demon is runnig

Write to terminal:
ps ax | grep pc

If /usr/sbin/pcscd no listed there and readers light isn't blinking try
sudo /usr/sbin/pcscd

For me it works in Firefox only. But I had to install something for that.

So here is a good one to top off the Portal issues....I can access Nellis OWA, but not the Portal! I have the keychain identity preferences setup for the Portal, and I am using the Email certificate. Any ideas?

Where can I download the correct firmware (v5.25)? CS will only flash 1 type of CAC reader and that's not the one that I have. I've searched the internet w/o success. Any help would be appreciated.

Exact same issue here with no success in resolving. I can access OWA for AFRC with no issues but with the Portal I am also getting the message that the CAC is not being accepted by the site. I have tried all of the suggestions with the identity preferences to no avail. The alternative is to use XP through Fusion but I obviously prefer to be able to do everything I can through Safari.

I am able to access BOTH the portal AND OWA by following the instructions when i googled "make cac certificates available to safari mac" I took the steps to set up identity preferences.

I used https://www.my.af.mil/ and my NON email cert
and my OWA address with my email signature cert

What website did you go to?

Well I finally got the AF Portal to work using some steps on http://militarycac.com/apple.htm. The final step that got it to work is really goofy, but it works somehow.

Bottomline
Setup the ID preferences (hopefully an obvious point by now) with DOD CA-XX
https://www.my.af.mil
https://www.my.af.mil/EAI_JUNCTION/eai/
https://www.my.af.mil/EAI_JUNCTION/eai/auth

Open Safari, insert CAC, go AF Portal
Click the Log in Button.
When it asks for your pin, click cancel.
You should get the 'The Website "www.my.af.mil" did not accept your certificate John.Doe XXXX-XXXX-yadda
Click the first certificate (DOD CA-XX)
It will ask for your pin, enter it.
Voila.

I was able to repeat the results twice in a row which is good enough for government work.

further details can be found at http://militarycac.com/MAC/CAConmyMac.pdf

Murphdawg,

Excellent find in your 12/27/09 post. That works for me, too. I really wonder why this happens, and if it can be fixed or automated away.

Have had much more consistent luck with Firefox but being able to use Safari is a big plus. FYI, Safari is much faster with ANG webmail than Firefox was.

Thanks for the tip,
David

The instructions that R Burgos posted on 2/11/09 worked for me. I have been able to access the AF Portal and AFPC Secure sites using an SCR3310 reader. I have not tried OWA.

Thanks for the help.

Art

Arturo! Fancy meeting you here. What version of firmware is your SCR3310?

JD