

Question: Accessing Secure DoD Sites with Safari and a CAC

This has been an ongoing issue but a quick search of the forum reveals no topics in 2009, so I'm bringing it up again. If nothing else I have a dim hope that Apple might read these posts and take this as a suggestion.

There seems to be no way to use any Apple-based browser (Safari, Firefox, etc.) to access secure Department of Defense web sites with a Common Access Card and reader. I have a reader that is compatible with the OS, and my certificates appear in keychain. But the browsers, most notably Safari, don't seem to care that the reader and card are there. Sites simply act as though I don't have either reader or card connected.

This is a pretty basic thing, and there MUST be a way to accomplish it. I could do it three or four versions of MacOS ago, but the support seems to have vanished.

Does anyone know a way to make this work? Apple, if you're listening, please add CAC support for your browser!

MacBook Pro 15", Mac OS X (10.5.7)

Posted on Jun 12, 2009 11:00 AM


Jul 26, 2009 8:02 AM in response to mjruss

Is it common knowledge that one cannot use a CAC card reader with OS X 10.5.7? I have a document entitled "CAC for a Mac: Using an Intel-Based Apple OS X System to Access NMCI Outlook Web Access" that shows how to set up OS X 10.5.4 or 10.5.5 to use a CAC. I cannot get these instructions to work under 10.5.7, though I appear to be agonizingly close.

Should I give up and wait for an Apple fix or has anyone found 10.5.7 instructions that work? Mac help has an "about common access card viewer" entry but it points to a "CAC setup" document that has apparently been removed from the knowledge base.

Any help anyone can offer will be most welcome ...


Reply Helpful (1)

Aug 29, 2009 9:10 AM in response to mjruss

I've got everything (with the exception of the pig known as DTS) using an SCR3310 reader and a recently issued Oberthur card. I got some additional info from militarycac.com that helped put the final touches in place. I could see the certificates on the CAC but sites like the AF and JFCOM portals wouldn't let me get on! BTW, it worked under 10.5.6 and everything worked Golden under 10.6 (Snow Leopard).

These steps gave me what I needed:
From militarycac.com:

Step 9: Insert your CAC card into the card reader. In the upper left of the Keychain Access window, under "Keychains", your CAC should show up (CAC XXXX-XXXX-XXXX-XXXX-XXXX); select it. On the right-hand side you will see the certificates that are on your CAC.
Step 10: Click the "Padlock" icon in the upper left corner of the program window, which will prompt you for your CAC PIN. Enter your PIN to unlock your CAC.
Step 11: Select the desired certificate, which will show DOD CA-XX or DOD EMAIL CA-XX in the upper window. Right Click (Control Click) and select "New Identity Preference"
Step 12: Enter the following URL for the appropriate website you wish to access, select the appropriate certificate and click “Add”:
- AKO: https://akocac.us.army.mil/ (DOD CA-XX)
- AKO Webmail: https://wmcac.us.army.mil/ (DOD CA-XX)
- Fort Gordon OWA (Email Access): https://rw3.army.mil/EXCHANGE (EMAIL CA-XX)
- Soldier Survey Site: https://fcportal.forscom.army.mil/ (EMAIL CA-XX)
- Tricare Online: https://www.tricareonline.com/preloginHome.do (DOD CA-XX)
- Tricare (1 of 3): https://cac1.tricareonline.com/ (EMAIL CA-XX)
- Tricare (2 of 3): https://cac2.tricareonline.com/ (EMAIL CA-XX)
- Tricare (2 of 3): https://cac3.tricareonline.com/ (EMAIL CA-XX)
- Webmail: https://webmail.nmci.navy.mil (DOD CA-XX)
- Reserve Portal: https://private.navyreserve.navy.mil/ (DOD CA-XX)
- NADSUSEA (Navy East OWA): https://webmail.east.nmci.navy.mil (EMAIL CA-XX)
- NADSUSWE (Navy West OWA): https://webmail.west.nmci.navy.mil (EMAIL CA-XX)
- NADSUSEA NCIS COI (Navy NCIS OWA): https://webmail.ncis.nmci.navy.mil (EMAIL CA-XX)
- NMCI-ISF (Navy ISF OWA): https://webmail.isf.nmci.navy.mil (EMAIL CA-XX)
- PADS (Navy PADS OWA): https://webmail.pacom.mil (EMAIL CA-XX)
- PADS (Navy PACOM SMR Users OWA): https://webmail.exceptions.pacom.mil (EMAIL CA-XX)
- JTF-GNO: https://www.jtfgno.mil (EMAIL CA-XX)
Air Force:
- AF Portal (1 of 3): https://www.my.af.mil (DOD CA-XX)
- AF Portal (2 of 3): https://www.my.af.mil/EAI_JUNCTION/eai/ (DOD CA-XX)
- AF Portal (3 of 3): https://www.my.af.mil/EAI_JUNCTION/eai/auth (DOD CA-XX)
- Air Force Portal Virtual MPF Site: https://w20.afpc.randolph.af.mil/afpcsecurenet20/ (DOD CA-XX)
- Air Force Top Flite Website: https://logon.jag.af.mil (DOD CA-XX)
- Air Force Jag Site: https://aflsa.jag.af.mil/ (DOD CA-XX)



Reply Helpful (2)
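The identity-preference step quoted in the post above (Steps 11-12) can also be done from Terminal. This is an added example, not part of the original post or of militarycac.com: it assumes the `set-identity-preference` subcommand of macOS `security(1)` is present on your OS release, and the certificate common names are constructed placeholders.

```shell
#!/bin/sh
# Added example: Terminal form of Steps 11-12 ("New Identity Preference").
# Assumption: macOS security(1) provides set-identity-preference on your release.
# The certificate common names below are constructed placeholders.

DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands only, 0 = run them

# Identity preferences are matched against the URL, so reject anything that is
# not an absolute https URL or that contains a space (a common paste error).
valid_service() {
    case "$1" in
        *" "*) return 1 ;;
        https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command for one mapping. $1 = service URL, $2 = certificate CN.
pref_command() {
    valid_service "$1" || { echo "skip: bad URL '$1'" >&2; return 1; }
    [ -n "$2" ] || { echo "skip: no certificate name for $1" >&2; return 1; }
    printf 'security set-identity-preference -c "%s" -s "%s"\n' "$2" "$1"
}

# Read "URL|certificate CN" lines from stdin; non-zero exit if any line failed.
apply_prefs() {
    rc=0
    while IFS='|' read -r url cn; do
        [ -n "$url" ] || continue
        if cmd=$(pref_command "$url" "$cn"); then
            if [ "$DRY_RUN" = 1 ]; then
                echo "$cmd"
            else
                security set-identity-preference -c "$cn" -s "$url" || rc=1
            fi
        else
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: two URLs from the list above, placeholder certificate names.
apply_prefs <<'EOF'
https://akocac.us.army.mil/|LAST.FIRST.MI.0000000000
https://webmail.nmci.navy.mil|LAST.FIRST.MI.0000000000
EOF
```

Run it with `DRY_RUN=0` on the Mac once the printed commands look right; `security get-identity-preference -s <URL>` shows which identity is currently preferred for a URL.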

Sep 20, 2009 10:30 PM in response to mjruss

I've tried all the instructions in this thread and still nothing works. I am running 10.6.1 and a Litronic 215 (all the certs show up when I open Keychain). I've added the URL for USMC (https://webmail.nmci.usmc.mil) to my email cert and still it doesn't work. I echo the frustrations of others in that I was able to do this running 10.4 18 months ago. Then all of a sudden it stopped working. I had hope that upgrading to 10.6 would again grant me access but I still cannot seem to get this right. Any help is appreciated.


Sep 21, 2009 10:24 AM in response to sdirghalli

I am having the same problems accessing the USMC websites. I have identical hardware (Litronic 215) and it does show up on the keychain as everything works as expected. But Safari, Mail, etc. don't know how to look at it. I know you have to program which sites are supposed to look up the CAC card, but there is insufficient documentation out there to help us Marines out on that one. If someone knows how to upgrade the certificates on the keychain to reflect these websites it would be greatly appreciated.

Right now if I try to add an instance of a weblink it's like dropping it into a hole, and there are six identical certs when I look to add one. Is this right, or am I supposed to add the weblink to all certs? There must be an easier way!


Reply Helpful (1)

Sep 27, 2009 7:29 AM in response to wedge07

My latest challenges are: 1) getting Outlook Web Access (OWA) into the e-mail servers for the Joint Staff, and 2) Registering my new CAC with AF Portal, as my new CAC certificates are not registered/recognized.

Setting "New Identity Preference" (from the "File" menu) for your CAC certificates is part of the battle. As other posts have noted, of the three certificates on a DoD CAC, one includes an Identity key, an E-mail Signing Key, and an E-mail Encryption key. My IT contractors at work advise me OWA requires an identity preference mated to the E-mail signing key.

Another discovery: a previous post correctly noted the need for very accurate URL identification when creating an identity preference. Something I found helpful: creating an identity preference for "*.mil", that is, making the URL read *.mil/(whatever). The asterisk in the character string seems to work as you would hope/expect.

In order to get onto my OWA, I created an identity preference for the basic website (https://owa.js.mil), and then one for the popup address that follows (https://owa.js.mil/DODwarning). Along with a preference for *.mil, I can get about halfway there - the CAC is accessed, and I am prompted for my CAC password - but I am not sure the website actually responds, as I get an error message after the CAC is accepted:

"Safari can’t open the page “https://owa.js.mil/DODwarning/” because the server unexpectedly dropped the connection. This sometimes occurs when the server is busy. Wait for a few minutes, and then try again."

The suggested fix is to reset Safari - this has not resolved the issue. Monday, I will ask the IT folks if I have been able to access the server at all thus far, but if anyone knows how to get past the latest Safari warning, I will be grateful.

Regarding 2): AF Portal can be accessed by CAC, only if your CAC has been registered with Portal ahead of time. Although I could get to Portal with a username/password, Gunter Annex could not help register my CAC from within Portal. I will go back to work, register the card again, and see if it works from home.


Oct 28, 2009 10:24 PM in response to mjruss

EDS came out with instructions on doing this with NMCI (Navy CONUS network). I don't have a link and I can't attach the doc (it's long), but instructions are out there. Contact your IA guys. If they're any good, they have instructions. Otherwise, send me your email and I'll send it to you.


Nov 12, 2009 8:51 AM in response to mjruss

I will probably get dinged for this here but Apple Federal and I have been working on this and I have a post on my blog on how to do this. Apple Federal has been directing their clients here so I hope this helps.

How to set up Safari to access DOD sites:
http://www.applemacgeniusville.com/2008/10/06/setting-up-safari-for-cac-login-to-dod-websites/

How to set up Firefox to access DOD sites:

If you need other help on DOD issues, feel free to contact me. I work with Apple Federal regularly and I am also the Apple Program Lead for the US Army.

- Jonathan
