DOD CAC Reader

First, you need to use an SMC SRC-331 reader.
Firmware must be 5.18 or higher.

Last I checked, you'll have to do the update on a Windows box.

You do not need drivers for the CAC reader.

There are many threads in the Apple Federal discussion list server.

You cannot use cac_setup on 10.4, nor can you use the FSCP in the apple federal store.

It's a completely different process.

HOWEVER, step 2E of the activation process requires a .diff file, which of course, can be attached here.

CAC Login For Mac OS X 10.4.6


1.Insert CAC in Reader

2.login as root

a. open a terminal window, and issue the following series of commands.

b. sc_auth hash [returns 3 lines of hash codes: Identity, Email Signing & Email Encryption]

c. sc_auth accept -u myuser -h <identity hash_from_step2b> [Substitute your user name for ‘myuser’]

d. nidump –r /users/myuser . [Make sure you include the dot.. This is to make sure user authentication authority is set up correctly. myuser is your user id]

e. Save the attached diffs file in an easy-to-get-to location. like the "Users" folder

f. cd /etc

g. cp authorization authorization.orig

h. patch -u -o /tmp/authorization.smartcard authorization.orig /users/smartcardauthdiffs.dat

i. diff -b /tmp/authorization.smartcard authorization.orig cp /tmp/authorization.smartcard authorization

3. Log out and you should see the box for your PIN instead of your Password

If you remove your CAC card, the screen will revert to userID/password.

Reinsert your CAC, wait a second or two, and your name and a prompt for PIN should appear.

Then there is the standard DOD warning....which is something else...

I've got an instruction set on how to do that...will post that as soon as I find it....

For the DOD warning, if you are on OS 10.3.x:

In Library/Preferences, edit the file: com.apple.loginwindow.plist

At the top of the file, right after:

<plist version="1.0">
<dict>

Insert the following text:

<key>LoginwindowText</key>
<string>This system blah, blah, blah, blah... the standard warning, as long as you'd like. Scroll bars will be added for really long ones.</string>

Note the capitalization in the key is vital. If not the same as above, it will not work


If you are on 10.4.x, you will need to use this process:
(You need to be root or su)

Open a terminal window.
Open a finder window and navigate to
Mac HD/Library/perferences

In the terminal window, issue
plutil -convert xml1 (drag and drop the file com.apple.loginwindow.plist from the finder window to the terminal window)

This will convert the binary plist into an XML plist which can then be edited in a text editor.
Open text editor, insert the appropriate key and string as shown above.
Save the file

Then in th terminal window issue

plutil -convert binary1 (drag and drop the com.apple.loginwindow.plist file from the finder window to the terminal window)

Which converts the XML version back to binary.
Reboot, and you should now have a scrolling warning box between the Apple logo and the user ids on the login window screen.

The problem is that everytime I type in the command sc_auth hash nothing comes out. I ran the psctest and it comes out successful, but that is about it. What am I doing wrong on the terminal?

Paul,

Pardon my ignorance. How can I check for a process CAC? Also, I am not sure what you meant aboout the Active or Open Directory.
I am new to MACs and not very proficient with these stuff.

What I am trying to access is MS Webmail at webmail.nmci.usmc.mil
It asks for a PIN after it reads my certificate. What directory the card needs to bind to, i have no idea.

You have given me more stuff than what I can find on the internet or the apple site. I am wondering why there is not a install process out there similar to a PC that will simplify all this stuff.

The problem is that everytime I type in the command
sc_auth hash nothing comes out. I ran the psctest
and it comes out successful, but that is about it.
What am I doing wrong on the terminal?

Your profile says MacBook Pro & MacBook.

I'm guessing you are having the problem on the MB Pro?

I actually have the MacBook Pro and my wife has the Macbook. I am trying to setup the CAC reader on the MacBook Pro.

I am new to Mac and getting really frustrated. I've contacted ActivCard and Saflink Litronic regarding CAC and MAC and both couldn't help. I appreciate if someone can write a procedure that breaks down complicated procedures to layman terms. I know several Marines currently in Iraq and in Afghanistan who are having the same problems and asking for help on this issue. I emailed Apple Federal folks and so far nothing from them. I am a little bit disappointed on Apple's support on this matter. This will actually make my life easier. Right now, if I travel on official duties, i am forced to lag around heavy PC Laptops in order to do my work instead of my high-priced MacBook Pro.

Anyone out there who can solve this issue, please chime-in and help us out.

Thanks

Semper Fi

go here:

http://lists.apple.com/mailman/listinfo/fed-talk

and join the list server.

Once you have joined, repost your question.
Specify you have an intel mac.

Also, once you are on the list-serv, one of us will then be able to e-mail you the smartcardauth.diff file you'll need to complete the process.

Finally solved my problem.

My problem was that I couldn't bind the card to the directory. I actually had it all along. I have a MB Pro running MAC OS X 10.4.8.

To make the CAC work with MAC OSX 10.4.X to access the NMCI Outlook Web Access ( https://webmail.nmci.usmc.mil, the following steps must be followed:

1. Flash the firmware on the CAC Reader.
2. Enable the certificates on the MB Pro, if unable to enable the certificates on the MB Pro, copy the certificates from the work computer to the MB Pro.
3. Use the CAC reader and the CAC and access the OWA.

That is it.