PIV Card Woes with Citrix Viewer

Question

PIV Card Woes with Citrix Viewer

I'm wondering if anyone has gotten their PIV Smart Card to work reliably for remote access to their Department of Veteran's Affairs computer account using Citrix Viewer.

I have:

MacBook Pro running OS X El Capitan 10.11.3

SCM SCR3500 A smart card reader

PKard 'middleware' smart card software

Citrix Viewer 12.0.0

Safari 9.0.3

After many hours of tech support calls I was finally able to log on remotely with my PIV card and PIN, but when the Citrix viewer window times out- it prompts me for my PIN three times then crashes. I get a "Safari Cannot find server....' message. If I have apps open I can continue to work, but if I close them, I cannot usually log back on. I've tried closing the Safari window, closing Safari and restarting it and even restarting the computer and usually still can't log back in. If I wait a few hours or overnight, I might be able to log in.

Has anyone had similar problems and found a fix?

MacBook Pro, OS X El Capitan (10.11.3)

Posted on Mar 7, 2016 2:50 PM

Reply

Answer 1

Mar 21, 2016 7:30 AM in response to Danielfromst petersburg

Dan

Before posting my thread I did a search and did NOT find yours until afterward for some reason. I think we are both dealing with the same crazy issue and I was wondering if you found anything to use with your Mac system for a PIV Card?

This is what I just posted now:

Any Gov Employees Using "PIV Card" Readers?

I was told there are ZERO chances of using a PIV Card on any Mac but this cannot be so (Can it?) lol.

Ive read there are others using "CAC Cards" via Mac but why no PIV use? And why isn't there any software to allow the Gov Car Reader to be recognized for the purpose of using our VA Badges to log on? Are you also using the Mobile Pass OTP Token System to log in via CAG? UGH!!

Reply

Answer 2

Mar 21, 2016 8:35 PM in response to GunnyFitz

GunnyFitz

I am using my PIV card with my Mac but it is pretty clunky. Here's what I have to do.

Insert the PIV card in the reader before connecting to the CAG site

Log in by Clicking the PIV login Icon and entering my PIN

Wait for Citrix to load- THEN REMOVE THE CARD FROM THE CARD READER

If you don't remove the card you cannot start any applications

When you start an application- you get a Windows Log On screen- DON'T TRY TO USE YOUR CARD- click Other User and use your password

The App will start

When you start subsequent apps- a dialog box will pop up with a certificate highlighted- click CANCEL and the app will start (if you click CONTINUE it will prompt you 3 times and crash)

Not elegant, tiresome, but it works.

The only thing is that if you need to log back on with in an hour or so of logging off- you may have to restart your computer.

Reply

Answer 3

Mar 21, 2016 8:41 PM in response to GunnyFitz

Forgot to mention- I am in a "PIV Enforced" group, from my understanding I am not permitted to use Mobile Pass so I haven't tried. (But, I have considered removing my Sun Pass transponder from my car and sticking it on the computer- If it works at all- it might be better than my PIV card.)

Reply

Answer 4

dr.nixon

Level 1

17 points

Jul 18, 2016 7:02 AM in response to Danielfromst petersburg

Absolutely. This is the same "fix" that was found to work at our VA - pull card out BEFORE launching the CAG. However, once CAG has been launched, and you get the login prompt, you're safe to plug the card back in again and then use PIV for login (as of Aug 4 2016, you will HAVE to do this - no password accepted for login after that date).

One user has had issues with incorrect credentials - he has to open Keychain and clear anything saved that includes "CAG" between logins, but otherwise things work.

With proper middleware installed (OpenSC, pre-release beta) we got it to work in Firefox as well, same issue with having to pull card, but the behavior was more erratic - user was unable to log out without a program hang, and was hit with weird repeated login requests during the process. Stick with Safari for now, unless the middleware has finally been updated to a release version that works with El Capitan.

Reply

Answer 5

Redaunt

Level 1

4 points

Sep 12, 2016 5:53 AM in response to Danielfromst petersburg

when I try to log in using PIV (and by that I mean just clicking on the PIV log on icon), I get this message:

Error: Access is Denied. Client SSL Certificate Invalid.

I can't even do the put the PIV card in, take it out maneuver.

Reply

Answer 6

Sep 27, 2016 6:07 AM in response to Danielfromst petersburg

This problem has definitely been solved. I have El Capitan 10.11.6 and login without problems with my PIV.

Here is what you do:

1. Go to: http://rescue.vpn.va.gov/ and login

2. On the left side menu go to Citrix(CAG) and select 'Media'.

3. Scroll down to the 'Citrix Software' and download the Mac OS X 10.11 - CAG OE Remote Bundle Package.

4. Also download the Citrix Documentation > CAG OE Macintosh's User Guide

Follow the instructions and enjoy. You do have to set up your security certificates but the documentation walks you through each step. It took 10 minutes to setup and has been working well for me.

Reply

Answer 7

Oct 5, 2016 8:32 AM in response to justinkase365

Thank you justinkase365 - unfortunately for me, those instructions did not work.

I followed them completely including downloading the CAG OE Remote Bundle Package and running it, followed the Guide to Trust all the certificates, restarted everywhere I was supposed to.

For me, the error comes once an application or the desktop opens and the Windows Login Screen shows

Reading Card - the error that pops up is No Valid Certificates Found Check that the card is inserted correctly and fits tightly.

The card does fit tightly. The card works on PCs that are directly on the VA network. The card was working prior to the most recent changes.

Reply

Answer 8

Oct 5, 2016 12:15 PM in response to mikeydapple

Sorry this isn't working for you. Afraid I won't be good at troubleshooting. This has continued to work well for me this past month. A few suggestions: get a new PIV reader from the VA; and make sure you are using Safari. I've had no luck with anything other than Safari.

Reply

Answer 9

Oct 19, 2016 9:43 PM in response to mikeydapple

You may need authorization from your ISO to use remote access. It doesn't sound like a card reader issue but for what it's worth, I just got up and running with the SCR3310v2 reader using the Firefox Browser (on an iMac). Since you got as far as you did, it tells me everything is set up correctly and that you should look to make sure you have the appropriate certificates - which would be done via your internal information security officer (ISO).

Reply

Answer 10

Oct 26, 2016 8:13 AM in response to vhastcwirthj

I have authorization, as I'm able to use my PIV for CAG access from a PC. This seems to have something to do with El Capitan and Citrix as far as I can tell, but don't know enough to troubleshoot further.

Reply

Answer 11

Cerniuk

Level 1

27 points

Nov 9, 2016 6:47 AM in response to Danielfromst petersburg

In my case it is a pure macOS 10.12.1 installation with no extra smart card supporting software. Just the native smart card support used with a standards based reader (SCM SCR5300). It works fine for a while then it develops SSL problems and shows this in the browser:

"Error: Access is Denied. Client SSL Certificate Invalid."

If I create another macOS user account, it works fine in there for a while, then develops the same problem. If I rebuild my machine from scratch and hand move all my data back in folder by folder, it works fine for a while and develops the problem. If I rebuild my machine from scratch and restore my account from Time Machine... same story.

Right now I have to create a new user account every couple of days...

Reply