macOS Sierra 10.12.2 DOD CAC Access Issues

Participant II
Posts: 3
Registered: ‎12-27-2016
#1 of 16 4,167

Please Help,

 

I'm unable to access web.mail.mil or us.army.mil (AKO) via CAC/PIV. 

The common error I receive is "Safari can't establish secure connection to the server 'certificate.us.army.mil'" or "Safari can't open page because the server unexpectedly dropped the connection" (server busy...try again...etc.)

Same thing for https://jkodirect.jten.mil/ 

 

My CAC shows up in my Keychains as CACNG and I can read the info on the CAC (The reader LED light is solid green when CAC is inserted).

I added the SystemCACertificates into keychains as well as into System.

I added MacAllCerts and MacRootCert 2, 3, and 4 into System and Login.

DOD Root CA 2 certificate was modified to always trust (I read on one thread to delete this cert but haven't yet).

I have run the Centrify diagnostic tool and saved a copy of the log.

 

I'm running a new

MacBook Pro (Retina, 15-inch, Mid 2015)

   macOS Sierra 10.12.2

CAC Reader:

    SCR33xx v2.0 USB SC Reader:  Version: 6.01

Centrify Express for Smart Card 5.3.3

 

I am a single persona user and have not installed any other CAC enablers other than Centrify and have un/reinstalled multiple times clearing out the tokends as directed on this forum as well as militaryCAC.

I'm simply trying to access these CAC enabled DOD websites to be able to check .mil emails and to complete required training courses as a satellite employee working from home.

I'm computer savvy enough to be dangerous but can follow your instructions (i.e., I'm 'dumb' but trainable ;))

 

Thanks in advance for your help

 

Centrify
Posts: 21
Registered: ‎09-23-2015
#2 of 16 4,109

Re: macOS Sierra 10.12.2 DOD CAC Access Issues

Hi @MikeMike,

 

Welcome to the Centrify community!

 

A couple of things I have noticed from your description:

 

1) SystemCACertificates does NOT need to be added to the Keychain.

Therefore, please remove it from the Keychain first.

 

2) Also please remove the 2 old DoD certificates as well.

 

3) Once done, please visit the following website to download the appropriate DoD rootCA certs:

 

https://militarycac.com/macnotes.htm

 

Once done with the instructions above, please give it a try again and keep us posted with the result. Thank you!

 

BR,

Ivan

Participant II
Posts: 3
Registered: ‎12-27-2016
#3 of 16 4,085

Re: macOS Sierra 10.12.2 DOD CAC Access Issues

Ivan,

Thanks for responding. I'm still dead in the water.

 

1) SystemCACertificates is NOT needed to add into Keychain
Therefore, please first remove it from the Keychain first.

    
I removed the SystemCACertificates keychain.

 

2) Also please remove the 2 old DoD certificates as well.

 

I don't know which specific certificates are the 2 old DoD certs to remove, so that hasn't been done.

 

3) Once done, please access into the following website to download the appropriate DoD rootCA certs:

 

I have all of the DoD CA certs as well as rootCA certs, 2, 3, and 4 loaded in both the login and system keychains. This redundancy shouldn't be a problem, correct? Previously, I only had them saved in the login keychain. 

 

I've attempted to reaccess CAC enabled sites and am receiving the same "Safari can't open the Page... Safari can't establish a secure connection to the server for 'x certificate'" (.mil sites).

 

I've opened Centrify in Utilities and it shows Card Status: <Blank>  Reader: SCR 3310 Status: Authentication attempts remaining: 3.

 

Thanks in advance for your help, again.

 

 

Participant II
Posts: 3
Registered: ‎12-27-2016
#4 of 16 4,079

Re: macOS Sierra 10.12.2 DOD CAC Access Issues

Update:

Still no change regarding CAC access; unable to access sites via CAC

 

On at least two .mil sites I'm getting similar error messages:

"Safari can't open the page "https://xxxxxxxxxx" because the server unexpectedly dropped the connection. This sometimes occurs when the server is busy. Wait for a few minutes and then try again."

 

What is interesting is that I'm getting the same message whether the CAC reader is plugged in or not when trying to access these sites. But, I can see the proper CAC Keychain and certificates when the CAC reader is plugged in with the CAC inserted. In layman's terms, it seems as if the websites can't 'see' the CAC and certs even though they are quite visible on the computer itself???

I hope I haven't confused the issue.

Centrify Advisor III
Posts: 73
Registered: ‎02-18-2015
#5 of 16 4,032

Re: macOS Sierra 10.12.2 DOD CAC Access Issues

Hi MikeMike,

 

Thanks for your update. 

 

Could you please provide us with the diagnostic log from Centrify Smart Card Assistant:

 

1. Open up Smart Card Assistant

2. Go to Diagnostics

3. Click "Run"; you will be required to input the PIN

4. Once finished running, please click "Save to Desktop" to save the diagnostic

 

Please upload the file or paste the diagnostics to this post. Thanks!

 

Regards,

Albert

Participant II
Posts: 2
Registered: ‎01-25-2017
#6 of 16 3,874

Re: macOS Sierra 10.12.2 DOD CAC Access Issues

I am having issues as well:

 

CACNG

SCR3500 reader

OS X 10.12.2

Centrify 5.3.3

 

If I unlock the Keychain via Outlook everything works fine there reading and sending S/MIME, but if, while the card is unlocked in Keychain, I try to access a CAC-protected website via Chrome or Safari it fails with SSL private key not found errors.  If I then manually lock the CAC in Keychain and try again in Chrome/Safari they prompt for my CAC pin and everything works fine.

 

I think there is a conflict between Keychain Access and WebKit networking: if Keychain has the CAC unlocked then WebKit networking cannot use it and vice-versa. Not sure this is a Centrify or OS X issue.

Centrify
Posts: 21
Registered: ‎09-23-2015
#7 of 16 3,853

Re: macOS Sierra 10.12.2 DOD CAC Access Issues

Hi @akreffett,

 

Welcome to the Centrify community!

I believe it's easier for us to further investigate the issue with the proper log files. Therefore, please perform the following to provide us with the Diagnostic output:

 

- Open Smart Card Assistant

- Navigate to the Diagnostics tab

- Press "Run" at the bottom right (you will be required to input the PIN)

- You can save the output to the Desktop by clicking "Save to Desktop" at the bottom left.

 

Meanwhile, please get us the /var/log/system.log for further investigation.

 

Please let us know if you have any questions.

 

Kind Regards,

Ivan Chan

Participant II
Posts: 2
Registered: ‎03-09-2017
#8 of 16 3,236

Re: macOS Sierra 10.12.2 DOD CAC Access Issues

Was there any resolution to this issue? I have a Sierra Macbook that we just imaged that is having the same exact issues.

Centrify Advisor III
Posts: 73
Registered: ‎02-18-2015
#9 of 16 3,226

Re: macOS Sierra 10.12.2 DOD CAC Access Issues

Hi dciciora,

 

Welcome to Centrify.

 

We are waiting for a diagnostic log to better understand what the issue is and how to solve it. If you are seeing the same, could you refer to Ivan's comment above and collect a set of diagnostic logs for us? Please also provide the type of card and the version of Smart Card Assistant that you are using. Thank you!

 

Best Regards,

Albert

Participant II
Posts: 2
Registered: ‎03-09-2017
#10 of 16 3,198

Re: macOS Sierra 10.12.2 DOD CAC Access Issues

I have the logs, but where do I upload them to? Or do I just paste it here?

 

I am using a DoD Military CAC, GEMALTO DLGX4-A.

 

I am using CentrifyDC 5.4, and whatever smart card assistant goes with it.