Centrify - Securing the Cross Platform Data Center

The Centrify Apple Guys

LMcAndrew

OS X 10.7.3 and Smart Card Support

by ‎02-02-2012 02:20 PM - edited ‎05-10-2012 03:48 PM

This article has been marked obsolete due to the release of 10.7.4. You can read the update here. 

http://community.centrify.com/t5/The-Centrify-Apple-Guy/OS-X-10-7-4-and-the-Smart-Card-login-window/...

If you are using 10.7.3 and smart cards, please update to 10.7.4.

 

We've just received the 10.7.3 released version of OS X.

We did some testing with smart cards and can confirm that the login dialog now properly prompts for the smart card PIN when the card is inserted. 

 

First a little background information. When 10.7 was released, Apple had removed the drivers to support specific smart card types, but left in the underlying smart card infrastructure. Centrify has built replacement smart card drivers in our DirectControl product. We provide native support for CAC, CACNG and PIV smart cards.

This was available when 10.7 shipped, but a small issue existed with the login screen. It wouldn't properly recognize when a card was inserted into a reader, and the user wasn't prompted to enter their PIN.

 

Fast forward to 10.7.3 and now the small issue with the login screen has been partially resolved. 

 

However, there's a trick to it.

 

If your login window is configured to display the Username and Password prompt, then it won't work. When the card is inserted the login screen will go blank.

[Image: Blank Login]

(No PIN prompt is displayed. In fact, nothing is displayed.)

 

You need to set the login window to display the "List of Users". 

 

[Image: Screen Shot 2012-02-02 at 1.49.29 PM.png]

 

Now when you return to the login window and insert your card, you will see something like this:

[Image: _smartcardLoginWindowII.png]

 

This display problem is a bug and it's been reported to Apple.

 

However, if the card is inserted and the screen doesn't change, or blink, or switch to the PIN prompt, or go blank, it means you have other problems related to your smart card trust chain. We've done a lot of work figuring out how to diagnose those types of problems.

 

Contact us at Centrify and we'll help you out.

Comments
by iRick on ‎02-04-2012 01:02 AM

Is it possible to somehow buy a smart card for personal (like not for government) use and log into Mac OS X with it?

by on ‎02-13-2012 11:13 AM

I see a few challenges here:

 

I'm not sure how you buy one smart card. 

 

Our customers set up a whole smart card/PKI system that's integrated into Active Directory. 

 

I don't think you can link a personal smart card to your Active Directory account. 

 

If other readers have any ideas, hopefully they can contribute.

 

 

 

by Timo on ‎03-07-2012 04:06 AM

You could take a Smart Card and connect the Smart Card hash with your account, as long as it is available locally on the Mac (I used it with a Mobile Home account). Here is how:

    1. Get hash of the card: In the Terminal enter 'sc_auth hash'
    2. Copy the hash you need (it's your card, you will have to know which one is the right one).
    3. Connect the hash to your account: In the Terminal enter 'sc_auth accept -u USERNAME -h HASH' where USERNAME is your user's short name and HASH is the hash you copied in step 2.
    4. Now log out and try to log in with your card.

Have fun.

Timo
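A dry-run helper for the pairing steps in the comment above, added here as an example; it is not part of the original comment or of any Centrify tooling. It assumes each `sc_auth hash` line has the form `<40 hex digits> <key name>`; the sample hashes, key names and the user `alice` are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Assumption: each `sc_auth hash` line is "<40 hex digits> <key name>".

# Constructed sample standing in for `sc_auth hash` output (not a real card).
sample_hashes() {
cat <<'EOF'
0123456789ABCDEF0123456789ABCDEF01234567 PIV Authentication Key
89ABCDEF0123456789ABCDEF0123456789ABCDEF Digital Signature Key
EOF
}

# pick_hash PATTERN: read hash lines on stdin and print the hash of the one key
# whose name contains PATTERN (case-insensitive). Fails when zero or several
# keys match, or when a matching line does not carry a 40-digit hex hash.
pick_hash() {
    awk -v pat="$1" '
        BEGIN { pat = tolower(pat) }
        {
            hash = $1
            name = $0; sub(/^[^ \t]+[ \t]+/, "", name)
            if (index(tolower(name), pat) == 0) next
            if (length(hash) != 40 || hash !~ /^[0-9A-Fa-f]+$/) { bad = 1; next }
            found[++n] = hash
        }
        END {
            if (bad || n != 1) exit 1
            print found[1]
        }'
}

# valid_user NAME: accept only conservative short names (no spaces, no leading
# dash) so the value cannot be read as an option or split into extra arguments.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        -*) return 1 ;;
    esac
}

# build_accept_cmd USER PATTERN: print the pairing command for review; nothing
# is executed, so the hash can be checked before it is bound to the account.
build_accept_cmd() {
    valid_user "$1" || { echo "invalid user name" >&2; return 1; }
    card_hash=$(pick_hash "$2") || { echo "need exactly one matching key" >&2; return 1; }
    printf 'sc_auth accept -u %s -h %s\n' "$1" "$card_hash"
}

# Demo on the constructed sample; on a Mac, pipe `sc_auth hash` in instead.
sample_hashes | build_accept_cmd alice "authentication"
```

Refusing an ambiguous match matters here because a card usually carries more than one key, and pairing the wrong hash leaves the login window unable to match the card to the account.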

by enrique suarez garcia(anon) on ‎01-23-2013 03:04 PM

Good

 
