CAC card reader no longer working with Mac High Sierra 10.13.6

Participant I
Posts: 1
Registered: ‎09-24-2018
#1 of 2 525

CAC card reader no longer working with Mac High Sierra 10.13.6

I've had no issues with my CAC reader/access until today. I am using a SCR3310 v2.0, Mac High Sierra 10.13.6 and Centrify smart card assistant 5.4.2. In keychain, I already deleted all websites with Identity Preference and all DOD certs. New DOD certs were installed via MilitaryCAC.com.

In Centrify, the card status never gets past "Authentification attempts remaining: 2."

Thank you for any help you can provide.

Below is the log file from Diagnostics (I've removed email addresses below):

Smart card: VERGA.JARED.MICHAEL.1249313420
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=VERGA.JARED.MICHAEL.1249313420
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Not valid before: Wed May 05 24 00:00:00 2017 UTC
Not valid after: Sat May 05 23 23:59:59 2020 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.42,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41
Not valid before: Mon Nov 11 09 16:13:56 2015 UTC
Not valid after: Tue Nov 11 09 16:13:56 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
Not valid before: Tue Mar 03 20 18:46:41 2012 UTC
Not valid after: Sun Dec 12 30 18:46:41 2029 UTC
This certificate is valid
This certificate is trusted by the domain
** This certificate cannot be used for pkinit
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=VERGA.JARED.MICHAEL.1249313420
Email Address: 
NT Principal Name: 1249313420@mil
Not valid before: Wed May 05 24 00:00:00 2017 UTC
Not valid after: Sat May 05 23 23:59:59 2020 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.42,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41
Not valid before: Mon Nov 11 09 16:05:27 2015 UTC
Not valid after: Tue Nov 11 09 16:05:27 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
Not valid before: Tue Mar 03 20 18:46:41 2012 UTC
Not valid after: Sun Dec 12 30 18:46:41 2029 UTC
This certificate is valid
This certificate is trusted by the domain
This certificate can be used for pkinit, testing:
** Data signing failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Signature verification failed: Unknown PKCS#1 padding type 0x45
Public key encryption succeeded
** Private key decryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Private key encryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Public key decryption failed: Unknown PKCS#1 padding type 0x1f
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=VERGA.JARED.MICHAEL.1249313420
Email Address: 
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Not valid before: Wed May 05 24 00:00:00 2017 UTC
Not valid after: Sat May 05 23 23:59:59 2020 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.39,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41
Not valid before: Mon Nov 11 09 16:05:27 2015 UTC
Not valid after: Tue Nov 11 09 16:05:27 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
Not valid before: Tue Mar 03 20 18:46:41 2012 UTC
Not valid after: Sun Dec 12 30 18:46:41 2029 UTC
This certificate is valid
This certificate is trusted by the domain
** This certificate cannot be used for pkinit

Centrify Contributor III
Posts: 86
Registered: ‎09-23-2015
#2 of 2 495

Re: CAC card reader no longer working with Mac High Sierra 10.13.6

Hi @JV0331,

Welcome to the Centrify community!

May we know what recent changes were performed ever since the CAC card stopped working?

Also, if possible, can you perform an upgrade to our latest 5.5.1 agent to see if that helps with the issue?

If it still fails, can you help run the following command in terminal:

sctool -D > /tmp/sctool.log

Please send us the /tmp/sctool.log for further investigation. Thank you!

BR,

Ivan