Issues with OS X 10.10.2
02-05-2015 06:41 AM - last edited 12-21-2015 01:55 AM
Centrify Express for Smart Card has been working fine for me, up until the 10.10.2 update. I have uninstalled, cleaned the cache and reinstalled Centry Express, but it does not make a difference. The issue is the smart card is not completely recognized the first time you stick it in the card reader. It does show up in Keychain Access, but you cannot unlock it. Also, only some of the information on the card shows up in Keychain Access (3 of the 4 certs for example). Removing the card and re-inserting it usually resolves the issue; everything appears in Keychain Access and the card can be unlocked and used. My particular card is a Gemalto DLGX4-A 144, but I believe it is happening with other cars as well. As I said, nothing like this happened prior to 10.10.2.
Solved! Go to Solution.
02-05-2015 06:51 AM
Just thinking of eliminating variables - What model of smart card reader are you using with the Mac?
Do you have access to an alternative reader (ideally a different model) and see if the issue still exists when using that to read the card?
If you still get partial info shown in the Keychain with different readers, then we know it's something on the software side. If the card shows up ok with a different reader, then we'll know it's something with the original reader itself.
02-05-2015 07:44 AM
Have you made sure the card readers are on the latest firmwares?
- You should be able to select your model and download the firmwares from here:
- There are also instructions provided here
02-05-2015 10:35 AM
So militarycac agrees that the SCR3310 v2 should work with OS X 10.10 (though the .2 is not confirmed)
The manufacturer page does have a later driver version than what's on militarycac though, so it might be worth updating that piece as well to be sure:
- (MacOS X driver download is at the bottom of the page)
You mentioned that you already tried clearing the cache and reinstalling, but I want to make sure we're covering all our bases - could you go through the Cleanup and Reinstall steps here so that we have a verified baseline:
The fact that it's returning only a partial set of all the certs on your card is most puzzling of all.
If possible, could you also confirm if the same thing also happens for other smart cards in the same reader as well?
02-05-2015 12:18 PM
The driver download at the manufacturers site is from 2012, predating OS X 10.9 and 10.10, so I would be very reluctant to install it. As I said, 10.9-10.10.1 all worked as expected with exactly the same hardware and smart cards, and using whatever driver Apple includes (we have never installed anything besides Centrify to enable smart card support).
Yes, those are the cleanup and reinstall steps I followed this morning before verifying that the problem still existed.
Yes, the same thing happens with other smart cards in the reader, in particular the G&D FIPS 201 SCE 3.2 card did exactly the same thing.
02-05-2015 12:55 PM
Thanks for confirming the steps.
Now that we have a definite baseline, I can ask our engineers to look into this and see if there is anything that needs to be done or insight that they could provide.
A completely wild theory by myself would be that 10.10.2 is doing some extra processing that is "slowing down" the reading of the card data.
- The first time you insert the card, it's somehow not able to read all the info off the card in time and so only pulls in some of the card info.
- When you take it out and put it back in, it already has some of that card data read in and so just needs to pull the rest of the info off and properly populate the keychain.
This is pure conjecture, but it might explain the behaviour that you're seeing.
One extra thing that might be helpful:
- When you insert the card the first time, is the card prefix in the keychain shown as "CAC", "CACNG", "PIV" or something else?
- Then when you insert the card a second time to get the full cert load, does this string change, or is the card type and serial number in the keychain name exactly the same as the first insert?