
NOT-WORKING - CAC CARD INSTALL & DOD CAC ENABLED WEBSITES

Participant I
Posts: 1
Registered: ‎04-24-2017

I have done the install and then the troubleshooting for installing the CAC card reader, enabler, and particular certificates for the CAC card as suggested on militarycac.com. I have also tried the troubleshooting for these as well. I can now use the CAC card to digitally sign in Adobe, but am no longer prompted to use it to sign into my computer. I have tried signing into my mail.mil account using Safari, Chrome, and Firefox (manually installed the certs/authorities and manually "trusted" them for Firefox). I went through all the certs in my keychain and manually trusted the "x" ones. I have also deleted the certs that militarycac.com specifies Mac users should delete. I have done so much troubleshooting, deleting, and manipulating that I am afraid I don't know if I have messed things up more or actually fixed things. This is a new computer and my CAC card has never worked properly (I first had a Cherry ST-1044 USB Smart Card; websites did not work, Adobe digital sign did not work, and it was not showing up properly in my keychain or in my "About Mac"). It did, however, work when I started up my computer: it used the CAC as sign-in instead of username/password (with my new SCR 3310 this does not work). I changed CAC card readers to the SCR 3310 v2 in hopes that this would work, but no luck. Note that I can access these websites via my Fed Dell, my personal Dell, and my State Gov Dell.

Here are the details of my software/hardware:

1) MacBook Pro Late 2017 w/ Touch Bar with integrated Touch ID sensor
2) OS Sierra 10.12.4
3) SCR 3310 v2 CAC card reader
4) Browser - Safari Version 10.1 (12603.1.30.0.34)
5) Chrome - Version 57.0.2987.133 (64-bit)
6) Firefox - 52.0.2 (64-bit)
7) Centrify Smart Card Assist Version 5.3.3 (533602)
8) Security/antivirus (have Avast Free, but it is not installed - wanted to figure out the CAC card issue first)
9) CAC card chip type GEMALTO DLGX4-A 144

Websites I need to access (representative list) - errors on Chrome (different errors on Safari & Firefox, but I still can't log in). I have also tried clearing all cookies & browsing history, allowing all exceptions for these sites, and adding "trust" to all content types for these sites.

1. AKO https://www.us.army.mil

  • Chrome - click on sign in using CAC - CAC credentials popup and I select DOD IS CA-33 with my name - error message after typing in the CAC PIN - https://www.us.army.mil/suite/login/cacRegError.ext?error=7 (I called AKO to see if there were other issues for this site, and they have reset my account to make sure) - I will wait on this issue.

2. GKO - https://gko.ngb.army.mil/

  • Chrome - splash loads fine, but then login gives me ERR_TIMED_OUT when trying to reach https://gkoportal.ng.mil
  • Firefox - splash loads fine - then no popup to select CAC details and no prompt for the PIN, then I get the error page
  • Safari - splash works fine
    • does not pop up for profile CAC selection or CAC PIN, then I get this page

3. EMAIL

  • Chrome
    • https://web.mail.mil - after I click OK on the splash page, I select my email CAC profile from the drop-down and enter my PIN. In Chrome = ERR_TIMED_OUT. When I use https://web-mont01.mail.mil/ I get ERR_SSL_PROTOCOL_ERROR with this email URL.
    • OR for web.mail.mil it will give me:

"Your session could not be established.

The session reference number: 12c2e4de

BIG-IP can not find session information in the request. This can happen because your browser restarted after an add-on was installed. If this occurred, click the link below to continue. This can also happen because cookies are disabled in your browser. If so, enable cookies in your browser and start a new session.

Thank you for using BIG-IP.

To open a new session, please click here."

    • SCREEN SHOWS - WITH OUTLOOK ICON & LOGO
      • Use the following link to open this mailbox with the best performance:
      • Connected to Microsoft Exchange
      • then in the redirect splash policy page, I click OK on the policy page and I get this error:

"Your session could not be established.

The session reference number: b896d5aa

Access was denied by the access policy. This may be due to a failure to meet access policy requirements.

If you are an administrator, please go to Access Policy >> Reports : All Sessions page and look up the session reference number displayed above.

To open a new session, please click here."

  • Firefox
    • for https://web.mail.mil & https://web-mont01.mail.mil/owa - I get to the splash policy page, click OK, then I get this error (same with the exception of the URL address):

Secure Connection Failed
An error occurred during a connection to web.mail.mil. SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

I was going to try to attach the screenshots I had of everything, but I am unable to do that or put them in text, so hopefully what I have provided is enough. Below is the log from Centrify.

 

Thank you in advance; any help/advice would be greatly appreciated (as Apple, the G6 and other Fed IT have not been any help),

Shelby


CENTRIFY RUN 20170424 - 1321

Smart card: MANNEY.SHELBY.ARICA.1516595198

Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=MANNEY.SHELBY.ARICA.1516595198

** This certificate has no NT Principal Name

** This certificate has not been mapped to any user

Not valid before: Mon Jun 06 07 00:00:00 2016 UTC

Not valid after: Fri Dec 12 01 23:59:59 2018 UTC

This certificate is valid

Policies specified: .2.16.840.1.101.2.1.11.9, .2.16.840.1.101.2.1.11.19,

** Could not get issuer certificate: Issuer certificate for /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=MANNEY.SHELBY.ARICA.1516595198 not found

** This certificate cannot be used for pkinit

Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=MANNEY.SHELBY.ARICA.1516595198

Email Address: shelby.a.manney.nfg@mail.mil

NT Principal Name: 1516595198@mil

Not valid before: Mon Jun 06 07 00:00:00 2016 UTC

Not valid after: Fri Dec 12 01 23:59:59 2018 UTC

This certificate is valid

Policies specified: .2.16.840.1.101.2.1.11.9, .2.16.840.1.101.2.1.11.19,

Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-33

Not valid before: Tue Sep 09 23 13:34:57 2015 UTC

Not valid after: Tue Sep 09 22 13:34:57 2021 UTC

This certificate is valid

This certificate is trusted by the domain

Policies specified: .2.16.840.1.101.2.1.11.5, .2.16.840.1.101.2.1.11.9, .2.16.840.1.101.2.1.11.17, .2.16.840.1.101.2.1.11.18, .2.16.840.1.101.2.1.11.19, .2.16.840.1.101.3.2.1.3.26, .2.16.840.1.101.3.2.1.3.27,

Require Explicit Policy at depth 0

Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2

Not valid before: Sun Dec 12 13 15:00:10 2004 UTC

Not valid after: Tue Dec 12 05 15:00:10 2029 UTC

This certificate is valid

This certificate is trusted by the domain

This certificate can be used for pkinit, testing:

Data signing succeeded

Signature verification succeeded

Public key encryption succeeded

Private key decryption succeeded

Decrypted data matched original

Private key encryption succeeded

Public key decryption succeeded

Decrypted data matched original

Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=MANNEY.SHELBY.ARICA.1516595198

Email Address: shelby.a.manney.nfg@mail.mil

** This certificate has no NT Principal Name

** This certificate has not been mapped to any user

Not valid before: Mon Jun 06 07 00:00:00 2016 UTC

Not valid after: Fri Dec 12 01 23:59:59 2018 UTC

This certificate is valid

Policies specified: .2.16.840.1.101.2.1.11.9, .2.16.840.1.101.2.1.11.19,

Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-33

Not valid before: Tue Sep 09 23 13:34:57 2015 UTC

Not valid after: Tue Sep 09 22 13:34:57 2021 UTC

This certificate is valid

This certificate is trusted by the domain

Policies specified: .2.16.840.1.101.2.1.11.5, .2.16.840.1.101.2.1.11.9, .2.16.840.1.101.2.1.11.17, .2.16.840.1.101.2.1.11.18, .2.16.840.1.101.2.1.11.19, .2.16.840.1.101.3.2.1.3.26, .2.16.840.1.101.3.2.1.3.27,

Require Explicit Policy at depth 0

Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2

Not valid before: Sun Dec 12 13 15:00:10 2004 UTC

Not valid after: Tue Dec 12 05 15:00:10 2029 UTC

This certificate is valid

This certificate is trusted by the domain

** This certificate cannot be used for pkinit


Centrify Advisor III
Posts: 73
Registered: ‎02-18-2015

Re: NOT-WORKING - CAC CARD INSTALL & DOD CAC ENABLED WEBSITES

Hi Shelby,

Thank you for your inquiry and welcome to Centrify.

From the information you have given, there are a few points that might have caused this to fail:

 

1. The certificates that you imported actually do not need to be trusted manually. If they need to be trusted manually, that means something is wrong with the cert itself or you did not import the DoD certs for those certs.

 

2. Have you imported the DoD certs into the System keychain? This is because since 10.12, Apple dropped the SystemCACertificate.keychain, which means you will need to import all the DoD certificates into the System keychain for now. You can find more details regarding this issue in the thread below:

 

http://community.centrify.com/t5/Centrify-Express/SystemCACertificate-keychain-not-on-system/td-p/25...

 

3. From the output for the email site, it indicates that the secure connection could not be established; it is very likely the issue is that the certificates could not be recognised due to 1 & 2 above.

 

4. For the timeout error, have you checked with the GKO website on whether they have any issues with this? Could you also upload a system log with this issue reproduced, so we can check as well? This is because the timeout could have happened either when trying to connect to the website or while finding the certificate on the Mac.

 

Also, we wanted to know if you have this working on other Macs. Thank you.

 

Best Regards,

Albert
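A small triage helper, added here as an example (not Centrify's code and not part of either post), that parses the Smart Card Assist report format shown in the first post and labels each certificate with the cause Albert separates out: a chain gap (the issuing DoD CA could not be found, points 1 and 2) versus a missing NT Principal Name, which is a user-mapping problem rather than a keychain one. The sample log is constructed with placeholder names in the same shape as the posted output.

```python
# Triage helper for Centrify Smart Card Assist output (added example, not Centrify's code).
# SAMPLE_LOG is a constructed, abbreviated copy of the report format from the thread.
SAMPLE_LOG = """
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=LAST.FIRST.M.1234567890
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
** Could not get issuer certificate: Issuer certificate for /CN=LAST.FIRST.M.1234567890 not found
** This certificate cannot be used for pkinit
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=LAST.FIRST.M.1234567890
NT Principal Name: 1234567890@mil
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-33
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
This certificate can be used for pkinit, testing:
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=LAST.FIRST.M.1234567890
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-33
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
** This certificate cannot be used for pkinit"""

def parse_report(text):
    """Split the tool output into one dict per 'Certificate:' block."""
    certs = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Certificate:"):
            certs.append({"subject": line.split(":", 1)[1].strip(), "npn": None,
                          "issuers": [], "warnings": [], "pkinit_ok": None})
        elif not certs:
            continue  # ignore anything before the first certificate block
        elif line.startswith("NT Principal Name:"):
            certs[-1]["npn"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:"):
            certs[-1]["issuers"].append(line.split(":", 1)[1].strip())  # chain the tool built
        elif line.startswith("**"):
            certs[-1]["warnings"].append(line[2:].strip())
            if "cannot be used for pkinit" in line:
                certs[-1]["pkinit_ok"] = False
        elif line.startswith("This certificate can be used for pkinit"):
            certs[-1]["pkinit_ok"] = True
    return certs

def diagnose(cert):
    """Label a certificate with the causes the reply distinguishes."""
    causes = []
    if any(w.startswith("Could not get issuer certificate") for w in cert["warnings"]):
        causes.append("chain")    # issuing DoD CA is not in the System keychain
    if cert["npn"] is None:
        causes.append("mapping")  # no NT Principal Name, so nothing to map to an AD user
    return causes
```

Run over the posted log, the first certificate would show both causes, the email certificate none, and the last one only the mapping cause, which is why only the email certificate passes the pkinit test.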