Unable to login with CAC on MAC HIGH SIERRA 10.13.6

Participant I
Posts: 1
Registered: ‎10-24-2018
#1 of 2 402

Unable to login with CAC on MAC HIGH SIERRA 10.13.6

Hi,

 

I am unable to login to the sites I need via my card reader. I have tried on both Chrome and Safari. The military login site gives an error of "No Client Certificate presented".

 

I have removed the built-in CAC enabler for High Sierra as suggested on another website, so only Centrify remains (or at least I think I have).

 

First, I noticed on the Diagnostics instructions that it says to open Keychain and make sure the smart card reader is there. I don't see the smart card reader in there anywhere, but the status on Centrify does say "Authentication Attempts Remaining: 3". Is there something I need to do to get it into Keychain? Or perhaps I'm not looking for the right thing in Keychain.

 

Any help is greatly appreciated!

 

I ran diagnostics and here is my log:

 

Smart card: THOMPSON.ROBERT.EARON.116531080
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=THOMPSON.ROBERT.EARON.1165310809
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Not valid before: Thu Jun 06 07 00:00:00 2018 UTC
Not valid after: Mon May 05 20 23:59:59 2019 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.42,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41
Not valid before: Mon Nov 11 09 16:13:56 2015 UTC
Not valid after: Tue Nov 11 09 16:13:56 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
** Could not get issuer certificate: Issuer certificate for /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41 not found
** This certificate cannot be used for pkinit
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=THOMPSON.ROBERT.EARON.1165310809
Email Address: robert.e.thompson202.mil@mail.mil
NT Principal Name: 1165310809@mil
Not valid before: Thu Jun 06 07 00:00:00 2018 UTC
Not valid after: Mon May 05 20 23:59:59 2019 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.42,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41
Not valid before: Mon Nov 11 09 16:05:27 2015 UTC
Not valid after: Tue Nov 11 09 16:05:27 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
** Could not get issuer certificate: Issuer certificate for /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41 not found
This certificate can be used for pkinit, testing:
** Data signing failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Signature verification failed: Unknown PKCS#1 padding type 0x1d
Public key encryption succeeded
** Private key decryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Private key encryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Public key decryption failed: Unknown PKCS#1 padding type 0xad
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=THOMPSON.ROBERT.EARON.1165310809
Email Address: robert.e.thompson202.mil@mail.mil
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Not valid before: Thu Jun 06 07 00:00:00 2018 UTC
Not valid after: Mon May 05 20 23:59:59 2019 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.39,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41
Not valid before: Mon Nov 11 09 16:05:27 2015 UTC
Not valid after: Tue Nov 11 09 16:05:27 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
** Could not get issuer certificate: Issuer certificate for /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41 not found
** This certificate cannot be used for pkinit
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=THOMPSON.ROBERT.EARON.1165310809
NT Principal Name: 1165310809121004@mil
Not valid before: Thu Jun 06 07 00:00:00 2018 UTC
Not valid after: Mon May 05 20 23:59:59 2019 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41
Not valid before: Mon Nov 11 09 16:13:56 2015 UTC
Not valid after: Tue Nov 11 09 16:13:56 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
** Could not get issuer certificate: Issuer certificate for /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41 not found
This certificate can be used for pkinit, testing:
** Data signing failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Signature verification failed: Unknown PKCS#1 padding type 0xc3
Public key encryption succeeded
** Private key decryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Private key encryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Public key decryption failed: Unknown PKCS#1 padding type 0xc3

 

 

 

Centrify Contributor I
Posts: 13
Registered: ‎10-06-2015
#2 of 2 371

Re: Unable to login with CAC on MAC HIGH SIERRA 10.13.6

Hello and welcome to the community!

 

Sorry to hear you are running into issues with your Smart Card. As I understand it, it looks like this is a new setup. If not, let me know what has changed (was the OS upgraded?, ...).

 

I would suggest following this KB article. Step #2 has a screenshot showing you what it should look like in the keychain:

KB-1617: Troubleshooting smart card issues on Mac systems: https://centrify.force.com/support/Article/KB-1617-Troubleshooting-smart-card-issues-on-Mac-systems

 

I hope this helps,

 

 

Andrea