macOS 10.13.4 broke Centrify Express for Smart Card
04-10-2018 02:56 PM
We upgraded systems from macOS 10.13.3 to 10.13.4, and now are having issues with two applications accessing our smartcard. Everything was working fine under 10.13.3 with Express for Smart Card 5.4.2.
Following the upgrade one of the applications (a Kerberized ssh client) sometimes sees the smartcard and works after a reboot. But, if the smartcard is removed and reinserted, the application then cannot see it. The second application (current Cisco Anyconnect VPN client) never appears to recognize the card. I tried completely uninstalling (following the directions in the forum) Express for Smart Card, and then reinstalling it, but we are still having the issue.
On a side note, applications like Safari, which use Apple's built-in smartcard support, are working fine with the smartcard. Any help is appreciated.
04-11-2018 05:51 AM
I forgot to say the smartcard does appear in Keychain Access, but it cannot be unlocked. Clicking the lock prompts for the PIN, but entering it does not unlock the smartcard keychain.
04-11-2018 06:02 AM
Ok, I just found a partial solution. I disabled the Apple smartcard support with
sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken
and the applications now see the smartcard, and I was able to unlock it in Keychain Access. Unfortunately, that disables smartcard login on the Mac, which is something we do use.
04-12-2018 01:35 AM
Welcome to Centrify Community!
Could you help provide us with the diagnostic log from Centrify Smart Card Assistant?
1. Open up Smart Card Assistant
2. Go to Diagnostics
3. Click "Run"; it will require you to input the PIN
4. Once finished running, please click "Save to Desktop" to save the diagnostic
Please upload the file or paste the diagnostics to this post. Thanks!
04-13-2018 07:49 AM
Unfortunately the diagnostic doesn't appear to run completely. When I click Run, the smartcard reader flashes once or twice and this is the only output I get:
Smart card: CAC-1353-5761-6353-9053-1753
A little activity wheel graphic shows up for a few seconds at the bottom of the window but only animates for a fraction of a second.
04-20-2018 12:29 PM
I'm having trouble using my smart card to log into a Citrix server. Nothing on my machine has changed since the last time I was able to get into that same Citrix server other than upgrading to macOS 10.13.4 on 10-April.
Is macOS 10.13.4 breaking Centrify Express a confirmed issue?
04-23-2018 11:51 AM
I confirmed this afternoon that my Citrix issues are definitely related to 10.13.4 being angry at Centrify Express for some reason.
In short, my Citrix sessions freeze at login until I remove and reinsert the smart card (the long version is posted in Citrix's Forums).
I'm certain it's caused by the macOS 10.13.4 upgrade as last month the smart card's keychain entry used to be called "<lastname>.<firstname>.<id_number>" but now it just says "CACNG-<guid>".
@IChan Is this a known issue?
04-23-2018 06:27 PM
Welcome to Centrify Community!
So far, we have not heard from many other customers who are having the same issue.
However, I will try to reproduce the issue on my 10.13.4 and see if that's the case.
If needed, we will have the Engineering team get involved and investigate. I will keep you posted with any update ASAP. Thank you!
05-02-2018 08:52 PM
Latest update on the smartcard issue: our Engineering team is able to reproduce the issue on 10.13.4.
We are currently investigating the issue and will make sure to provide you an update on this ASAP.
Sorry about the inconvenience.
05-08-2018 03:10 AM
As our Engineer has investigated the issue, we have found that running the following commands in Terminal seems to be able to resolve the issue:
sudo mkdir /Library/Security/tokend/tmp
sudo mv /Library/Security/tokend/CAC.tokend /Library/Security/tokend/tmp
We believe 10.13.4 does something weird with either the scoring of the cards or the reading of the cards, because sometimes it would work correctly (read as CACNG or PIV) but usually it would read incorrectly (as CAC).
Therefore, please give the commands above a try and see if they are able to resolve the issue afterward.
Hope it helps. Thank you!
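A reversible form of the workaround in the last post, as an added example that is not part of the thread or Centrify's own tooling: it moves CAC.tokend aside only when it is in the expected place, and can move it back. The TOKEND_DIR override, the function names and the park/restore/state arguments are assumptions made for illustration; the default path is the one given in the post.

```shell
#!/bin/sh
# Added example: reversible version of the CAC.tokend workaround.
# TOKEND_DIR is an assumed override so the functions can be tried on a
# scratch directory; the default is the path from the post.
# On a real system, run as root (e.g. via sudo).
TOKEND_DIR="${TOKEND_DIR:-/Library/Security/tokend}"

# Report where CAC.tokend currently is: active, parked, both or missing.
tokend_state() {
    if [ -e "$TOKEND_DIR/CAC.tokend" ] && [ -e "$TOKEND_DIR/tmp/CAC.tokend" ]; then
        echo both
    elif [ -e "$TOKEND_DIR/CAC.tokend" ]; then
        echo active
    elif [ -e "$TOKEND_DIR/tmp/CAC.tokend" ]; then
        echo parked
    else
        echo missing
    fi
}

# Apply the workaround: move CAC.tokend into tmp/. Safe to run twice.
park_cac_tokend() {
    case "$(tokend_state)" in
        active) mkdir -p "$TOKEND_DIR/tmp" &&
                mv "$TOKEND_DIR/CAC.tokend" "$TOKEND_DIR/tmp/" ;;
        parked) return 0 ;;
        *)      echo "unexpected state: $(tokend_state)" >&2; return 1 ;;
    esac
}

# Undo the workaround: move CAC.tokend back to its original location.
restore_cac_tokend() {
    case "$(tokend_state)" in
        parked) mv "$TOKEND_DIR/tmp/CAC.tokend" "$TOKEND_DIR/" ;;
        active) return 0 ;;
        *)      echo "unexpected state: $(tokend_state)" >&2; return 1 ;;
    esac
}

# Optional command-line use: script.sh park | restore | state
case "${1:-}" in
    park)    park_cac_tokend ;;
    restore) restore_cac_tokend ;;
    state)   tokend_state ;;
esac
```

A state of "both" or "missing" makes either function refuse to act, so a half-applied or already-cleaned-up system is left untouched for manual inspection.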