10.5.6 and DoD CAC reader email access

Discussion in 'macOS' started by sUGArDawg, Dec 17, 2008.

  1. sUGArDawg macrumors regular

    sUGArDawg

    Joined:
    Jul 23, 2008
    #1
    I have a SCR3310 smart card reader that worked fine w/ 10.5.5 to check my DoD webmail. But, like alotta stuff, it's not recognizing the card ever since 10.5.6.

    Uh, help?
     
  3. nebmot macrumors newbie

    Joined:
    Sep 5, 2008
    Location:
    San Diego, CA
    #3
    You probably want to join the Federal Apple email list to get this resolved. There are probably not too many people on here that work with CAC cards.

    Be thankful though, mine has not worked since upgrading to 10.5.3.

    Send Fed-talk mailing list submissions to
    fed-talk@lists.apple.com
     
  4. nebmot macrumors newbie

    Joined:
    Sep 5, 2008
    Location:
    San Diego, CA
    #5
    The 1.2 patch has been included in 10.5.6; you don't need to load it.

    You can try to create an identity preference to see if that solves your problem.

    Join the mailing list; you are far from the only one having the problem.
     
  5. shipwright macrumors newbie

    Joined:
    Dec 22, 2008
    #6
    No joy from creating identity preference

    Used the guide to add the certificates, then create the identity prefs; still no luck. Anyone else with 10.5.6 have a solution to make the CAC work?

    Shipwright

     
  6. nebmot macrumors newbie

    Joined:
    Sep 5, 2008
    Location:
    San Diego, CA
    #7
    You're not alone in having this problem...

    http://search.lists.apple.com/?q=cac+10.5.6&cmd=Search!


    Unfortunately, some of the workarounds work for some people but don't for others.

    What type of CAC card do you have? It's on the back, above where the black strip is.

    What type of card reader are you using?
     
  7. shipwright macrumors newbie

    Joined:
    Dec 22, 2008
    #8
    CAC Reader Info

    The back of the card reads GEMALTO GCX4 72K DI

    The card reader is an ActivCard

    Appreciate any help.

    Joe (shipwright)

     
  8. Viper2003 macrumors newbie

    Joined:
    Jan 5, 2009
    #9
    10.5.6 Update

    My CAC reader stopped working after installing 10.5.6 as well. I had to delete the 1.2 patch from 10.5.5 and delete the old ID preference and make a new one. I tried this a few times; the key is to unplug the CAC reader from your Mac and shut down and restart with the reader unplugged. Now it works again!
     
  9. nebmot macrumors newbie

    Joined:
    Sep 5, 2008
    Location:
    San Diego, CA
    #10

    How did you uninstall 10.5.6? How did you remove the 1.2 patch?

    Did you unplug the CAC reader, remove everything, restart, then plug in the reader?

    Or did you recreate the ID preference, then shut down, remove the CAC reader, then restart, and after OS X was back and running you then plugged the reader back in and inserted your CAC?

    I finally got my CAC to sign an email today, so there is progress!
     
  10. AllenPSU macrumors regular

    Joined:
    Feb 24, 2003
    Location:
    USA
    #11
    Root certificates and INTEL MACs

    First, I got this to work on all the INTEL Macs but not the PPCs.

    Second, not sure if you installed the root certificates, but those are needed for this to work. When you are in keychain and you have your CAC Reader attached, make sure the CAC and certificates show up. This will prove that you have a good CAC reader and that it's talking to the OS. Next, check that all your certificates show up as valid; if not, you will need to install the root certificate. To do this, open the certificate and scroll down in the text. There is a METHOD 1 and a METHOD 2 to install the root certificates. It's as simple as clicking the link and then opening the downloaded file.

    Lastly, check that your identities do not have a red x on them; if that's the case, then you don't have the identities set up properly.
     
  11. iBunny macrumors 65816

    Joined:
    Apr 15, 2004
    #12
    I was also wondering if DoD CAC cards worked in OS X at all. It's good to know that it is supported. I just never figured it out, I guess.

    I always used XP in a Virtualized environment to access all my work stuff from home.
     
  12. AllenPSU macrumors regular

    Joined:
    Feb 24, 2003
    Location:
    USA
    #13
    DoD CAC on a MAC

    It was definitely easier with 10.5.3 and got harder ever since. The trick of associating the CAC certificates' URLs using identity preferences is not foolproof, and for some reason doesn't work with the older PPC Macs. I am planning on buying a new laptop and with that I plan to retrograde my PPC to 10.5.3 so I can use CAC easily again.

    Really hoping that Apple will fix this in 10.5.7 but I don't see DoD CAC or even Smart Card as an item being addressed. I keep pinging them with complaints hoping they will address it for us in DoD.
     
  13. urga macrumors newbie

    Joined:
    Apr 23, 2009
    #14
    CAC for Mac 10.5.6

    I'm at my wits' end: I have a MacBook Pro running 10.5.6. I have an SCR331 CAC Reader with firmware 5.25. I have followed the "CAC for Mac v1.2" instructions, manually entering identity preferences for the NMCI OWA website. Still no joy. I've reviewed many of Shawn Geddis' posts on the Apple Fed-Talk posts, but have not found them helpful--more a discussion for developers than troubleshooting user problems.

    I've seen "X509" referred to a number of times. I have no idea what this is, but it seems consistent that those running 10.5.6 don't have it. Is this possibly the problem?

    Any help much appreciated.
     
  14. TDeloney macrumors newbie

    Joined:
    Apr 29, 2009
    #15
    CAC Partial Success

    I have a MacBook Pro running 10.5.6 (and an older MacBook that also used an external drive to devolve to 10.4.11). I also ran WinXP in Parallels 4; I'm using SCR331 and SCR3310 CAC readers, and ActivClient 6.1 for Windows. I had mixed results with web access to various government sites, but no problem digitally signing and encrypting emails in Entourage 2004 and Outlook 2007. I could access (with some unexplained cert chain errors) the Air Force Portal, TriCare Online, and an internal Navy site under Tiger and WinXP with Safari, Firefox 3, and Internet Explorer 7 (WinXP only). I could not access AF Portal or TriCare in Safari under Leopard, or anything under Firefox in Leopard (can't point to CAC device driver.) I could authenticate to the Navy site, however. My Leopard keychain shows the certs loaded and properly authenticated. Under Tiger, there is some validation chain error, even though I've offloaded and reloaded the DoD roots and verified the appropriate versions of supporting certs. The attached file shows my current results.
     
  15. Tfled macrumors newbie

    Joined:
    Jul 15, 2009
    #16
    10.5.7 and CAC

    Installed 10.5.7 and Safari 4.0. CAC reader (SCR 331) reads valid certificates, but NMCI http email does not accept certificate. Tried items suggested in this thread, including deleting ID preference. How do you recreate ID preference? :(
     
  16. pkkrusty macrumors member

    Joined:
    Dec 8, 2002
    Location:
    Italy
    #17
    CAC woes

    I'm in the same boat as a lot of people...I have been trying to make Safari pull the CAC credentials using the identity preference, but no joy. My CAC is recognized, I can see and export the certificates, so I don't think it's a CAC/reader issue. I get the feeling it has something to do with the X509 anchors because even though I can unlock the keychain I can't add anything to it. (On a separate note, I spent 3 hours last night trying to figure out the default password for X509Anchors, which turns out to be "X509Anchors")

    I'm on 10.5.8, Safari 4. I have had it work in the past, but I think I was on 10.4.something. I've cleared the cookies, taken out and re-inserted the CAC, but nothing.

    Any suggestions?
     
  17. pkkrusty macrumors member

    Joined:
    Dec 8, 2002
    Location:
    Italy
    #18
    Right click on the certificate you want to use with the website and choose New Identity Preference.

    I've read that the certificate that NMCI wants is not the normal ID cert but rather the email signing cert...give that a try and see what you get.
     
  18. AllenPSU macrumors regular

    Joined:
    Feb 24, 2003
    Location:
    USA
    #19
    CAC for MAC

    FIRST!!! Apple knowingly created the problem with CAC on MAC (See HT 1679). Please go to APPLE FEEDBACK and tell them you want CAC to work automatically without using the workaround with Identity Preferences. I've been working this issue through Enterprise Services for over two years and have basically been told that there are not enough complaints for them to do anything about this.

    Second, I've gotten CAC to work with NMCI and a few other sites with all versions of MAC OS X from 10.5.3 thru 10.6.2 by using the NMCI procedure of assigning an Identity Preference for their three URLs. On one occasion I had a corrupt Key Chain and had to actually delete it and start over. In all other cases, the three Identity Preferences were all I needed. If you are using NMCI and want the procedure, send me your NMCI email address (privately) and I will send you their PDF procedure from my NMCI account to yours. It is a little long, but there are a lot of screen captures and a big section on updating CAC Readers (which it sounds like you don't need).

    I've noticed one predominant error with folks trying to get this to work... namely they copy the certificates and they work with the images in their Key Chain. This won't work as you need to associate it to the certificate on the CAC. The Certificate you need is the one that has CLO listed as one of the USES in the Certificate notes... typically this is the second certificate on your card. Lastly, if you are still using a PPC Mac, you may have some additional problems. On fewer occasions, people haven't loaded the Root Certificate. When you access Key Chain access, you shouldn't see any red X's with your CAC inserted. All certificates have the link to the Root Certificate in the notes. Note that if you get a new CAC, you may need a new Root Certificate.

    Let me know if you're still having problems after all this as I haven't found a Mac that I couldn't get to work with NMCI. Other sites may be more of an issue as I don't know all the URLs needed to make them work, but let me know which you need and I will work on it.

    Primary - iMAC 24" 2.8GHz Extreme, OS 10.6.2, 4GB RAM, 750GB HD
     
  19. carnellc macrumors newbie

    Joined:
    Dec 19, 2009
    #20
    I'm a Navy Reservist and I haven't been able to access any Navy sites. I have a CAC card reader that has been flashed but still no love. What is a good email for you, Allen? I have a NMCI email but won't have access to it till Jan 9th. (my drill weekend)

    Carnell
     
  20. mgkibben macrumors newbie

    Joined:
    Jan 15, 2010
    #21
    Stymied

    I've made it through to OWA but cannot access nmci.east. All the certificates are loaded - I've added the new identities, even so far as to add *.nmci.navy.mil - but still no luck. All I can seem to generate is "The page cannot be displayed."

    I'm working with MAC OS X 10.5.8. I have an SCR 3310.
     
  21. AllenPSU macrumors regular

    Joined:
    Feb 24, 2003
    Location:
    USA
    #22
    Two recommendations.
    (1) Add all three identity preferences (must be from the CAC and not copies of the certificates in your keychain).
    - https://webmail.nmci.navy.mil
    - https://webmail.east.navy.mil
    - https://webmail.east.navy.mil/exchange
    (2) Consider resetting your keychain from Keychain Access (in preferences)

    Let me know if you still have problems.
     
  22. paddlefu macrumors newbie

    Joined:
    Jan 29, 2010
    #23
    New CAC on MAC

    I recently got a new CAC as my previous was about to expire. I'm using 10.6.2 and everything was working great with my old CAC utilizing the ID pref workaround (could access webmail, Navy websites, etc). New CAC will recognize in Keychain Access (can see the CAC ID #) but it displays no certificates at all. I've tried two different readers now, both of which have been flashed and have version 5.22 on them, but the certificates don't show up at all. I can unlock it with my PIN, but there's nothing for me to modify at that point. Has anyone else seen this problem with new CACs and/or heard of a solution for it? Thanks
     
  23. AllenPSU macrumors regular

    Joined:
    Feb 24, 2003
    Location:
    USA
    #24
    You need to associate your new certificates to the URLs in Key Chain Access. You may also need a new root certificate as your new CAC may have been created through a different site.
     
  24. paddlefu macrumors newbie

    Joined:
    Jan 29, 2010
    #25
    Right now I have no certificates to which I can associate a URL. When I access my CAC in Keychain Access, there is simply nothing under the CAC - the reader recognizes the CAC, but sees no certificates of any kind.

    So I'm guessing the new root certificate is probably the solution. My new CAC has the CA-24 on it, so would I need to delete the current root CAs (DOD Root CA 2 and DoD Class 3 Root CA) and get them from a website or something, or am I way off? i.e. if my reader isn't seeing any certificates, is my problem far bigger? Thanks again for the help
     
