Looking for some help here guys - called Apple Tech Support, but they were not familiar with what I was trying to do, nor were they knowledgeable on a DOD CAC card.

Trying to access NMCI webmail - as I said in an earlier post - I have a working CAC reader, can go into my Keychain Access and see my CAC Card and the three certs on it. They are all red though and it says they are from an unverified source. When I try to go to NMCI OWA I get an error that says I need valid certs to access the site.

I think I am almost there - just need some help getting my browser to work on NMCI OWA.

Any suggestions / assistance would be appreciated.

r/
DL
 
I have found numerous instruction sheets from various sources and none have worked for me. Got real bold last night and jacked my Keychains all up - rebuilt my machine and am giving up until I can find someone who has actually done this and can provide step by step instructions. It seems that this post contains a lot of "do this" "try this" "I did this, but can't remember how" and blah blah blah...

Bottom line - if anyone here has made this work - post some instructions that are clear - that is what a number of folks (to include me) are looking for - I know I would appreciate it.

r/
DL
 
Trying to access NMCI webmail - as I said in an earlier post - I have a working CAC reader, can go into my Keychain Access and see my CAC Card and the three certs on it. They are all red though and it says they are from an unverified source.

If your certs are red then there is a problem. Nothing gonna work from there. Period. Does the CAC work in another verified working machine??? I'd say NO. Sounds to me like you locked out your pin on your card at some point...ever try to use the pin and put it in wrong 3 times?

It seems that this post contains a lot of "do this" "try this" "I did this, but can't remember how" and blah blah blah...

Bottom line - if anyone here has made this work - post some instructions that are clear - that is what a number of folks (to include me) are looking for - I know I would appreciate it.

Blah blah blah... that's called people discussing what worked for them...
0. Make sure computer is booted and you are logged in.
1. Stick the card reader in the USB slot on computer.
2. Put the CAC in the reader. Chip/picture side up.
3. Download DoD certificates to desktop. Open them and they are imported to keychains magically by double clicking and telling keychains to import.
4. Go to .mil site with SAFARI that requires CAC, popup window enter PIN.

That is it.

You know you want help, but don't even mention your type of smartcard reader, OS version you are running or anything.
 
JollyRogers - you are right - just a post out of frustration really - not an indictment on anyone in the forum. Here is what I have:

- MacBook Air - OS version 10.5.4
- Litronic 215 CAC Reader
- When I plug my reader into my MAC it works - how do I know this? I go into Keychain Access and in the Keychains portion (top left) I see my CAC card. I can click "unlock" - get prompted for my password and after entering my CAC password, my certs are visible. Additional verification it works - the Marine Corps has its award page, and a few other pages CAC enabled - when I navigate to the awards page, for example, I am prompted to select the correct cert on my CAC - when I do, it logs me into the site.
- When I attempt to access NMCI mail I immediately get "The page requires a client certificate for your session to begin in Outlook Web Access, see Technical Information listed below."
- I guess the part I am having issues with is importing the DoD root certs to my machine. The Army has a good information sheet at the following url:
http://www.army.mil/AKO/email/mac.html
My issue with this set of instructions is that I do not have the "X509Certificates" keychain listed under /System/Library/Keychains - I do have the "X509Anchors" keychain listed, however.

That is about as detailed as I can be unless you may need further information to possibly assist me in resolving this issue. This is my first Apple computer to own since the early 80's when my family had an Apple II Plus and I love this MacBook Air - it does everything I need right now with the exception of checking my NMCI webmail. Any assistance you could provide would be greatly appreciated.

r/
DL
 

I posted the workaround that worked for me on an Apple forum today, and at least one guy followed up and confirmed it worked for him also. I cut and pasted the info below. Note that I did NOT try and find/install the old X509 certificates.

-----
Got Safari working with NMCI webmail (Exchange server) and my CAC. Thanks to Shawn at Apple Enterprise Div. for his post in the Fed-Talk List.

Okay, here's what worked for me. Assuming your card reader works (certs appear in Keychain) - you have to create a preference for -all three- of the certificates that appear in Keychain with your card inserted.

1. Open Keychain (Applications\Utilities\Keychain Access)

2. Locate and select the CAC keychain associated with your card in left column of the Keychain window. Mine appears as "CAC-xxxx-xxxx-xxxx-xxxx".

3. Observe that when you selected that keychain, all the certificates and keys on your card are listed on the right side of the Keychain window. There are 3 certificates, one each for ID, Email Signing, and Email Encryption.

4. Right-click on the first certificate and select "New Identity Preference" from the popup list.

5. In the resulting dialog box, enter the url of your server (i.e., "https://webmail.xxx.mil"), and click the Add button.

6. Repeat step 5 for the remaining two certificates on your CAC keychain, using the same URL.

After I created preferences for all three certs (I previously had only done it for the ID cert, without success), I was able to use Safari and access my mail server like before in Leopard 10.5.2.

This is what I did - hope it works for you.
 
I tried your instructions with no joy. I can certainly see my CAC and my certs - but they appear with a red x and "This certificate was signed by an unknown authority" - it seems that I am still missing something?

r/
DL
 

Sorry, I'm not sure what to tell you - the cert from my card's keychain appear as checked and "This certificate is valid". The only other thing I did was import two "intermediate certificate authority" certs into my System keychain. Double click on one of your CAC's certs and in the resulting window, scroll down and you'll see hyperlinks where you can get these.

Other than that, I recommend taking a look at these two other forum threads, maybe I forgot something else:

http://lists.apple.com/archives/fed-talk/2008/Jun/msg00089.html

http://discussions.apple.com/thread.jspa?messageID=7500626
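
The "signed by an unknown authority" state discussed in this thread, reproduced as an added example that is not part of any post: a throwaway root CA, intermediate CA and end-entity certificate show that the end-entity cert is rejected when only the root is trusted and accepted once the intermediate is added to the trusted set. It assumes the `openssl` command-line tool; every name and file in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI; every name and file here is made up.

# Build root CA -> intermediate CA -> end-entity certificate in directory $1.
make_demo_pki() {
    d=$1
    # Extensions that mark a certificate as a CA.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root, intermediate signed by root, leaf signed by intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" \
        2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# chain_status TRUSTED_PEM CERT_PEM -> prints "valid" or "untrusted".
chain_status() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo valid
    else
        echo untrusted
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    # Trusted set with the intermediate added, like importing it into a keychain.
    cat "$d/root.pem" "$d/int.pem" > "$d/root_and_int.pem"
    echo "root only:           $(chain_status "$d/root.pem" "$d/leaf.pem")"
    echo "root + intermediate: $(chain_status "$d/root_and_int.pem" "$d/leaf.pem")"
    rm -rf "$d"
}
demo
```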
 
Well - I feel like I have made some progress - I imported the root certs and put them in my keychain under "system". Then I assigned preferences to the certs on my CAC and navigated to https://webmail.nmci.usmc.mil/exchange - I was prompted to select the appropriate cert from my CAC and was then directed to the OWA log on page. I entered my domain/username and password - at this point I got a dead page. The interesting thing about the page is that it is a double paned page - both with the same information:
The page requires a client certificate for your session to begin in Outlook Web Access, see Technical Information listed below.

The page you are trying to view requires the use of a client certificate.
Please try the following:

Click the Refresh button to try again, if you have installed your client certificate.
If you believe you should be able to view this directory or page, please contact the Web site administrator by using the e-mail address or phone number listed on the webmail.nmci.usmc.mil home page.
HTTP 403.7 - Forbidden: Client certificate required
Internet Information Services

Technical Information (for support personnel)

Background:
This error occurs when the resource you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the server recognizes.
USMC Additional Information:
Outlook Web Access requires that you have a CA-7 client certificate installed. Contact your local DISA representative for instructions in acquiring a certificate. When this is done the certificate must be installed and access to this site should then be attempted.
More information:
Microsoft Support

Any ideas anyone? I appreciate the continued assistance.

r/
DL
 
I'm In!!!

I finally got in - I thought (after all of the steps I did - thanks to gdieter) - that I needed to clear the cookies in my browser. I was clearing the history thinking that in Safari that did both. I googled "clearing cookies in safari" and found out that I was NOT clearing the cookies by just clearing the history - which I suspected was the case, but wasn't sure as this is all new to me. Anyways - once I cleared the cookies, closed and re-opened Safari, I was able to log in.

Thanks for all of the assistance folks - especially gdieter.

r/
DL
 

Cool. Congrats on your success - I thought Macs were supposed to be easy? Hah. I credit Shawn at Apple for all the info he consolidated in one of his posts.

Anyway, it's a workaround for now. I find that even though I can get into email, the server times me out very quickly and I have to Quit Safari and restart (I tried a Reset and it wasn't enough). This was not the case in 10.5.2. Note that when I use the CAC reader in a virtual XP machine under VMware Fusion, my connectivity with the Exchange server stays on pretty much until I log out - could be an hour of inactivity. I never lost functionality of the CAC under VMware, but it was the principle of the matter - why should I have to run (virtual) Windows XP to get my email? Hope we get a real fix soon.
 
I am very excited that I found this thread and will try this as soon as I get home!

I want to thank all of the people who were gracious and considerate enough to share their knowledge. My smart card reader has been sitting unused for two years because I gave up on trying to get it to work!

With AKO now requiring a CAC to reset my password, this has once again become an important issue for me. I only wish that DOD would offer some solid and accessible support for us Mac users and for getting the security measures set up appropriately.

Thanks again!

Ted
 
Don't be dense. You never have to reboot for installing USB devices on Windows. They've always been p&p.

--Erwin
Having your computer go into a seizure while "discovering a new device" is hardly what I call "plug & play." It's more like "plug it in, wait a little bit, hope it works" kind of thing. I've NEVER seen true "plug & play" on Windows that works anything like on my Mac. On my Mac things just pop up on the desktop and usually within seconds.
 

If your computer goes into a seizure when installing new hardware, you blame the OS? Did it ever occur to you it might be the freaking hardware? :rolleyes:

That's the problem with PCs, you have lots of hardware that you can throw together in one machine. If you don't look at what you're buying (except the cheapest price tag), you might indeed encounter conflicts. Buy quality components, read the hardware reviews, or don't install your own components and go for an Apple. It's that simple.

--Erwin
 
In hopes people still watch this thread....

So I followed most of the steps. I flashed my CAC card reader (ActivCard reader) to the new firmware and it shows up fine on the Windows side; I can get into the appropriate .mil sites with the authentication and all, but I can't seem to get the device to show up on the Mac side. It doesn't show anything under Keychain; under System Profiler it does show as a SCRx31 USB smart card reader just fine. Any ideas?

Help is much appreciated.
 
I found that the activcard reader works on an older release (I'm running the fully patched mac osx 10.5, the old one is 10.4.13 I think...) so did it just recently break under mac?
 
I am still using mine (activcard flashed as SCR331) for work on a daily basis. I have to associate the root url with my pki cert on my cac for it to ask for my pin though.

I have noticed that obtaining the DoD certificates is not "easy" to do now. I guess they are no longer posted for general download unless you have a working CAC or someone to give them to you. I can guess why though :rolleyes:

Maybe this works?
- the cert from my card's keychain appear as checked and "This certificate is valid". The only other thing I did was import two "intermediate certificate authority" certs into my System keychain. Double click on one of your CAC's certs and in the resulting window, scroll down and you'll see hyperlinks where you can get these.
 
Does your CAC reader show automatically under Keychain though? Mine's not even showing up under Keychain so I have no idea how to get to the certs otherwise. I tried on an older Tiger install (another MacBook floating around at work) and it showed up fine, which made me think it was just an Apple update that broke it. Is there something I need to do to get it to show up in 10.5?

And it's an ActivCard flashed to the SRC or w/e the instructions said, same as you it sounds.
 
Yes, mine shows up automatically under 10.5.5. Which version of 10.5 are you running??? Sounds like same activcard usb card reader flashed to a SRCX31...

What happens when you run 'sudo pcsctool' from the terminal with the CAC reader inserted?
 
I can confirm that a USB Activcard CAC/smartcard reader will work as I just set one up 3 days ago on my MacBook at work for DoD use. If it'll work with the MB, it will work with a MP. BTW, I did need a Windows box to update the firmware on the card reader, but it was very simple. The MB just recognized it and I started using it.

!!!!

Doh. I just started working for the Army (civilian) and was required to get a Windows (read: Dell) laptop because they don't support Macs. I had assumed it was due to reading the CAC card. So all the required security software/CAC reader stuff is available for a Mac? If you could point me to this stuff, I'll bookmark it for when this computer bites the dust.

Out of curiosity, are you straight DoD or military?

*EDIT* Well, I am an engineer so maybe you can give me a pass for not reading the rest of the thread which responds to my question! LOL Nice to see a bunch of DoD/Army civies using Macs :)
 
4 options show up, commonaccesscard.bundle, etc

still not showing up under keychain though

gonna try flashing it to the newer firmware (.25)
 

I am retired Navy (E-9) and now am a DoD contractor. Son is Army, does that count :D
 