
For example, if the UPN on the smart card is the parameter should be configured as adclient.altupns: mysmartcard.local. If the UPN on the smart card is something other than mil, make sure that the adclient.altupns parameter in /etc/ centrifydc/ nf has been configured accordingly. Make sure that the UPN and alternate UPN of the Active Directory account have been configured correctly in Active Directory Users and Computers. If the message Cannot locate NT principal name in AD is displayed for a certificate that can be used for pkinit, make sure the user has been configured correctly in Active Directory Users and Computers. Make sure that the user for the applicable certificate can be found in Active Directory through the user’s principal name, and that the user has been authorized for logging in to the Zone. Ignore any certificate that displays This certificate cannot be used for pkinit, as such certificates are not applicable for system logins. This command lists all the certificates present on the smart card and how their attributes match against Active Directory. Insert the smart card and execute the following command in a terminal window: sctool -D Try each of the following options to see if either allows the PIN prompt to display: To check for this issue, go to System Preferences > Users & Groups > Login Options > Display login window as.
The Mac login window display mode can produce different behaviors with smart card logins, especially between different versions of Mac OS X 10.7.x.
Update to a valid CRL and set CRL checking back to Best Attempt. If the PIN prompt appears when CRL checking is Off, but not when set to Best Attempt, the CRL in the environment has expired. If logins still fail with OCSP disabled, set Certificate Revocation List (CRL) to Off as described in Smart card PIN prompt does not display. Disable OCSP by executing the following command in a terminal window: sudo sctool -r -t ocsp:none -t crl:best -p crl Online Certificate Status Protocol (OCSP) in Mac can cause unexpected behavior in some environments. To do so, log in as the local Administrator and execute the following command in a terminal window: sudo rm -rf /var/db/TokenCache/tokens/* When you are done, return to this procedure if you need to continue to diagnose smart card problems. Ensure that there are no remaining objects from previous smart card insertions by clearing out the smart card token cache. If a PIN prompt does not appear when the smart card is inserted, go to Smart card PIN prompt does not display and perform the procedure described there. If the card is visible in Keychain Access, select Certificates under Category in the Keychain Access window and verify that the certificate trust chains for each certificate are valid all the way up the chains.

If non-default drivers are present, locate them in /System/Library/Security/tokend and use the sudo mv command to remove them.
Log entries for smart card drivers appear similar to the following:
reader SCM SCR inserted token "First.Last.100xxxx" subservice 12 using driver
Check /var/log/system.log to see if non-default (and possibly incompatible) drivers were installed.

Other drivers, such as Gemalto, are incompatible with some cards. Server Suite ships with CAC, CACNG, PIV, and BELPIC drivers by default. If the smart card does not appear in the Keychain window: Ensure that the firmware of the smart card reader has been updated to the latest version. Ensure that no other conflicting smart card drivers have been installed.

The card should appear in the Keychain Access window as another Keychain with its certificates loaded. To do so, open Keychain Access and insert the smart card into the reader.

Two general methods for diagnosing smart card log in problems are provided:
- By performing the diagnostic procedures described in this section.
- By using the sctool utility as described in Using sctool.
