Applies to: All versions of Centrify DirectControl on Mac OS X.
Question: When inserting a smart card at a Mac login screen, no PIN prompt is shown.
Smart Card support has been enabled via the Centrify Smart Card Assistant and the smart card certificates appear in Keychain Access and are all fully trusted.
What else can be done to troubleshoot this?
Answer: It was discovered that from OS X 10.7 onwards, OS X no longer ships with the configuration file that holds the system-wide certificate revocation settings.
The login window behaviour when a smart card is inserted depends on this file, so when the file is missing no PIN prompt is shown. The Smart Card Assistant GUI shows all settings as "Off" when this file is missing, which may not be the actual state of the configuration.
To check if the file is present, open the Terminal and run the following command:
sudo defaults read /Library/Preferences/com.apple.security.revocation
If there is no configuration file present, the following message will be shown:
Domain com.apple.security.revocation.plist does not exist
The file can be automatically generated by either manually applying a change via the Smart Card Assistant GUI, or via the following Terminal command:
sudo sctool -r -t ocsp:none -t crl:best -p crl
After a change is made, running the sudo defaults read... command again should now generate a result:
sudo defaults read /Library/Preferences/com.apple.security.revocation
{
CRLStyle = BestAttempt;
CRLSufficientPerCert = 1;
OCSPStyle = None;
OCSPSufficientPerCert = 1;
Revocation = CRL;
}
Note:
- If the PIN prompt still does not show, try turning CRL checking to "Off" from the Smart Card Assistant GUI, or via the following Terminal command, and then test again:
  sudo sctool -r -t ocsp:none -t crl:none -p crl
- If the PIN shows when the CRL is "Off", but not when set to "Best Attempt", then it means that the CRL in the environment has expired.
- This differs from Windows behaviour, where the smart card is still accepted even if the CRL has expired.
- Updating the CRL should allow the smart card to get accepted on the Mac when the setting is back to "Best Attempt".
- It is currently recommended to keep the OCSP setting to "Off" as any other setting can cause the PIN to not be shown again.
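The following shell script is an added example and is not part of the Centrify article: it parses the output of the sudo defaults read command shown above and classifies it into the states the article describes (file missing, the working CRL "Best Attempt"/OCSP "Off" configuration, CRL "Off", OCSP enabled). The function names, the --live flag and the embedded sample dump are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Centrify article: parse the output of
#   sudo defaults read /Library/Preferences/com.apple.security.revocation
# and classify it against the states the article describes.
# revocation_value KEY TEXT: print KEY's value from a defaults(1) dump,
# e.g. "BestAttempt" from a line "    CRLStyle = BestAttempt;".
revocation_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1 = \(.*\);\$/\1/p"
}

# check_revocation TEXT: print one word describing the configuration.
#   MISSING  plist absent (the "does not exist" case: no PIN prompt)
#   OK       Revocation = CRL, CRLStyle = BestAttempt, OCSPStyle = None
#   OCSP_ON  OCSP enabled; the article recommends keeping it "Off"
#   CRL_OFF  CRLStyle = None, the troubleshooting fallback from the notes
#   OTHER    any other combination
check_revocation() {
    case "$1" in
        *"does not exist"*) echo MISSING; return 0 ;;
    esac
    crl=$(revocation_value CRLStyle "$1")
    ocsp=$(revocation_value OCSPStyle "$1")
    rev=$(revocation_value Revocation "$1")
    if [ "$ocsp" != "None" ]; then
        echo OCSP_ON
    elif [ "$crl" = "BestAttempt" ] && [ "$rev" = "CRL" ]; then
        echo OK
    elif [ "$crl" = "None" ]; then
        echo CRL_OFF
    else
        echo OTHER
    fi
}

# Constructed sample: the dump the article shows after running sctool.
SAMPLE_WORKING='{
    CRLStyle = BestAttempt;
    CRLSufficientPerCert = 1;
    OCSPStyle = None;
    OCSPSufficientPerCert = 1;
    Revocation = CRL;
}'
# On a Mac, run with --live to check the real file; otherwise classify the sample.
if [ "${1:-}" = "--live" ]; then
    check_revocation "$(sudo defaults read /Library/Preferences/com.apple.security.revocation 2>&1)"
else
    check_revocation "$SAMPLE_WORKING"
fi
```

Without --live the script prints OK for the embedded sample; with --live on a Mac it reports the state of the real revocation plist.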
Note: Smart card login on macOS 10.15 and newer is not supported by Centrify.