KB-2466: No PIN prompt when using Smart Card

Centrify Identity Service, Mac Edition

12 April 2016 at 11:11 AM

Applies to: All versions of Centrify DirectControl on Mac OS X.


Question:

When inserting a smart card at a Mac login screen, no PIN prompt is shown.

Smart Card support has been enabled via the Centrify Smart Card Assistant and the smart card certificates appear in Keychain Access and are all fully trusted.

What else can be done to troubleshoot this?


Answer:

From OS X 10.7 onwards, OS X no longer ships with the configuration file that holds the system-wide certificate revocation settings (/Library/Preferences/com.apple.security.revocation.plist).

The login window's behaviour when a smart card is inserted depends on this file, so while the file is missing no PIN prompt is shown. The Smart Card Assistant GUI shows every setting as "Off" when this file is missing, which may not reflect the actual state of the configuration.

To check if the file is present, open the Terminal and run the following command:

sudo defaults read /Library/Preferences/com.apple.security.revocation 

If there is no configuration file present, the following message will be shown: 

Domain com.apple.security.revocation.plist does not exist 


The file can be automatically generated by either manually applying a change via the Smart Card Assistant GUI, or via the following Terminal command:

sudo sctool -r -t ocsp:none -t crl:best -p crl

After a change is made, running the sudo defaults read... command again should now return the settings:

sudo defaults read /Library/Preferences/com.apple.security.revocation
{
CRLStyle = BestAttempt;
CRLSufficientPerCert = 1;
OCSPStyle = None;
OCSPSufficientPerCert = 1;
Revocation = CRL;
}


Note:
  • If the PIN prompt still does not show, turn CRL checking to "Off" from the Smart Card Assistant GUI, or via the Terminal, and then test again:
    • sudo sctool -r -t ocsp:none -t crl:none -p crl
  • If the PIN prompt shows when CRL checking is "Off" but not when it is set to "Best Attempt", the CRL in the environment has expired.
    • This differs from Windows behaviour, where the smart card is still accepted even if the CRL has expired.
    • Updating the CRL should allow the smart card to be accepted on the Mac once the setting is back to "Best Attempt".
  • It is currently recommended to keep the OCSP setting at "Off", as any other setting can cause the PIN prompt to stop appearing again.
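The check-and-fix flow above, as an added example rather than Centrify's own tooling: a small POSIX shell script that reads the revocation domain, classifies its state from the `defaults read` output, and prints the sctool command this article recommends next. The `defaults` and `sctool` binaries only exist on a Mac with Centrify installed, so they are called only when the script is run with `--live`; the two sample outputs are constructed to match the messages shown above, and the `next_step` decision table is this example's own encoding of the article's notes.

```shell
#!/bin/sh
# Added example (not Centrify code): map the state of the revocation plist
# to the next troubleshooting step described in KB-2466.

REVOCATION_DOMAIN=/Library/Preferences/com.apple.security.revocation
GENERATE_CMD="sudo sctool -r -t ocsp:none -t crl:best -p crl"

# Constructed sample outputs, shaped like the ones quoted in the article.
SAMPLE_MISSING='Domain com.apple.security.revocation.plist does not exist'
SAMPLE_PRESENT='{
    CRLStyle = BestAttempt;
    CRLSufficientPerCert = 1;
    OCSPStyle = None;
    OCSPSufficientPerCert = 1;
    Revocation = CRL;
}'

# Print the current settings, or the "does not exist" error (stderr merged in).
read_revocation() {
    sudo defaults read "$REVOCATION_DOMAIN" 2>&1 || true
}

# classify_revocation OUTPUT
# Prints "missing" when the plist is absent, otherwise "crl=<CRLStyle> ocsp=<OCSPStyle>".
classify_revocation() {
    case "$1" in
        *"does not exist"*) echo missing; return 0 ;;
    esac
    crl=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*CRLStyle = \([A-Za-z]*\);.*/\1/p')
    ocsp=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*OCSPStyle = \([A-Za-z]*\);.*/\1/p')
    echo "crl=${crl:-unknown} ocsp=${ocsp:-unknown}"
}

# next_step CLASSIFICATION PIN_SHOWN(yes|no)
# Encodes the article's flow: generate the file if missing, keep OCSP off,
# test with CRL off when the PIN still fails, refresh the CRL if that helps.
next_step() {
    state=$1; pin=$2
    if [ "$state" = missing ]; then
        echo "$GENERATE_CMD"; return 0
    fi
    crl=${state#crl=}; crl=${crl%% *}
    ocsp=${state##*ocsp=}
    if [ "$ocsp" != None ]; then
        # Any OCSP setting other than Off can suppress the PIN prompt.
        echo "$GENERATE_CMD"; return 0
    fi
    case "$crl/$pin" in
        BestAttempt/yes) echo ok ;;
        BestAttempt/no)  echo "sudo sctool -r -t ocsp:none -t crl:none -p crl" ;;
        None/yes)        echo "CRL expired: refresh the CRL, then run: $GENERATE_CMD" ;;
        None/no)         echo "PIN missing even with CRL off; not covered by this article" ;;
        *)               echo "unrecognised CRLStyle '$crl'; check the Smart Card Assistant GUI" ;;
    esac
}

# Live run on a Mac: ./revocation-check.sh --live [yes|no]  (was the PIN shown?)
main() {
    out=$(read_revocation)
    state=$(classify_revocation "$out")
    echo "state: $state"
    echo "next:  $(next_step "$state" "${1:-no}")"
}
if [ "${1:-}" = --live ]; then main "${2:-no}"; fi
```

Run it once before and once after applying a setting; the second run should report crl=BestAttempt ocsp=None rather than missing, which is the quickest way to confirm the plist was actually written.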
