Centrify Identity Service

Question:
What troubleshooting steps can be performed if smart card logins are not working on a Mac?

Answer:
- The very first thing to do is to ensure that the Mac is able to recognise the smart card:
  - Open Keychain Access and insert the smart card into the reader.
  - The card should appear in the window as another Keychain with its certificates loaded.
  - If the smart card does NOT appear in Keychain Access, make sure the firmware of the smart card reader itself has been updated to the latest version. See the following link for more information:
  - Make sure that no other conflicting drivers have been installed on the system; see the following links to check for other drivers:
- Once the card is visible in Keychain Access, make sure the certificate trust chain for each certificate is valid all the way up the chain:
- If there is no PIN prompt appearing when the smart card is inserted, see the following KB:
- Make sure there are no leftover objects from previous smart card insertions by clearing out the smart card token cache. Log in as Local Admin, open the Terminal and run:
  - sudo rm -rf /var/db/TokenCache/tokens/*
- OCSP in OS X has been known to cause unexpected behaviour in some environments. Try disabling it by running:
  - sudo sctool -r -t ocsp:none -t crl:best -p crl
- If logins are still failing with OCSP disabled, try switching off CRL checking as well:
  - sudo sctool -r -t ocsp:none -t crl:none
- It has been noticed that the OS X login window display mode can produce different behaviours with smart card logins (this is especially evident between different versions of OS X 10.7.x).
  - Go to System Preferences > Users & Groups > Login Options > "Display login window as:"
  - Try both options to see whether the PIN prompt appears with either of these settings:
    - List of users
    - Name and password
  - (Note that this is an OS X quirk which seems to have been rectified in version 10.8.)
- Insert the card and run the following Terminal command:
  - sctool -D
  - This command lists all the certificates present on the smart card and how their attributes match up against Active Directory:
    - Ignore any certificate that says "This certificate cannot be used for pkinit", as these are not applicable for system logins.
    - Make sure that the user for the applicable certificate can be found in AD via their user principal name and that they have been authorised for login in the Zone.
    - If the message "Cannot locate NT principal name in AD" is seen for a certificate which can be used for pkinit, then make sure the user has been configured correctly in ADUC.
- Check that the UPN and alternate UPN of the AD account have been configured correctly:
  - If the UPN on the smart card is something other than "mil", then make sure the "adclient.altupns" parameter in /etc/centrifydc/centrifydc.conf has been configured accordingly.
  - For example, if the UPN on the smart card is "email@example.com", then the parameter should be configured as:
    - adclient.altupns: mysmartcard.local
  - This parameter can also be pushed via the following GP:
    - Computer Configuration / Centrify Settings / DirectControl Settings / "Add centrifydc.conf properties"
  - The "User logon name" needs to match the NT Principal Name on the card:
- If the above steps have been verified and smart card logins are still failing, then it may be a compatibility issue between the smart card and OS X itself. Apple has been improving smart card support with each version of the OS, so it is recommended to update to the latest version whenever possible.
  - Please see the following Security Notes from Apple detailing the smart card compatibility fixes as of OS X 10.9 Mavericks:
    - http://support.apple.com/kb/HT6011 (Security - Smart Card Services)
- If the steps have been verified, OS X has been updated and the issue still cannot be resolved, please contact Centrify Support and provide the following information:
  - The smart card type (PIV / CAC / CACNG / etc.) with make and model.
  - A screenshot of the smart card and its certificates in Keychain Access.
  - While logged in as Local Admin, run the commands:
    - sctool -D > /tmp/sctool_D.log
    - adquery user -A username_of_smartcard_user > /tmp/adquery.log
    - For Centrify DirectControl 5.2.4 and below: sudo ls -l /System/Library/Security/tokend/ > /tmp/tokendfolder.log
    - For Centrify DirectControl 5.3.0 and above: sudo ls -l /Library/Security/tokend/ > /tmp/tokendfolder.log
    - sudo adinfo -t
  - Send in the smart card information, the screenshot, and the following files:
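As an added example (not part of this KB or Centrify's own tooling), a POSIX shell script that gathers the support logs listed above in one run. It assumes sctool, adquery and adinfo are on PATH, that it is run as Local Admin with the card inserted, and that the smart card user's name is passed in a variable named SMARTCARD_USER (a name chosen here); it picks the tokend folder by which one exists on disk rather than by DirectControl version, and also saves the adinfo -t output to a log file.

```shell
#!/bin/sh
# Added helper (not Centrify tooling): collects the support bundle the KB
# asks for. Run as Local Admin with the card inserted; OUT is assumed.
OUT="${OUT:-/tmp/smartcard-diag}"

# Choose the tokend folder by what is actually installed rather than by
# version: DirectControl 5.3.0+ uses /Library/Security/tokend, 5.2.4 and
# below /System/Library/Security/tokend. $1 is an optional root prefix
# (used for testing); returns 1 when neither folder exists.
tokend_dir() {
    root="${1:-}"
    if [ -d "$root/Library/Security/tokend" ]; then
        printf '%s\n' "$root/Library/Security/tokend"
    elif [ -d "$root/System/Library/Security/tokend" ]; then
        printf '%s\n' "$root/System/Library/Security/tokend"
    else
        return 1
    fi
}

# Run a tool if it is installed, keeping stdout and stderr together so a
# failing tool still leaves a log that says why it failed.
capture() {
    log="$OUT/$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$log" 2>&1 || printf 'exit status %s\n' "$?" >>"$log"
    else
        printf '%s not installed\n' "$1" >"$log"
    fi
}

collect() {
    mkdir -p "$OUT"
    capture sctool_D.log sctool -D
    capture adquery.log adquery user -A "$1"
    capture adinfo.log sudo adinfo -t
    if dir=$(tokend_dir); then
        sudo ls -l "$dir" >"$OUT/tokendfolder.log" 2>&1
    else
        echo "no tokend folder found" >"$OUT/tokendfolder.log"
    fi
    echo "logs written to $OUT"
}

# Only collect when a user is given, so the functions can be sourced or tested.
if [ -n "${SMARTCARD_USER:-}" ]; then
    collect "$SMARTCARD_USER"
fi
```

Run it as `SMARTCARD_USER=jdoe sh collect-smartcard-diag.sh` and attach the contents of the output folder alongside the card details and screenshot.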
For a summary of the available sctool commands, please see the following KB: