
KB-3018: Troubleshooting smart card issues on Mac systems

Centrify Identity Service, Mac Edition

4 April 2017 at 06:39 PM

Applies to: Centrify Identity Service



Question:

What troubleshooting steps can be performed if smart card logins are not working on a Mac?



Answer:
  1. The very first thing to do is to ensure that the Mac is able to recognise the smart card: 
  2. Once the card is visible in Keychain Access, make sure the trust chain for each certificate is valid all the way up to the root:
  3. If there is no PIN prompt appearing when the smart card is inserted, see the following KB:
  4. Make sure there are no leftover objects from previous smart card insertions by clearing out the smart card token cache. Login as Local Admin, open the Terminal and run:
    • sudo rm -rf /var/db/TokenCache/tokens/* 
  5. OCSP in OS X has been known to cause unexpected behaviour in some environments. Try disabling it by running:
    • sudo sctool -r -t ocsp:none -t crl:best -p crl
  6. If logins are still failing with OCSP disabled, try switching off the CRL as well:
  7. It has been noticed that the OS X login window display mode can produce different behaviours with smart card logins (this is especially evident between different versions of OS X 10.7.x).
    1. Go to System Preferences > Users & Groups > Login Options > "Display login window as:"
    2. Try both options to see if the PIN will prompt with either of those settings.
      • List of users
      • Name and password
    • (Note that this is an OS X quirk which seems to have been rectified in version 10.8)
  8. Insert the card and run the following Terminal command:
    • sctool -D
      • This command lists out all the certificates present on the smart card and how their attributes match up against Active Directory:
        • Ignore any certificate that says "This certificate cannot be used for pkinit", as these are not applicable for system logins.
      • Make sure that the user for the applicable certificate can be found in AD via their user principal name and that they have been authorised for login in the Zone.
        • If the message "Cannot locate NT principal name in AD" is seen for a certificate which can be used for pkinit, then make sure the user has been configured correctly in ADUC.
      • Check that the UPN and alternate UPN of the AD account have been configured correctly:
      • If the UPN on the smart card is something other than "mil", then make sure the "adclient.altupns" parameter in /etc/centrifydc/centrifydc.conf has been configured accordingly.
        • For example, if the UPN on the smart card is "111111@mysmartcard.local", then the parameter should be configured as:
          • adclient.altupns: mysmartcard.local
        • This parameter can also be pushed via the following GP:
          • Computer Configuration / Centrify Settings / DirectControl Settings / "Add centrifydc.conf properties"
      • The "User logon name" needs to match the NT Principal Name on the card.
  9. If the above steps have been verified and smart card logins are still failing, then it may be a compatibility issue between the smart card and OS X itself. Apple has been improving smart card support with each version of the OS, so it is recommended to update to the latest version whenever possible.
    • Please see the following Security Notes from Apple detailing the smart card compatibility fixes as of OS X 10.9 Mavericks:
    • http://support.apple.com/kb/HT6011 (Security - Smart Card Services)
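A quick check for the adclient.altupns condition in step 8, added here as an example and not part of the Centrify KB: it takes the UPN reported for the card and verifies that its suffix is listed in adclient.altupns. The centrifydc.conf fragment is constructed, and the script assumes the altupns values are separated by spaces or commas.

```bash
#!/bin/bash
# Added example (not from the Centrify KB): does the UPN suffix on the card
# appear in adclient.altupns? Assumes values are space- or comma-separated.

# Print the part of a UPN after '@', lower-cased (UPN matching is case-insensitive).
upn_suffix() {
    printf '%s\n' "${1#*@}" | tr '[:upper:]' '[:lower:]'
}

# Print the configured adclient.altupns values, one per line. Lines starting
# with '#' (including a commented-out default) are ignored.
altupns_from_conf() {
    sed -n 's/^[[:space:]]*adclient\.altupns[[:space:]]*:[[:space:]]*//p' "$1" \
        | tr ',' ' ' | tr -s ' ' '\n' | tr '[:upper:]' '[:lower:]' | sed '/^$/d'
}

# Return 0 if the UPN suffix is listed in adclient.altupns, 1 otherwise.
# $2 defaults to the conf path named in the KB.
altupn_covered() {
    upn="$1"; conf="${2:-/etc/centrifydc/centrifydc.conf}"
    suffix=$(upn_suffix "$upn")
    altupns_from_conf "$conf" | grep -qx "$suffix"
}

# Constructed centrifydc.conf fragment for a stand-alone run (not a real file).
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed centrifydc.conf fragment
#adclient.altupns: example.com
adclient.altupns: mysmartcard.local, corp.example.net
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); make_sample_conf "$tmp"
    for u in 111111@mysmartcard.local 222222@other.local; do
        if altupn_covered "$u" "$tmp"; then
            echo "$u: suffix is covered by adclient.altupns"
        else
            echo "$u: add its suffix to adclient.altupns (or the GP in step 8)"
        fi
    done
    rm -f "$tmp"
fi
```

Run it with `--demo` against the constructed fragment, or call `altupn_covered <upn>` on a live Mac to test the real /etc/centrifydc/centrifydc.conf.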
 
  • If the steps have been verified, OS X has been updated and the issue still cannot be resolved, please contact Centrify Support and provide the following information:
    1. The smart card type (PIV / CAC / CACNG / etc.) with make and model.
    2. A screenshot of the smart card and its certificates in Keychain Access.
    3. While logged in as Local Admin, run the commands:
      • sctool -D > /tmp/sctool_D.log
      • adquery user -A username_of_smartcard_user > /tmp/adquery.log
      • For Centrify DirectControl 5.2.4 and below: sudo ls -l /System/Library/Security/tokend/ > /tmp/tokendfolder.log 
      • For Centrify DirectControl 5.3.0 and above:  sudo ls -l /Library/Security/tokend/ > /tmp/tokendfolder.log
      • sudo adinfo -t
    4. Send in the smart card information, the screenshot, and the following files:
      • /tmp/sctool_D.log
      • /tmp/adquery.log
      • /tmp/tokendfolder.log 
      • /var/centrify/tmp/adinfo_support.tar.gz
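The support-data collection above as one script, added here as an example and not part of the Centrify KB. It runs the same commands, but picks the tokend directory by checking which of the two paths named in the KB exists instead of by DirectControl version; the script name and the `tokend_dir` helper are assumptions.

```bash
#!/bin/bash
# Added example (not from the Centrify KB): gather the diagnostics the KB asks
# for in one run. Assumes the tokend directory is chosen by which of the two
# KB paths exists rather than by DirectControl version.

# Print the tokend directory present under root $1 (default: /), preferring
# the DirectControl 5.3.0+ location; return 1 if neither exists.
tokend_dir() {
    root="${1:-}"
    for d in /Library/Security/tokend /System/Library/Security/tokend; do
        if [ -d "$root$d" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# Run the KB's commands while logged in as Local Admin, then list the files
# to send to support along with the card details and the Keychain screenshot.
collect_smartcard_diagnostics() {
    user="$1"
    sctool -D > /tmp/sctool_D.log
    adquery user -A "$user" > /tmp/adquery.log
    if dir=$(tokend_dir); then
        sudo ls -l "$dir/" > /tmp/tokendfolder.log
    else
        echo "no tokend directory found" > /tmp/tokendfolder.log
    fi
    sudo adinfo -t
    ls -l /tmp/sctool_D.log /tmp/adquery.log /tmp/tokendfolder.log \
          /var/centrify/tmp/adinfo_support.tar.gz
}

# Usage: ./collect_smartcard_diag.sh <username_of_smartcard_user>
if [ $# -eq 1 ]; then
    collect_smartcard_diagnostics "$1"
fi
```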

For a summary of the available sctool commands, please see the following KB:
