On May 16, 2014, at 12:08 PM, "Brown, Alexander [USA]" <Brown_Alexander2@bah.com> wrote:
> Hello, I have smart card logon working with Mac OS X 10.9 to a Windows Active Directory domain by using cacloginconfig.plist and mapping based on the NT Principal Name. So this is working OK, but when I took a look at the traffic between the Mac and the Windows domain I noticed there wasn’t any Kerberos traffic and PKINIT isn’t being used. Does anyone have PKINIT working with OS X 10.9, and if so, can you share some steps on how that is configured? When I have my smart card in and run “kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise” I got the error “kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found”.
What happens if you leave the --pk-enterprise option off? Would you mind sharing what the certificate looks like?
> The smart card I am using for this is the DoD CAC.
> Also one other question, does anyone know if any certificate revocation checking takes place on the Mac during smart card logon?
I'm not running 10.9 yet, but I suspect it depends on the system setting for revocation checking.
> Alex Brown
> Associate
> Booz | Allen | Hamilton
> brown_alexander2@bah.com
Personal email. hbhotz@oxy.edu