OS X 10.9 Smart Card Logon But No PKINIT
Hello, I have smart card logon working with Mac OS X 10.9 to a Windows Active Directory domain by using cacloginconfig.plist and mapping based on the NT Principal Name. So this is working ok but when I took a look at the traffic between the Mac and the Windows domain I noticed there wasn't any Kerberos traffic and PKINIT isn't being used. Does anyone have PKINIT working with OS X 10.9 and if so can you share some steps on how that is configured? When I have my smart card in and run "kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise" I got the error "kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found". The smart card I am using for this is the DoD CAC. Also one other question, does anyone know if any certificate revocation checking takes place on the Mac during smart card logon?
Alex Brown
Associate
Booz | Allen | Hamilton
brown_alexander2@bah.com
On May 16, 2014, at 12:08 PM, "Brown, Alexander [USA]" <Brown_Alexander2@bah.com> wrote:
Hello, I have smart card logon working with Mac OS X 10.9 to a Windows Active Directory domain by using cacloginconfig.plist and mapping based on the NT Principal Name. So this is working ok but when I took a look at the traffic between the Mac and the Windows domain I noticed there wasn’t any Kerberos traffic and PKINIT isn’t being used. Does anyone have PKINIT working with OS X 10.9 and if so can you share some steps on how that is configured? When I have my smart card in and run “kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise” I got the error “kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found”.
What happens if you leave off the --pk-enterprise option? Would you mind sharing what the certificate looks like?
The smart card I am using for this is the DoD CAC.
Also one other question, does anyone know if any certificate revocation checking takes place on the Mac during smart card logon?
I'm not running 10.9 yet, but I suspect it depends on the system setting for revocation checking.
Alex Brown Associate Booz | Allen | Hamilton
brown_alexander2@bah.com
_______________________________________________ SmartcardServices-Users mailing list SmartcardServices-Users@lists.macosforge.org https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
Personal email. hbhotz@oxy.edu
Hi,
On May 16, 2014, at 21:08, Brown, Alexander [USA] <Brown_Alexander2@bah.com> wrote:
I have smart card logon working with Mac OS X 10.9 to a Windows Active Directory domain by using cacloginconfig.plist and mapping based on the NT Principal Name. So this is working ok but when I took a look at the traffic between the Mac and the Windows domain I noticed there wasn’t any Kerberos traffic and PKINIT isn’t being used. Does anyone have PKINIT working with OS X 10.9 and if so can you share some steps on how that is configured? When I have my smart card in and run “kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise” I got the error “kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found”. The smart card I am using for this is the DoD CAC.
I've got this problem too. I've found (via reverse engineering) that the Kerberos framework has some problems in the algo used to validate the certificate on the card. It seems to see it but doesn't take it as valid. I've used my contact at Apple to forward the information to Shawn Geddis but I've never got any answer. It's been there since 10.9.0. Maybe I'm wrong in my debug work, and maybe we've both made the same mistake in the cacloginconfig.plist… If you need a quick workaround, go to third-party middleware; they make PKINIT work.
Best regards,
Yoann
Yoann,
Thank you for this information. If you hear anything back from Shawn on this please let us know.
Alex
From: Yoann Gini [mailto:yoann.gini@gmail.com]
Sent: Friday, May 16, 2014 6:23 PM
To: Brown, Alexander [USA]
Cc: smartcardservices-users@lists.macosforge.org
Subject: [External] Re: [SmartcardServices-Users] OS X 10.9 Smart Card Logon But No PKINIT
On May 16, 2014, at 3:23 PM, Yoann Gini <yoann.gini@gmail.com> wrote:
I got the error “kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found”. The smart card I am using for this is the DoD CAC.
I've got this problem too. I've found (via reverse engineering) that the Kerberos framework has some problems in the algo used to validate the certificate on the card. It seems to see it but doesn't take it as valid.
Alexander's cert ought to be OK since it's at least recognized, but I've seen a similar apparent mismatch in processing the KDC reply from a Heimdal KDC. I suspect the problem is a mismatch between Apple's PKI framework and Heimdal.
Personal email. hbhotz@oxy.edu
Hi,
On May 19, 2014, at 22:31, Henry B Hotz <hbhotz@oxy.edu> wrote:
Alexander's cert ought to be OK since it's at least recognized, but I've seen a similar apparent mis-match in processing the KDC reply from a Heimdal KDC. I suspect the problem is a mis-match between Apple's PKI framework and Heimdal.
Yes, this can also be an explanation for what I've seen. When I said « it doesn't take it as valid », I was talking about the whole checkup process: certificate validity and authorized usage. Of course I've tried different KU and EKU without any success.
Just for completeness we should mention the command "security verify-cert -p pkinitClient". I don't think it calls any Heimdal Kerberos code, but it should tell you something about what the Apple PKI code thinks.
On May 20, 2014, at 12:11 AM, Yoann Gini <yoann.gini@gmail.com> wrote:
Yes, this can also be an explanation for what I’ve seen.
When I said « it doesn't take it as valid », I was talking about the whole checkup process: certificate validity and authorized usage.
Of course I've tried different KU and EKU without any success.
At least for Heimdal, I think KU of digitalSignature is all that's required. I wonder if it's worth trying Heimdal on a Linux system for comparison? (I suggest Debian with the OpenSC card drivers if someone wants to try.) If nothing else the error messages might be clearer, and you could write a better bug report for Apple.
Personal email. hbhotz@oxy.edu
I exported the public certificate to a file and then ran "sudo security verify-cert -p pkinitClient -c <certificate-file>" (replacing <certificate-file> with the actual file name) and the message I received was "certificate verification successful".
Alex
-----Original Message-----
From: Henry B Hotz [mailto:hbhotz@oxy.edu]
Sent: Tuesday, May 20, 2014 5:02 PM
To: Yoann Gini
Cc: Brown, Alexander [USA]; smartcardservices-users@lists.macosforge.org
Subject: [External] Re: [SmartcardServices-Users] OS X 10.9 Smart Card Logon But No PKINIT
Just for completeness we should mention the command "security verify-cert -p pkinitClient". I don't think it calls any Heimdal Kerberos code, but it should tell you something about what the Apple PKI code thinks.
On May 20, 2014, at 12:11 AM, Yoann Gini <yoann.gini@gmail.com> wrote:
Hate to drag up stuff from the past, but I wonder if this was ever figured out? I'm looking at the same basic situation. I can do cacloginconfig based smart card login under 10.10.3, but I don't get a Kerberos TGT for the user, and no options that I toss at kinit seem to enable it to do a pkinit.
Here is what I have: Gemalto smart card, being correctly recognized and read by the system. I can see the "keychain", the certificate on board has the correct EKU for smart card login, and it shows as trusted. Root certificates for AD are installed. cacloginconfig.plist points to the right attributes. I can go to the login window, insert the card, put in my PIN, and log in, but no Kerberos ticket is generated.
If I run
kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise
I get the result:
kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found
Thinking that maybe this is a search path issue, and those trailing : after KEYCHAIN seem to indicate it's some sort of path separator, I tried the following:
Run security list-keychains. Copy the "smart card keychain" name. Run
kinit -C KEYCHAIN:"smart card keychain name" -D KEYCHAIN: --windows --pk-enterprise
Result:
kinit: krb5_pk_enterprise_certs: PK-INIT cert didn't contain principal SAN
Now, the certificate I'm trying to use DOES have a SAN, so I don't know if this is further confusing things, or helping and showing the next error in the chain. I think I've tried every possible combination of documented switches in kinit, but I can't seem to get any further. Does anyone have any suggestions?
--DH
On May 22, 2014, at 7:59 AM, "Brown, Alexander [USA]" <Brown_Alexander2@bah.com> wrote:
I exported the public certificate to a file and then ran "sudo security verify-cert -p pkinitClient -c <certificate-file>" (replacing <certificate-file> with the actual file name) and the message I received was "certificate verification successful".
Alex
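The thread turns on three properties of the card certificate: a keyUsage of digitalSignature (Henry's note on Heimdal), an EKU for smart card logon or PKINIT client authentication, and a principal name in the subjectAltName (the "didn't contain principal SAN" error above). The following checker is an added example and not code from any poster; it uses Python's `cryptography` package, a constructed self-signed certificate in place of a CAC, and OIDs assumed from RFC 4556 and Microsoft's documentation rather than taken from the thread.

```python
# Added example (not from the thread): report what a PKINIT client certificate must carry.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# OIDs assumed from RFC 4556 and Microsoft's documentation, not taken from the thread
OID_UPN = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")       # Microsoft UPN otherName
OID_PKINIT_CLIENT = x509.ObjectIdentifier("1.3.6.1.5.2.3.4")    # id-pkinit-KPClientAuth
OID_SC_LOGON = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")  # Microsoft Smart Card Logon

def _ext(cert, cls):
    """Value of extension `cls`, or None when the certificate does not carry it."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def pkinit_report(cert: x509.Certificate) -> dict:
    """Collect the KU bit, the EKUs and the UPN SAN that a PKINIT client is expected to have."""
    ku, eku, san = (_ext(cert, c) for c in (x509.KeyUsage, x509.ExtendedKeyUsage, x509.SubjectAlternativeName))
    r = {"digital_signature": bool(ku and ku.digital_signature),
         "pkinit_eku": bool(eku and OID_PKINIT_CLIENT in eku),
         "sc_logon_eku": bool(eku and OID_SC_LOGON in eku), "principal": None}
    for name in (san or []):  # the UPN is an otherName holding a DER UTF8String (short length form assumed)
        if isinstance(name, x509.OtherName) and name.type_id == OID_UPN and name.value[:1] == b"\x0c":
            r["principal"] = name.value[2:2 + name.value[1]].decode()
    return r

def pkinit_problems(r: dict) -> list:
    """Findings as messages; the last mirrors kinit's 'PK-INIT cert didn't contain principal SAN'."""
    checks = [(r["digital_signature"], "keyUsage lacks digitalSignature"),
              (r["pkinit_eku"] or r["sc_logon_eku"], "no PKINIT client / Smart Card Logon EKU"),
              (r["principal"] is not None, "no UPN otherName in subjectAltName (no principal SAN)")]
    return [msg for ok, msg in checks if not ok]

def make_test_cert(upn=None) -> x509.Certificate:
    """Constructed self-signed stand-in for a card certificate; upn=None leaves the SAN out."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed test")])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(datetime.now(timezone.utc))
         .not_valid_after(datetime.now(timezone.utc) + timedelta(days=1))
         .add_extension(x509.KeyUsage(True, False, False, False, False, False, False, False, False), critical=True)
         .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH, OID_PKINIT_CLIENT, OID_SC_LOGON]), critical=False))
    if upn:  # DER UTF8String: tag 0x0C, one-byte length, UTF-8 bytes
        b = b.add_extension(x509.SubjectAlternativeName(
            [x509.OtherName(OID_UPN, b"\x0c" + bytes([len(upn)]) + upn.encode())]), critical=False)
    return b.sign(key, hashes.SHA256())
```

To run it against a real card certificate exported from Keychain Access, load the file with `x509.load_pem_x509_certificate` or `x509.load_der_x509_certificate` and pass the result to `pkinit_report`.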
Participants (4):
- Brown, Alexander [USA]
- Henry B Hotz
- Hoit, Daniel S.
- Yoann Gini