Hi!

With our tokend compiled for x86_64 on 10.6, we are unable to use it for authentication with loginwindow. The loginwindow recognizes the tokend since it shows the right user and prompts us to enter the PIN code. However, the loginwindow always shakes after entering it.

Here is the sc_auth output used for linking the user to the certificate on the smartcard:

$ sc_auth hash
3A941BBD2D9CD73F6D83A5808B8250E318740EEA Test User's Axinoe CA SMIME ID
CB0044788246DA3F09763A0A298325334081274F com.apple.systemdefault
988A5041EA0A9E8C62BE2EA20DB49324D3A8EB56 com.apple.kerberos.kdc
CB0044788246DA3F09763A0A298325334081274F com.apple.systemdefault
988A5041EA0A9E8C62BE2EA20DB49324D3A8EB56 com.apple.kerberos.kdc

$ sc_auth list -u test_user
3A941BBD2D9CD73F6D83A5808B8250E318740EEA

Of course the smartcard has the private key for this certificate.

I traced the security logs to see what happens; maybe the credentials sent by the smartcard-sniffer to the authenticate mechanism are wrong.

tokendb 0x100305010 authenticate calling validate
preauth using state 1@0x10032aa00
notify 0x100223560 notification created domain 0x1 event 2 seq 4294967296
schedq 0x100227b40 (1259947209.000) scheduled before 0x100215118
notify 0x100223560 notification done domain 0x1 event 2 seq 4294967296
tokendb 0x100305010 updating PIN1 state response
tokendb returning isLocked=0
agentclient got setResult at port 19971; result 0
AuthEvalMech evaluate(builtin:smartcard-sniffer,privileged) with result: 0.
schedq event 0x100227b40 unscheduled
schedq event 0x100227b40 delivered at 1259947209.000
notify Posted notification to clients.
adhoc Callback was called 6 times.
agentclient got setResult at port 21507; result 0
AuthEvalMech evaluate(loginwindow:login) with result: 0.
agentclient got setResult at port 23059; result 0
AuthEvalMech evaluate(builtin:reset-password,privileged) with result: 0.
agentclient got setResult at port 24323; result 0
AuthEvalMech evaluate(builtin:auto-login,privileged) with result: 0.
tokendb 0x100305010 updating PIN1 state response
tokendb returning isLocked=0
tokenacl 0x1002282e8 loading ACLs from tokend
preauth using state 1@0x10032aa00
handleobj create 0x32f9c4 for 0x10032f960
tokenacl 0x10032fa08 loading ACLs from tokend
agentclient got setResult at port 24835; result 1
AuthEvalMech evaluate(builtin:authenticate,privileged) with result: 1.
SSauth Authorization 0x100328b60 returning copy of context (null).

Maybe there are some checks added to verify the purpose of the certificate. Here is the content of the certificate used:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=FR, ST=Rhone, L=Lyon, O=Axinoe, OU=Axinoe Certification, CN=Axinoe CA SMIME/emailAddress=ca@axinoe.com
        Validity
            Not Before: Oct 10 08:05:41 2008 GMT
            Not After : Oct 10 08:05:41 2033 GMT
        Subject: C=FR, ST=Rhone, L=Lyon, O=Axinoe, OU=Axinoe Certification, CN=Test User/emailAddress=test@axinoe.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE, pathlen:0
            Netscape Cert Type:
                S/MIME
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                E-mail Protection
            Netscape Comment:
                OpenSSL Generated SMIME Certificate
            X509v3 Subject Key Identifier:
                3A:94:1B:BD:2D:9C:D7:3F:6D:83:A5:80:8B:82:50:E3:18:74:0E:EA
            X509v3 Authority Key Identifier:
                keyid:87:88:33:16:B1:E5:22:BC:B1:B1:9D:74:DA:69:1A:45:57:F2:D4:4C
                DirName:/C=FR/ST=Rhone/L=Lyon/O=Axinoe/OU=Axinoe Certification/emailAddress=ca@axinoe.com/CN=Axinoe CA Root
                serial:01
            X509v3 Subject Alternative Name:
                email:test@axinoe.com
    Signature Algorithm: sha1WithRSAEncryption

-- 
Jean-Charles BERTIN
Axinoe - Software Engineer
Tel.: (+33) (0)1.80.82.59.23
Fax : (+33) (0)1.80.82.59.29
Skype: jcbertin
Web: <http://www.axinoe.com/>
Certificate Authority: <https://ca.axinoe.com/axinoe-root.crt>
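
Added example (not part of the original message): a small Python parser that walks a securityd debug trace like the one quoted above and reports the first authorization mechanism that did not return allow, together with the debug lines logged just before its result. The sample trace is the tail of the log from the post; the function names are illustrative.

```python
import re

# AuthorizationResult values from Security/AuthorizationPlugin.h.
RESULTS = {0: "allow", 1: "deny", 2: "undefined", 3: "user canceled"}

MECH_RE = re.compile(
    r"^AuthEvalMech evaluate\(([^:()]+):([^,()]+)(,privileged)?\)"
    r" with result: (\d+)\.?$"
)

# Constructed sample: the tail of the trace quoted in the post.
SAMPLE_TRACE = """\
agentclient got setResult at port 24323; result 0
AuthEvalMech evaluate(builtin:auto-login,privileged) with result: 0.
tokendb 0x100305010 updating PIN1 state response
tokendb returning isLocked=0
tokenacl 0x1002282e8 loading ACLs from tokend
preauth using state 1@0x10032aa00
handleobj create 0x32f9c4 for 0x10032f960
tokenacl 0x10032fa08 loading ACLs from tokend
agentclient got setResult at port 24835; result 1
AuthEvalMech evaluate(builtin:authenticate,privileged) with result: 1.
SSauth Authorization 0x100328b60 returning copy of context (null).
"""

def mechanism_results(trace):
    """Yield (plugin, mechanism, privileged, result, context) per mechanism."""
    # context = debug lines logged between the previous mechanism's result
    # and this one; the agentclient setResult lines are skipped as redundant.
    context = []
    for line in trace.splitlines():
        line = line.strip()
        m = MECH_RE.match(line)
        if m:
            yield m.group(1), m.group(2), bool(m.group(3)), int(m.group(4)), context
            context = []
        elif line and not line.startswith("agentclient "):
            context.append(line)

def first_failure(trace):
    """Return the first mechanism whose result is not allow (0), or None."""
    for plugin, mech, priv, result, context in mechanism_results(trace):
        if result != 0:
            return {"mechanism": f"{plugin}:{mech}", "privileged": priv,
                    "result": RESULTS.get(result, str(result)), "context": context}
    return None

if __name__ == "__main__":
    print(first_failure(SAMPLE_TRACE))
```

On the sample this singles out builtin:authenticate, and the context shows the token ACLs being loaded from the tokend right before the deny.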