[SmartcardServices-Users] Question from a New Person Testing Smart Cards

Miller, Timothy J. tmiller at mitre.org
Wed Feb 23 18:20:21 PST 2011


On Feb 23, 2011, at 1:12 PM, Will Coleman wrote:

> I was able to dive a little deeper on the problem last night.  The two ids are actually one id - the second id was the ActivIdentity id for the middleware I installed, and this id worked on Windows - yea! - which more than likely means it will work on my Mac (when the setup is correct).  Now, I'm not sure why this is happening (I would imagine that the middleware picked up the credential and presented the right EDI/PI number and not the longer PIV number).  I hope I'm getting this correct.  Or it uses another cert (which is what I think you are saying).

EDIPI at mil comes from the DoD Email Signing cert.

EDIPI+OC+OI+POA at mil comes from the PIV Authentication cert.

If you examine both side by side it should be clear what's what.  FWIW, the OC+OI+POA are fixed for a given subscriber affiliation; i.e., you can distinguish contractor from civilian from military along with service branch with these codes.

> When I uninstalled the driver, I was presented with just ONE ID and that was the longer number or the PIV cert – and NO actividentity card login PIN screen.  I am having a hard time understanding how to configure the AD to accept the longer ID (if that in fact is the correct EDI/PI number).  

If you've set the UPN correctly in AD U&C, then your problem is probably the NTAuthCA store.  You can check this store using the MMC console:

http://support.microsoft.com/kb/295663

> You said "but this behavior can be changed to present all certs, or only certs with digitalSignature keyUsage."  

You'd probably benefit from reading this:

http://msdn.microsoft.com/en-us/library/bb905527.aspx

> Is there a way to "deactivate" the PIV cert?

Not at this time.  Currently CACs are issued with the PIV cert un-activated, but any user can activate the PIV cert through the UMP-PIP application hosted by DMDC.  In addition, anyone using PIV middleware (e.g., the PIV tokend on OS X) will *always* see the PIV cert.

> Got it, so the 2001361506 which is the sAMAccountName under the AD user leave that value alone and then change the userlogin to the longer ID which is 2001361506170084.  Why can I not query this number when using some tools that we've developed internally?  

You should be able to.  The AD attribute is described here:

http://msdn.microsoft.com/en-us/library/ms680857(v=vs.85).aspx

You will need to bind to AD to do the query, though.

> I should see this ID when I dump the card?  Does the keychain access tool show this number?  I was not able to find it, but more than likely I was looking in the wrong place.  Is there additional configuration necessary, I think I ask this in the next question.

It's in the cert itself.  OS X will display it as "NT Principal Name" under the Subject Alternative Name extension of the cert.

> You said "You will *also* need to include the PIV certificate issuing CA in the NTAuthCA certificate store. "
> 
> Ok, so in my case the issuer of the cert was CA-23, and I was able to download the certs and install them successfully and properly in AD.  This was for email, network auth and sign-on - there were three certs, one of which was DoD JITC Root CA 2.  Please note, these are all JITC certificates.  Is there a separate PIV cert that needs to be added to NTAuthCA?

> 
> But to bottom-line the problem.  When trying to authenticate using a simple 72k Gem card on Windows 7 attached to a DC/CA/AD controller that is set up to accept that card (it has all the working JITC certs and root) - the card works if 1) the ActivIdentity software is installed and 2) you switch to the ActivIdentity sign-on "picture" on login in Windows 7.  If I uninstall the drivers I am only presented the 1 identity which is the "PIV" cert.

What's happening here is you actually have two smartcard middlewares installed.  One is ActivClient, which is a complete CAPI CSP.  The other is a PIV smartcard "minidriver" MS released under the Base SmartCard CSP framework.  See here:

http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/sc_minidriver_specs_V5.doc

Win7 will fetch this minidriver from WSUS when it detects a PIV smartcard.  Unfortunately this driver isn't completely appropriate for CACs.  It'll work, but there are differences between it and ActivClient.

-- Tim
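An added example (not code from this thread, from Tim, or from the SmartcardServices project) that pulls the UPN out of a SubjectAltName extension value the way Windows logon and Keychain Access's "NT Principal Name" display do, then splits the two UPN forms Tim describes above (EDIPI at mil from the Email Signing cert, EDIPI+OC+OI+POA at mil from the PIV Authentication cert). It assumes the otherName encoding from RFC 5280, the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3, and the FASC-N field widths from NIST SP 800-73 (Person Identifier 10 digits, Organizational Category 1, Organizational Identifier 4, Person/Organization Association 1). The code tables and the sample SAN bytes are constructed for the example, not taken from a real card:

```python
"""Extract and decode the UPN Windows reads from a CAC/PIV certificate.

Added example for the thread above; not code from the original post.
Assumes RFC 5280 otherName layout, the Microsoft UPN OID, and the
SP 800-73 FASC-N field widths (PI 10, OC 1, OI 4, POA 1 digits).
"""
import re

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME

# FASC-N code tables as given in SP 800-73 (assumed here, not from the thread).
ORG_CATEGORY = {"1": "Federal Government Agency", "2": "State Government Agency",
                "3": "Commercial Enterprise", "4": "Foreign Government"}
ASSOCIATION = {"1": "Employee", "2": "Civil", "3": "Executive Staff",
               "4": "Uniformed Service", "5": "Contractor",
               "6": "Organizational Affiliate", "7": "Organizational Beneficiary"}


def _tlv(tag, body):
    """Encode one DER TLV; short-form lengths only, enough for a SAN."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _oid(dotted):
    """DER-encode the content octets of an OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _walk(data):
    """Yield (tag, body) for each short-form TLV in a DER byte string."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        assert length < 128, "long-form lengths not handled in this example"
        yield tag, data[i + 2:i + 2 + length]
        i += 2 + length


def upn_from_san(san_der):
    """Return the UPN carried in a SubjectAltName extension value, or None."""
    for _, names in _walk(san_der):           # outer SEQUENCE OF GeneralName
        for gn_tag, gn in _walk(names):
            if gn_tag != 0xA0:                # [0] otherName; 0x81 is rfc822Name
                continue
            fields = list(_walk(gn))          # type-id OID, then [0] EXPLICIT value
            if _decode_oid(fields[0][1]) != UPN_OID:
                continue
            _, utf8 = next(_walk(fields[1][1]))   # unwrap [0] to the UTF8String
            return utf8.decode("utf-8")
    return None


def parse_dod_upn(upn):
    """Split a CAC UPN: 10 digits = Email Signing form, 16 = PIV Auth form."""
    m = re.fullmatch(r"(\d{10})(?:(\d)(\d{4})(\d))?@mil", upn, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a DoD CAC UPN: {upn!r}")
    edipi, oc, oi, poa = m.groups()
    if oc is None:
        return {"kind": "email-signing", "edipi": edipi}
    return {"kind": "piv-authentication", "edipi": edipi,
            "oc": oc, "oc_label": ORG_CATEGORY.get(oc, "unknown"),
            "oi": oi,
            "poa": poa, "poa_label": ASSOCIATION.get(poa, "unknown")}


# Constructed SAN for the demo: an rfc822Name (skipped) followed by the UPN
# otherName, using the 16-digit value quoted in the thread.
SAMPLE_SAN = _tlv(0x30,
                  _tlv(0x81, b"first.last@mail.mil") +
                  _tlv(0xA0, _tlv(0x06, _oid(UPN_OID)) +
                       _tlv(0xA0, _tlv(0x0C, b"2001361506170084@mil"))))

if __name__ == "__main__":
    upn = upn_from_san(SAMPLE_SAN)
    print(upn, parse_dod_upn(upn))
    print(parse_dod_upn("2001361506@mil"))
```

The point for the AD side of the thread is that the UPN Windows matches against userPrincipalName is whatever string sits in this otherName, so whichever cert the middleware presents (Email Signing or PIV Authentication) decides whether AD must hold the 10-digit or the 16-digit form.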
