[SmartcardServices-Users] Mountain Lion Login window

Jorgensen, Will A Will at pnnl.gov
Wed Jul 24 23:26:03 PDT 2013

Okay, so I finally got a chance to make some progress on this. Once I got the Entrust Managed Services SSP CA certs trusted then I could get the Public Key Hash method to work. However, I ran into trouble trying to get the attribute lookup to work. The contents of the cacloginconfig.plist are provided at the end of my reply. Is the correct file name cacloginconfig.plist or caclogingconfig.plist? I saw both names referenced on the net. I tried both, neither worked.

My computer is bound to AD and can do lookups and get Kerberos tickets in general. My user object in AD has the userPrincipalName attribute set and it matches the value in the NT Principal Name field in my certificate. I didn't change the /etc/authorization file from what was working with the Public Key Hash method.

What else should I be looking at?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<string>NT Principal Name</string>
</plist>

Will Jorgensen
Desktop and Mobile Services
Pacific Northwest National Laboratory

From: Shawn Geddis <geddis at apple.com>
Date: Tuesday, May 28, 2013 10:22 PM
To: Will <will at pnnl.gov>
Cc: "SmartcardServices-Users at lists.macosforge.org" <SmartcardServices-Users at lists.macosforge.org>
Subject: Re: [SmartcardServices-Users] Mountain Lion Login window

On May 29, 2013, at 1:44 AM, "Jorgensen, Will A" <Will at pnnl.gov> wrote:
When I'm already logged in, the PIV card shows up in the keychain and the certificates show up as valid (I had to install some root certificates to get that).

Question again on why you would need to install roots for certificates on a PIV card.  Is this a self-generated PIV Card with internal / test identities and not US Federal Government issued Identities ?  I ask because the System Root Keychain should already have the necessary CA Roots Certificates for proper trust validation and revocation checking for US Federal Government issued Identities.  If not, please let me know what was not there, so that I can correct that.

Answer – They are DOE certificates issued by an Entrust Managed Services SSP CA which I didn't see in the system root keychain.  Looking at it further, I'm not sure I actually solved it anyway since the certificates in the PIV card show up as being signed by an untrusted user.


Ahh, we may be at the heart of your problem.... If your PIV Certs show up as signed by an untrusted user that is the root cause of you not being able to log in with Attr Matching or PKINIT. The PubKeyHash method does not do certificate status checking, but both Attr Matching and PKINIT do verify that the certificate is trusted and valid prior to login.

You must resolve this first before being able to move on. Are the DOE issued certificates not resolved (Trust Path Validation) to the "Federal Common Policy CA" Root CA Certificate? Looking at the certificate I have for you at @pnnl.gov it is signed using a "Department of Energy", "Pacific Northwest National Laboratory" Root CA Certificate. You need to specifically mark that Root CA Cert as trusted on your system (since it is not in System Roots and trusted) and then any certificate signed by it will appear as valid if all else is correct with the certificate.

  *   Launch Keychain Access (KA)
  *   Select "Certificates" in the Category (lower left corner)
  *   Enter "Department of Energy" in the Search Field (upper right corner)
  *   Double-click the Certificate "Department of Energy" with Serial Number "998328652" to open it
  *   Click the 'disclosure' triangle in front of the word 'Trust' in the certificate's window
  *   Select Always Trust
  *   Provide your Admin Account PW and the Trust will be set to Always Trust that Root

Now go back to setting up Login.

The unfortunate point to note is that many of the DOE labs have Root CA Certs issued by an Entrust Managed Services SSP CA that resolves to the DOE Root CA and not the "Federal Common Policy CA" which Apple includes in the Trusted Root Store.
Let me see if we need to look into including the DOE Root CA Cert in the System Roots.  That would have solved your problem to begin with.  Federal PKI directs only trusting the "Federal Common Policy CA", but let me see what I can do.

- Shawn
Shawn Geddis              geddis at me.com
Enterprise Security Consulting Engineer, Apple     geddis at apple.com

MacOSForge: Smart Card Services  Project Lead:
Web: http://smartcardservices.macosforge.org/
Lists: http://lists.macosforge.org/mailman/listinfo
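Added example, not part of this thread or of the Smart Card Services project: a small Go program that builds a constructed lab root CA and a PIV-style leaf under it (stand-ins for the Entrust/DOE root and the card's certificate; the key pairs, subject names and the UPN `will@example.gov` are all made up for the demo) and then shows the two checks the thread turns on. First it validates the leaf's certification path with the root absent from the trust store, which is what Attr Matching and PKINIT see while the DOE root is not in System Roots, and again with the root added, which is the "Always Trust" step above. Second it reads the NT Principal Name (the Microsoft UPN otherName in the subjectAltName) straight out of the DER, since that is the value the attribute lookup has to match against the AD user's userPrincipalName, and Go's x509 parser does not expose it:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// subjectAltName, and the Microsoft UPN otherName (id-ms-upn) shown as "NT Principal Name".
var oidSAN = asn1.ObjectIdentifier{2, 5, 29, 17}
var oidUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}

// OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }; a UPN value is a UTF8String.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

// sanWithUPN builds a subjectAltName extension carrying a single UPN otherName.
func sanWithUPN(upn string) (pkix.Extension, error) {
	gn, err := asn1.MarshalWithParams(otherName{TypeID: oidUPN, Value: upn}, "tag:0") // GeneralName [0] IMPLICIT
	if err != nil {
		return pkix.Extension{}, err
	}
	seq, err := asn1.Marshal([]asn1.RawValue{{FullBytes: gn}}) // GeneralNames ::= SEQUENCE OF GeneralName
	return pkix.Extension{Id: oidSAN, Value: seq}, err
}

// NTPrincipalName decodes the raw SAN extension and returns the UPN, or an error when there is none.
func NTPrincipalName(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSAN) {
			continue
		}
		var names []asn1.RawValue
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return "", err
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue // rfc822Name, dNSName, ... are not otherName
			}
			var on otherName
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidUPN) {
				return on.Value, nil
			}
		}
	}
	return "", fmt.Errorf("no NT Principal Name in certificate %q", cert.Subject.CommonName)
}

// must panics on construction errors a demo cannot meaningfully recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// RunDemo mints a constructed lab root (standing in for the Entrust/DOE root that is not in System
// Roots) and a PIV-style leaf under it; it returns the leaf's UPN and the validation result both ways.
func RunDemo() (upn string, untrustedErr, trustedErr error) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Lab Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed PIV Authentication"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		// Constructed UPN; for a real login it must equal the AD user's userPrincipalName.
		ExtraExtensions: []pkix.Extension{must(sanWithUPN("will@example.gov"))},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	// Path validation is what Attr Matching and PKINIT do before login; PubKeyHash skips it.
	validate := func(roots *x509.CertPool) error {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
		return err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // the "Always Trust" step from Keychain Access
	return must(NTPrincipalName(leaf)), validate(x509.NewCertPool()), validate(trusted)
}

func main() {
	upn, untrusted, trusted := RunDemo()
	fmt.Printf("NT Principal Name: %s\nroot not trusted:  %v\nroot trusted:      %v\n", upn, untrusted, trusted)
}
```

On the Mac itself the same two checks can be done with security(1); these commands are the CLI equivalent of the Keychain Access steps, not something taken from the thread. `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain doe-root.cer` marks the root trusted system-wide, and `security verify-cert -c piv-auth.cer` reports whether the card certificate's path now validates. If it still fails after the root is trusted, check that the issuing Entrust Managed Services SSP CA certificate is also available to the validator, since the chain has to be complete from leaf to root.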

