[SmartcardServices-Users] OS X 10.9 Smart Card Logon But No PKINIT
Henry B Hotz
hbhotz at oxy.edu
Fri May 16 14:54:31 PDT 2014
On May 16, 2014, at 12:08 PM, "Brown, Alexander [USA]" <Brown_Alexander2 at bah.com> wrote:
> I have smart card logon working with Mac OS X 10.9 to a Windows Active Directory domain by using cacloginconfig.plist and mapping based on the NT Principal Name. So this is working ok but when I took a look at the traffic between the Mac and the Windows domain I noticed there wasn’t any Kerberos traffic and PKINIT isn’t being used. Does anyone have PKINIT working with OS X 10.9 and if so can you share some steps on how that is configured? When I have my smart card in and run “kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise” I got the error “kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found”.
What happens if you leave off the --pk-enterprise option? Would you mind sharing what the certificate looks like?
> The smart card I am using for this is the DoD CAC.
> Also one other question, does anyone know if any certificate revocation checking takes place on the Mac during smart card logon?
I'm not running 10.9 yet, but I suspect it depends on the system setting for revocation checking.
> Alex Brown
> Booz | Allen | Hamilton
> brown_alexander2 at bah.com
Personal email. hbhotz at oxy.edu