[SmartcardServices-Users] OS X 10.9 Smart Card Logon But No PKINIT

Henry B Hotz hbhotz at oxy.edu
Fri May 16 14:54:31 PDT 2014


On May 16, 2014, at 12:08 PM, "Brown, Alexander [USA]" <Brown_Alexander2 at bah.com> wrote:

> Hello,
> I have smart card logon working with Mac OS X 10.9 to a Windows Active Directory domain by using cacloginconfig.plist and mapping based on the NT Principal Name. So this is working ok but when I took a look at the traffic between the Mac and the Windows domain I noticed there wasn’t any Kerberos traffic and PKINIT isn’t being used. Does anyone have PKINIT working with OS X 10.9 and if so can you share some steps on how that is configured? When I have my smart card in and run “kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise” I got the error “kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found”. 

What happens if you leave the --pk-enterprise option off? Would you mind sharing what the certificate looks like?

> The smart card I am using for this is the DoD CAC.
>  
>  
> Also one other question, does anyone know if any certificate revocation checking takes place on the Mac during smart card logon? 

I'm not running 10.9 yet, but I suspect it depends on the system setting for revocation checking.

>  
> Alex Brown
> Associate
> Booz | Allen | Hamilton
> 
> brown_alexander2 at bah.com
>  
> _______________________________________________
> SmartcardServices-Users mailing list
> SmartcardServices-Users at lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/smartcardservices-users

Personal email.  hbhotz at oxy.edu


