[SmartcardServices-Users] OS X 10.9 Smart Card Logon But No PKINIT

Henry B Hotz hbhotz at oxy.edu
Fri May 16 14:54:31 PDT 2014

On May 16, 2014, at 12:08 PM, "Brown, Alexander [USA]" <Brown_Alexander2 at bah.com> wrote:

> Hello,
> I have smart card logon working with Mac OS X 10.9 to a Windows Active Directory domain by using cacloginconfig.plist and mapping based on the NT Principal Name. So this is working ok but when I took a look at the traffic between the Mac and the Windows domain I noticed there wasn’t any Kerberos traffic and PKINIT isn’t being used. Does anyone have PKINIT working with OS X 10.9 and if so can you share some steps on how that is configured? When I have my smart card in and run “kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise” I got the error “kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found”. 

What happens if you leave off the --pk-enterprise option off? Would you mind sharing what the certificate looks like?

> The smart card I am using for this is the DoD CAC.
> Also one other question, does anyone know if any certificate revocation checking takes place on the Mac during smart card logon? 

I'm not running 10.9 yet, but I suspect it depends on the system setting for revocation checking.

> Alex Brown
> Associate
> Booz | Allen | Hamilton
> brown_alexander2 at bah.com
> _______________________________________________
> SmartcardServices-Users mailing list
> SmartcardServices-Users at lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/smartcardservices-users

Personal email.  hbhotz at oxy.edu

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/smartcardservices-users/attachments/20140516/005e33ed/attachment.html>

More information about the SmartcardServices-Users mailing list