[SmartcardServices-Users] OS X 10.9 Smart Card Logon But No PKINIT

Yoann Gini yoann.gini at gmail.com
Fri May 16 15:23:05 PDT 2014


On 16 May 2014, at 21:08, Brown, Alexander [USA] <Brown_Alexander2 at bah.com> wrote:

> I have smart card logon working with Mac OS X 10.9 to a Windows Active Directory domain by using cacloginconfig.plist and mapping based on the NT Principal Name. So this is working ok but when I took a look at the traffic between the Mac and the Windows domain I noticed there wasn’t any Kerberos traffic and PKINIT isn’t being used. Does anyone have PKINIT working with OS X 10.9 and if so can you share some steps on how that is configured? When I have my smart card in and run “kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise” I got the error “kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found”. The smart card I am using for this is the DoD CAC.

I’ve got this problem too. I’ve found (via reverse engineering) that the Kerberos framework has some problems in the algo used to validate the certificate on the card. It seems to see it but doesn’t take it as valid.

I’ve used my contact at Apple to forward the information to Shawn Geddis but I’ve never got any answer.

It’s been here since 10.9.0.

Maybe I’m wrong in my debug work, and maybe we’ve both made the same mistake in the cacloginconfig.plist…

If you need a quick workaround, go to third-party middleware; they make PKINIT work.

Best regards,