<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On May 16, 2014, at 12:08 PM, "Brown, Alexander [USA]" <<a href="mailto:Brown_Alexander2@bah.com">Brown_Alexander2@bah.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class="WordSection1" style="page: WordSection1; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Hello,<o:p></o:p></div><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">I have smart card logon working with Mac OS X 10.9 to a Windows Active Directory domain by using cacloginconfig.plist and mapping based on the NT Principal Name. So this is working ok but when I took a look at the traffic between the Mac and the Windows domain I noticed there wasn’t any Kerberos traffic and PKINIT isn’t being used. Does anyone have PKINIT working with OS X 10.9 and if so can you share some steps on how that is configured? When I have my smart card in and run “kinit -C KEYCHAIN: -D KEYCHAIN: --windows --pk-enterprise” I got the error “kinit: krb5_pk_enterprise_certs: Failed to find PKINIT certificate: Certificate not found”. </span></pre></div></div></blockquote><div><br></div><div>What happens if you leave off the --pk-enterprise option off? Would you mind sharing what the certificate looks like?</div><br><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class="WordSection1" style="page: WordSection1; "><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">The smart card I am using for this is the DoD CAC.<o:p></o:p></span></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; "> </span></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; "> </span></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Also one other question, does anyone know if any certificate revocation checking takes place on the Mac during smart card logon? </span></pre></div></div></blockquote><div><br></div><div>I'm not running 10.9 yet, but I suspect it depends on the system setting for revocation checking.</div><br><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class="WordSection1" style="page: WordSection1; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><b><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(31, 73, 125); ">Alex Brown</span></b><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(31, 73, 125); "><br></span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: gray; ">Associate<br></span><span style="font-size: 10pt; font-family: Arial, sans-serif; ">Booz | Allen | Hamilton</span><o:p></o:p></div><div><div class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(31, 73, 125); "><hr size="2" width="120" noshade="" align="left" style="width: 1in; "></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 7.5pt; font-family: Arial, sans-serif; color: rgb(153, 153, 153); "><br></span><span style="font-size: 7.5pt; font-family: Arial, sans-serif; "><a href="mailto:brown_alexander2@bah.com" style="color: purple; text-decoration: underline; "><span style="color: blue; ">brown_alexander2@bah.com</span></a></span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(31, 73, 125); "><o:p></o:p></span></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div></div>_______________________________________________<br>SmartcardServices-Users mailing list<br><a href="mailto:SmartcardServices-Users@lists.macosforge.org" style="color: purple; text-decoration: underline; ">SmartcardServices-Users@lists.macosforge.org</a><br><a href="https://lists.macosforge.org/mailman/listinfo/smartcardservices-users" style="color: purple; text-decoration: underline; ">https://lists.macosforge.org/mailman/listinfo/smartcardservices-users</a><br></div></blockquote></div><br><div apple-content-edited="true">
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div>Personal email. <a href="mailto:hbhotz@oxy.edu">hbhotz@oxy.edu</a></div><div><br></div></span><br class="Apple-interchange-newline">
</div>
<br></body></html>