Ignore any certificate that displays "This certificate cannot be used for pkinit", as such certificates are not applicable for system logins. If the message "Cannot locate NT principal name in AD" is displayed for a certificate that can be used for pkinit, make sure the user has been configured correctly in Active Directory Users and Computers.
If the UPN on the smart card is something other than mil, make sure that the adclient. For example, if the UPN on the smart card is mysmartcard. In the list of users, right-click the user who is attempting to log in, and select Properties.
Select the Account tab in the Properties dialog and verify that the name in the User logon name field matches the NT Principal Name on the smart card. If the preceding steps have been verified and smart card logins still fail, there might be a compatibility issue between the smart card and the Mac OS itself. If necessary, contact Centrify Support and provide the information described in Collecting information specific to smart card log in failure.
Diagnosing smart card log in problems
Two general methods for diagnosing smart card log in problems are provided:
- By using the sctool utility as described in Using sctool
- By performing the diagnostic procedures described in this section.
Ensure that the Mac computer is able to recognize the smart card. To do so, open Keychain Access and insert the smart card into the reader. The card should appear in the Keychain Access window as another Keychain with its certificates loaded. If the smart card does not appear in the Keychain window:
- Ensure that the firmware of the smart card reader has been updated to the latest version.
Hope it helps!
I just had a chance to test the new Yosemite Still no idea why this is happening — on other versions of OS X my smart card credentials transparently passed onto the OS. As of the time I wrote this article, the state of freely available open source software for PIV smart card support on Yosemite is pretty lacking.
I expect the state of open source smart card and tokend implementations to get better and more easily usable on Yosemite so I may only be using the Thursby product for a short time. It did, however, work fast and got me successfully logged onto the remote VPN server. This was not something I needed to do on OS X I do some subcontracting work for a few US Government agencies, one of which requires me to be able to connect remotely to US.GOV networks and infrastructure.
The way I connect is via a federal standard PIV Card which is a very cool physical badge that doubles as a holder of biometric and personal crypto certificate information. Two-factor authentication is achieved by having to punch in a PIN code when my certs are presented to the remote system. From what I can tell, PIV cards are very similar to the CAC cards carried by military members that are often required for secure web browsing and access to military resources. In fact, when searching the internet for PIV assistance you will find that some of the best help resources are coming from the military CAC-user community.
What you want to see is the certificates and credentials that are stored on the smart card.
This may not be an issue for an upgraded system but on my brand new laptop my host OS was missing the intermediate certificate trust chain. The solution is to go out and install the intermediate certificates necessary to build the full-length trust chain. The source of trust chain certificates almost certainly depends on what agency you work for or are trying to access. Installing the certificates results in a chain of trust that culminates with your personal PIV certificates being recognized as trusted.
- Using PIV smart cards for HHS VPN login with Mac OS X 10.10 Yosemite.
This should be all you need to access or login to PIV-enabled websites. Using the steps outlined above I can successfully authenticate to the remote access environment I need to use on a daily basis. However, on my older laptop my PIV card credentials were transparently passed onto the Windows OS as well and I was not prompted for a second login.
That is not the case now. Not optimal but it works for my purposes. Longer term I want this issue to go away. Will update this post as needed.
Exact same issues using Centrify and the DHS setup.
I suspect there is something that needs to be configured differently on the Win server piece. This is something Citrix would need to resolve with their application on their end. You may want to check with your network administrator to see if web access is available. Similar issue but with different pieces. This issue occurs for us with Centrify and Mac accessing a Windows server fileshare. Apple has released Yosemite