Channel: All Centrify Express posts

Re: Card seen but no certs on it? (Mac)

That seems to have worked. Thanks!

I didn't see that on the page you linked to...


Re: Smart Card Not Read - Mac OSX El Capitan 10.11.6

Can you confirm if the reader you're using is the SCR3310 or the SCR3310V2? Also, can you include a screenshot of the System Report screen?

-Cameron

Reader does not read my PIV card

Hello!

Issue: The reader is not recognizing my PIV card. When I plug the card into a reader and open Smart Card Assist, Diagnostics, Run, I get this output: "Smart card: CAC-0000-0000-0000-0000-0000." Under Card Status, I get reader "SCM Microssystems Inc. SCR3310" and status "Authentication attempts remaining: 7." When I open Keychain Access, I get the same keychain identifier above "login" as CAC-0000-0000-0000-0000-0000.

Attempts: I followed several of your posts about cleaning up the computer. I uninstalled Centrify, removed tokens, reinstalled Centrify, restarted the computer and did a few other things. The reader seems to work; co-workers have tried their badges on the same reader and the same computer and the badge was successfully read. When at a VA workstation, my PIV card is read with no issues.

Any ideas?

Re: Reader does not read my PIV card

I made a mistake when describing my issue. My computer does not read any badge. My badge is able to be read on other computers with the same reader that does not work on my computer.

Sorry for the confusion!

SystemCACertificate.keychain not on system

I am attempting to install Centrify Express on a MacBook Pro running MacOS 10.12. SystemCACertificate.keychain is not on my machine. I have read the other posts on this subject and I am absolutely sure that I am looking in the correct location. I have looked in the /System/Library/Keychains folder using Terminal while logged in as root and it is not there. I also followed the procedure for downloading the DOD certs and have installed them all on my machine and it is still not there. I am at a loss as to what I should do next.

Thanks in advance

Re: SystemCACertificate.keychain not on system

I am having the exact same problem -- I think it is an issue related to the upgrade to MacOS 10.12 (Sierra) because I did not have this issue prior to the upgrade.

Interestingly, I can successfully access a number of CAC-enabled websites such as hrc.army.mil and https://web.mail.mil.

However, I cannot access https://www.us.army.mil. When I try to log in to this AKO site, I can select my CAC and input my CAC PIN, and then I get an error screen that says "Safari can't open the page ... because Safari can't establish a secure connection to the server 'certificate.us.army.mil."

Can someone help us?

Centrify "ldapsearch" cannot seem to find local CA Certificate location

Hi,

I'm new to Centrify and hope a guru might be able to help me....

I've set up a bunch of CentOS 7.2 machines with Centrify Express, have set up a Microsoft 2012 R2 Active Directory pair, and have purchased and installed public certificates on both my AD machines....

I've joined the AD domain on each of my CentOS 7.2 machines using (this is an extract from a script):

    adjoin -u $ADJOIN_USER -p $ADJOIN_PASSWORD -c $AWS_CLIENT_DS_OU -w $AWS_DOMAIN_NAME --prewin2k $PREWIN2K_HOSTNAME

The Centrify "adjoin" command on all my CentOS 7.2 machines shows they have successfully joined the AD (and I can see my Microsoft 2012 R2 Active Directory domain controllers listed as "connected").

Now....I'm trying to do an "ldapsearch" using the following Centrify Express command:

    [root@machine]#   /usr/share/centrifydc/bin/ldapsearch -d1 -v -LLL -H ldaps://{my-domain-controller-1}.{my-domain.com}:636 -b ou={level-4},ou={level-3},ou={level-2},ou={level-1} -x -D {username}@{my-domain.com} -w {my-password} userPrincipalName={username}@{my-domain.com}

But it fails with an error "TLS certificate verification: Error, unable to get local issuer certificate" (see below).

Can someone confirm if this is an issue with not having put the public certificate on each local machine?

If so, are there Centrify instructions on how/where I might need to put the certificate?

    Paged Search is enabled by default: PageSize=100/Prompt=No.
    ldap_url_parse_ext(ldaps://{my-domain-controller-1}.{my-domain.com}:636)
    ldap_initialize( ldaps://{my-domain-controller-1}.{my-domain.com}:636/??base )
    ldap_create
    ldap_url_parse_ext(ldaps://{my-domain-controller-1}.{my-domain.com}:636/??base)
    centrifydc_url_parse: Failed to find target service for domain{my-domain-controller-1}.{my-domain.com}, assuming this is the actual server name.
    ldap_url_parse_ext(ldaps://{my-domain-controller-1}.{my-domain.com}:636/??base)
    Using NETWORK TIMEOUT value: 15 sec
    Using API TIMEOUT value: 15 sec
    ldap_sasl_bind
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP{my-domain-controller-1}.{my-domain.com}:636
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 10.X.Y.Z:636
    ldap_pvt_connect: fd: 3 tm: 15 async: 0
    ldap_ndelay_on: 3
    attempting to connect:
    connect errno: 115
    ldap_int_poll: fd: 3 tm: 15
    ldap_is_sock_ready: 3
    ldap_ndelay_off: 3
    ldap_pvt_connect: 0
    TLS trace: SSL_connect:before/connect initialization
    TLS trace: SSL_connect:SSLv2/v3 write client hello A
    TLS trace: SSL_connect:SSLv3 read server hello A
    TLS certificate verification: depth: 2, err: 20, subject: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    TLS certificate verification: Error, unable to get local issuer certificate
    TLS trace: SSL3 alert write:fatal:unknown CA
    TLS trace: SSL_connect:error in error
    TLS trace: SSL_connect:error in error
    TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Thanks,

Damion.

Re: Centrify "ldapsearch" cannot seem to find local CA Certificate location

Hi Damion-

Most of what you're asking for can be found in the LDAP Proxy blog I wrote a few weeks back:

http://community.centrify.com/t5/Community-Tech-Blog/LDAP-Proxy-and-You-A-Definitive-Guide/ba-p/24638

However, in my overview, all the steps are based on using an Active Directory-based CA for all the certificate inputs, and it covers both the LDAP client and server configurations. Any reason you chose to use a public certificate? Would you mind giving me some context on what you're searching the directory for? Perhaps there's a more elegant way of doing it.

If not, in order to talk ldaps/636 to Active Directory, you will have to configure the OpenLDAP client for TLS support before any such searches would work. This is usually a PEM file converted from the domain certificate chain file if your machine enrolls with your CA. I'm not entirely sure what the conversion would look like with the public certificates you purchased for your domain controllers, but I'm guessing you can export the certificate chain and do the conversion manually. From there, add the line:

TLS_CACERT /pathToYourPEM/YourPem.pem

to the /.../openldap/ldap.conf file.

Again, depending on your overall goal for the search, the Standard edition of Server Suite with its distribution of OpenLDAP and the included LDAP Proxy might be a much easier way to prefilter your results.

It's probably worth mentioning that you can also just change your search to ldap://:389 in your search syntax if you just want to use OpenLDAP to gather some directory data for you without the hassle of TLS.

Hope that helps.

--Mike
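The following is an added example, not code from Damion's post, Mike's reply, or Centrify; it shows the client-side fix both posts describe. Damion's -d1 trace stops at depth 2 with "unable to get local issuer certificate": the client sees the COMODO intermediate but has nowhere to find its issuer (the AddTrust root), so the handshake ends with "unknown CA". The script builds one PEM bundle from the exported intermediate and root, sets TLS_CACERT in the OpenLDAP client config idempotently, and offers two openssl checks (offline against an exported leaf, and live against the DC on 636) that fail in the same way ldapsearch does when the bundle is incomplete. The file names, the LDAP_CONF path and the default bundle location are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example (not Centrify's code): build a CA bundle for the OpenLDAP
# client used by Centrify's ldapsearch, point ldap.conf at it, and verify.
# Assumptions: the DC's chain has been exported as separate PEM files;
# LDAP_CONF is the OpenLDAP client config path for this host.

# Concatenate exported PEM files (intermediates first, root last) into a bundle.
build_bundle() {
  out="$1"; shift
  cat "$@" > "$out"
}

# Number of certificates in a PEM file (0 if the file is missing or empty).
count_certs() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Set TLS_CACERT in ldap.conf idempotently: rewrite an existing line or append one.
set_tls_cacert() {
  conf="$1"; pem="$2"
  [ -f "$conf" ] || : > "$conf"
  if grep -q '^[[:space:]]*TLS_CACERT[[:space:]]' "$conf"; then
    sed "s|^[[:space:]]*TLS_CACERT[[:space:]].*|TLS_CACERT $pem|" "$conf" > "$conf.tmp" \
      && mv "$conf.tmp" "$conf"
  else
    printf 'TLS_CACERT %s\n' "$pem" >> "$conf"
  fi
}

# Read back the configured TLS_CACERT path (the last directive wins).
get_tls_cacert() {
  awk '$1 == "TLS_CACERT" { v = $2 } END { print v }' "$1"
}

# Offline check: does the DC's exported leaf certificate chain up to the bundle?
# Fails with "unable to get local issuer certificate" if the root is missing.
verify_leaf() {
  bundle="$1"; leaf="$2"
  openssl verify -CAfile "$bundle" "$leaf"
}

# Live check: connect to the DC on 636 and abort the handshake on any
# verification error, the same condition ldapsearch -d1 reports.
verify_live() {
  host="$1"; port="${2:-636}"; bundle="$3"
  openssl s_client -connect "$host:$port" -CAfile "$bundle" \
    -verify_return_error </dev/null >/dev/null
}

# Stand-alone usage (hypothetical paths):
#   sh ca_bundle.sh /etc/openldap/ldap.conf intermediate.pem root.pem
if [ $# -ge 2 ]; then
  LDAP_CONF="$1"; shift
  BUNDLE="${BUNDLE:-/etc/openldap/certs/dc-chain.pem}"   # assumed location
  build_bundle "$BUNDLE" "$@"
  echo "bundle $BUNDLE holds $(count_certs "$BUNDLE") certificate(s)"
  set_tls_cacert "$LDAP_CONF" "$BUNDLE"
  echo "TLS_CACERT now: $(get_tls_cacert "$LDAP_CONF")"
fi
```

Only the intermediate and root belong in the bundle; the DC's own leaf certificate is presented by the server and is not trusted by being copied locally. Run verify_live before retrying ldapsearch: if it still reports an unknown issuer, the exported chain is incomplete, not the ldap.conf directive.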

Re: SystemCACertificate.keychain not on system

Hi,

So, if you open up Keychain Access, do you not see any DoD CA certs under System > Certificates after importing?

Re: iOS Centrify Express users being prompted to put in "App Specific" passwords all of a

1. Our Google Apps users with the issue all have 2-factor enabled. We use Centrify to push the Mail settings so that when a user logs into Centrify, it gets a payload for Exchange settings, which in turn uses the user's email address as the username, and the Exchange settings for Google, like 'm.google.com' for the server name. All users are using the standard iOS Mail account to manage their email.

This issue just happened again, about 1/2 hour ago, but not to all users, which is strange.

We also noticed today that there seems to be a duplicate setting when you go into the Mail settings; it looks like there are two payloads being delivered (i.e. Settings, Mail, Accounts, "Name of our Payload" delivered via AD/Centrify). When the app-specific password is entered, the 2nd account goes away.

2. I am not sure about this - the symptom is that all the users' contacts, emails, etc. go away. I'm not sure if they were attempting to access the Mail.app or not.

3. Yes.

Thanks for the info on capturing the logs.


Updating Expired PIV Certificates

I recently had to update my expiring certificates on my PIV card. After the update, I was able to use the PIV card to authenticate on Windows machines, but my Mac still shows only the expired certificates in Keychain under "PIV-XXXXX" in the upper left hand corner of Keychain.

I have tried the following:

1) Followed the instructions to "Download Intermediate Certificates into Keychain", based upon the advice in other posts. However, this did not enable the new PIV certificates to appear.

2) Uninstalled and reinstalled Centrify Express.

3) Ran diagnostics ... this just verified that the certificates that my Mac sees are all expired. It doesn't seem to be able to pick up the new certificates from the card.

Re: SystemCACertificate.keychain not on system

I have the same problem.

When I open Keychain Access, I see login, system, among others, along with SystemCACertificates, but the icon is different. It is a white square with a dashed outline. When I hover over it, it points to the correct location (/System/Library/Keychains/SystemCACertificates) but it isn't in there.

In the Keychains folder, the other 4 files that were there in OSX 10.11 are still there. They include: EVRoots.plist, SystemRootCertificates.keychain, SystemTrustSettings.plist, and X509Anchors. That's it.

I found the SystemCACertificates from a git site but I don't have the necessary directory ownership or permissions to put it in that folder. I know exactly what needs to be done to solve this, but it seems like I'm just not allowed to put the file in that folder.

Mac OS X Sierra. Should I choose CAC or PIV?

After upgrading to Sierra, while I still had an older version of Express, it asked if I wanted to set up my system for CAC, CACNG, or PIV. If I chose PIV, will that screw up my system? Can I change that choice? I've since updated Express after following all of the clean uninstall instructions, but I was never asked again what the choice was for the system.

I've noticed a few strange behaviors: when asked to access my login keychain (to save a new password), if my card is in the reader, my username is greyed out and my password doesn't work. I pull the card out and it works. Also, in my login screen, I believe it says PIN instead of password if my card is in the reader. This makes me believe the system is set up for PIV.

I'm not sure if this is the problem, but I can't access many CAC-enabled DOD sites. I also noticed that I don't have a SystemCACertificates.keychain. I've associated my problems with this missing keychain, but now I'm wondering if I screwed up my system by selecting PIV. I saw another post asking about the SystemCACertificates, so if someone has a solution to that problem, look for that thread instead.

Thanks for your help!

Re: SystemCACertificate.keychain not on system

Thank you, this was exactly what I was looking for. My first attempt to move the certs using the root account wasn't successful but I'll try it again once I look at the file permissions. Thanks again.

Re: SystemCACertificate.keychain not on system

Thanks for the heads up on the site. Certificate obtained. I haven't had any luck getting the file into the proper folder, even when logging in as root. At any rate, I'm closer than I was before...

Thanks for the help. Please post if anything resolves. Cheers-

Re: Mac OS X Sierra. Should I choose CAC or PIV?

Thanks for your response Albert,

I think I had 5.1.7 installed at the time but I'm not sure. It would have been a few years old by now. Maybe 4.1.7?

I believe it was Express; I know it was free, so assuming Express was the only free version in the past 2-3 years, that must have been it.

I wish I could reproduce the prompt that I saw. However, I had just opened Express a few days earlier (when I began noticing I couldn't sign PDFs back with OS X 10.11.?), so when it popped up after installing Sierra it looked familiar to me. That is why I believe it was Smart Card Assistant.app. I'm away from my backup disc until Tuesday afternoon or Wednesday morning. I will attempt to go back to the prior Express install using Time Machine unless you think that is a bad idea. Let me know.

If it helps, I ran the diagnostics with Express 5.3.3, the current version. I can send that to you privately if that helps as well.

Thanks!

How to configure Kerberos using Centrify for security

I need to set up NameNode HA and Kerberos using Centrify on Hortonworks...

Can anyone help me by giving links or steps to configure Kerberos with Centrify on Hortonworks?