Channel: All Centrify Express posts

Re: Chrome on Mac - browser restart required


Hi,

 

Welcome to Centrify community!

 

After some research online, I noticed that the native macOS smart card support does support Kerberos authentication, as mentioned below:

 

https://www.apple.com/cn/business/.../macOS_Security_Overview.pdf

 

Meanwhile, I will try to reproduce the issue on Chrome and see if that is expected behavior. Can you also test with other browsers and see if you experience the same problem?

 

Please keep us posted. Thank you!

 

BR,

Ivan


CAC card reader no longer working with Mac High Sierra 10.13.6


I've had no issues with my CAC reader/access until today.  I am using a SCR3310 v2.0, Mac High Sierra 10.13.6 and Centrify smart card assistant 5.4.2.  In Keychain, I already deleted all websites with Identity Preference and all DOD certs.  New DOD certs were installed via MilitaryCAC.com.

 

In Centrify, the card status never gets past "Authentication attempts remaining: 2."

 

Thank you for any help you can provide.

 

Below is the log file from Diagnostics (I've removed email addresses below):

 

Smart card: VERGA.JARED.MICHAEL.1249313420
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=VERGA.JARED.MICHAEL.1249313420
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Not valid before: Wed May 05 24 00:00:00 2017 UTC
Not valid after: Sat May 05 23 23:59:59 2020 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.42,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41
Not valid before: Mon Nov 11 09 16:13:56 2015 UTC
Not valid after: Tue Nov 11 09 16:13:56 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
Not valid before: Tue Mar 03 20 18:46:41 2012 UTC
Not valid after: Sun Dec 12 30 18:46:41 2029 UTC
This certificate is valid
This certificate is trusted by the domain
** This certificate cannot be used for pkinit
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=VERGA.JARED.MICHAEL.1249313420
Email Address: 
NT Principal Name: 1249313420@mil
Not valid before: Wed May 05 24 00:00:00 2017 UTC
Not valid after: Sat May 05 23 23:59:59 2020 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.42,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41
Not valid before: Mon Nov 11 09 16:05:27 2015 UTC
Not valid after: Tue Nov 11 09 16:05:27 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
Not valid before: Tue Mar 03 20 18:46:41 2012 UTC
Not valid after: Sun Dec 12 30 18:46:41 2029 UTC
This certificate is valid
This certificate is trusted by the domain
This certificate can be used for pkinit, testing:
** Data signing failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Signature verification failed: Unknown PKCS#1 padding type 0x45
Public key encryption succeeded
** Private key decryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Private key encryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Public key decryption failed: Unknown PKCS#1 padding type 0x1f
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=VERGA.JARED.MICHAEL.1249313420
Email Address: 
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Not valid before: Wed May 05 24 00:00:00 2017 UTC
Not valid after: Sat May 05 23 23:59:59 2020 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.39,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41
Not valid before: Mon Nov 11 09 16:05:27 2015 UTC
Not valid after: Tue Nov 11 09 16:05:27 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
Not valid before: Tue Mar 03 20 18:46:41 2012 UTC
Not valid after: Sun Dec 12 30 18:46:41 2029 UTC
This certificate is valid
This certificate is trusted by the domain
** This certificate cannot be used for pkinit
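The diagnostic output above mixes two different things: certificates that are simply not mapped to a user (no NT Principal Name, "cannot be used for pkinit"), and the one certificate that is mapped and eligible for pkinit but whose private-key operations fail in the CSSM layer. Only the second kind points at the reader or card driver rather than at certificate mapping. The parser below is an added example, not Centrify's code and not part of the original post; it reads the same line shapes as the `sctool` output quoted above over a constructed excerpt with placeholder names, and separates the two cases.

```python
"""Parse Centrify sctool smart-card diagnostics and tell "no mapped certificate"
apart from "mapped certificate whose private key cannot sign/decrypt".

Added example; the SAMPLE_LOG is a constructed excerpt modelled on the output
quoted in the post above, with names and serial numbers replaced by placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
Smart card: DOE.JANE.0000000000
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=DOE.JANE.0000000000
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
This certificate is valid
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41
This certificate is valid
This certificate is trusted by the domain
** This certificate cannot be used for pkinit
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=DOE.JANE.0000000000
Email Address:
NT Principal Name: 0000000000@mil
This certificate is valid
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41
This certificate is valid
This certificate is trusted by the domain
This certificate can be used for pkinit, testing:
** Data signing failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Signature verification failed: Unknown PKCS#1 padding type 0x45
Public key encryption succeeded
** Private key decryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
"""


@dataclass
class CertReport:
    subject: str
    principal: Optional[str] = None        # NT Principal Name, if the cert carries one
    pkinit_candidate: bool = False         # sctool printed "can be used for pkinit"
    warnings: List[str] = field(default_factory=list)  # every line flagged with "**"


def parse_sctool(text: str) -> List[CertReport]:
    """Split the log into one CertReport per 'Certificate:' block.

    Issuer lines belong to the preceding certificate, so they are folded
    into the same block rather than starting a new one."""
    certs: List[CertReport] = []
    current: Optional[CertReport] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate: "):
            current = CertReport(subject=line[len("Certificate: "):])
            certs.append(current)
        elif current is None:
            continue                       # header lines before the first cert
        elif line.startswith("NT Principal Name: "):
            current.principal = line.split(": ", 1)[1]
        elif line.startswith("This certificate can be used for pkinit"):
            current.pkinit_candidate = True
        elif line.startswith("** "):
            current.warnings.append(line[3:])
    return certs


def summarize(certs: List[CertReport]) -> Tuple[bool, List[str]]:
    """Return (usable, findings).

    usable is True when at least one pkinit candidate passed its key tests
    with no '**' warnings. Otherwise findings explains why: either a mapped
    certificate exists but its private-key operations fail (reader/driver
    side), or no certificate is mapped to a principal at all."""
    findings: List[str] = []
    usable = False
    for cert in certs:
        if not cert.pkinit_candidate:
            continue                       # unmapped certs are expected on a CAC
        key_failures = [w for w in cert.warnings if "failed" in w]
        if key_failures:
            who = cert.principal or cert.subject
            findings.append(f"{who}: pkinit certificate is mapped but private-key "
                            f"operations fail: " + "; ".join(key_failures))
        else:
            usable = True
    if not usable and not findings:
        findings.append("no certificate on the card is mapped to an NT Principal Name")
    return usable, findings


if __name__ == "__main__":
    ok, why = summarize(parse_sctool(SAMPLE_LOG))
    print("card usable for pkinit:", ok)
    for line in why:
        print(" -", line)
```

For the excerpt above the result is "not usable", with a single finding naming the CSSMERR_DL_INTERNAL_ERROR failures on the mapped certificate; a card whose mapped certificate signs and decrypts cleanly yields `(True, [])`, and a card with no mapped certificate yields the "not mapped" finding instead.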

Re: Chrome on Mac - browser restart required


Thanks!

 

Currently Chrome is the only browser working with Centrify Express on macOS.  Safari was working a couple of weeks ago, but seems to be temperamental now.  I don't believe Firefox was ever supported?

 

With Chrome, if I completely quit Chrome and start fresh, when I try to authenticate to a website, Chrome will first ask me which certificate I want to use, then prompt for my PIN.  Closing the logged-in tab, then opening a new tab and navigating back to the same website works, as long as I don't remove my smart card.  Once I remove my smart card, I can no longer authenticate to any website.  I must completely quit Chrome and start over.

 

This behavior is specific to Centrify Express with the CACNG driver.  I didn't experience this with the default OS X CAC driver.


Thanks again for the assistance!

Re: CAC card reader no longer working with Mac High Sierra 10.13.6


Hi,

 

Welcome to Centrify community!

 

May we know what recent changes were performed since the CAC card stopped working?

 

Also, if possible can you perform an upgrade to our latest 5.5.1 agent to see if that helps on the issue?

 

If it still fails, can you help by running the following command in a terminal:

 

sctool -D > /tmp/sctool.log

 

Please send us the /tmp/sctool.log for further investigation. Thank you!

 

BR,

Ivan

Re: Ubuntu 18.04 login issue


Hi,

 

I have a different problem with gdm3.

I never had problems with user login through gdm using name.surname@domain.com as the username, but after a reboot I always have to enter the username again in gdm; it's not listed in the gdm user list.

Are you experiencing the same problem?

 

thanks

Gabriele

A login suffix with the name already exists. Please enter a new name and try again


Hello all members, 

 

I do not know who registered or how to retrieve my domain in Centrify SaaS.

I do not know the admin account, nothing.

I only have access to my DNS.

 

How should I proceed?


Re: Ubuntu 18.04 login issue

Yes, same issue with our systems. Domain users are not listed after reboot.
We have to enter the username after reboot.

Can't login using a domain user


Hi,

I'm having trouble logging in users with CentrifyDC against a Samba AD.

Can't log in or su to users.

- adinfo -m shows connected

- adinfo (CentrifyDC 5.5.1-400)

- Linux Debian 9.5 Cinnamon

- adquery user domain_user -A

samAccountName:domain_user
displayName:domain_user
sid:S-1-5-21-543736460-3497894086-1236349235-1107
userPrincipalName:domain_user@domain.lan
canonicalName:domain.lan/domain/diretoria/domain_user
passwordHash:x
guid:e8585021-56bf-4782-9d3f-fabd430ec4d2
accountExpires:Never
passwordExpired:false
passwordExpires:Never
passwordWillExpire:-2
nextPasswordChange:Fri Sep 28 14:07:51 2018
lastPasswordChange:Tue Sep 25 14:07:51 2018
accountLocked:false
accountDisabled:false
requireMfa:false
zoneEnabled:false
memberOf:domain.lan/Users/Domain Users,domain.lan/domain/diretoria/diretoria

 

root@efi-cli-01:/home/administrator# adinfo --diag
adinfo (CentrifyDC 5.5.1-400)

Host Diagnostics
uname: Linux efi-cli-01 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64
OS: Debian
Version: 9.0
Number of CPUs: 4

IP Diagnostics
Local host name: cli-01
Local IP Address: xxx.xxx.xxx.xxx
Not found in DNS!Make sure it is in Reverse Lookup Zone.
FQDN host name:cli-01 (domain missing?)

Domain Diagnostics
Domain: domain.lan
Subnet site: Default-First-Site-Name
DNS query for: _ldap._tcp.domain.lan
Found SRV records:
efi-srv-ad.efiltros.lan:389
Testing Active Directory connectivity:
Domain Controller: efi-srv-ad.domain.lan
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller: efi-srv-ad.domain.lan:389
Domain controller type: Windows 2008 R2
Domain Name: DOMAIN.LAN
isGlobalCatalogReady: TRUE
domainFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
forestFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
domainControllerFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
Forest Name: DOMAIN.LAN
DNS query for: _gc._tcp.DOMAIN.LAN
Testing Active Directory connectivity:
Global Catalog: efi-srv-ad.domain.lan
gc: 3268/tcp - good
Domain Controller: efi-srv-ad.domain.lan:3268
Domain controller type: Windows 2008 R2
Domain Name: DOMAIN.LAN
isGlobalCatalogReady: TRUE
domainFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
forestFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
domainControllerFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
Forest Name: DOMAIN.LAN

Retrieving zone data from domain.lan

Could not get domain RIDs from adclient: Bad data

Computer Account Diagnostics
Joined as: cli-01.domain.lan
Trusted for Delegation: false
Use DES Key Only: false
Key Version: 4
Service Principal Names: cifs/cli-01
cifs/cli-01.domain.lan
ftp/cli-01
ftp/cli-01.domain.lan
host/cli-01
host/cli-01.domain.lan

Supported Encryption Type(s): DES-CBC-CRC
DES-CBC-MD5
RC4-HMAC
AES128-CTS-HMAC-SHA1-96
AES256-CTS-HMAC-SHA1-96

Operating System Version: 6.1:9.0


System Diagnostic
Failed to get sysinfo from adclient.


Centrify DirectControl Status
Running in connected mode

Licensed Features: Disabled

 

When I try to su to domain-user I get:

No passwd entry for user 'domain-user'
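The `adinfo --diag` and `adquery user -A` output above carries several independent warnings (no reverse DNS for the host, an unqualified host name, "Could not get domain RIDs", "Failed to get sysinfo", and `zoneEnabled:false` on the user), and a human eye tends to stop at the first one. The following triage helper is an added example, not Centrify's code and not part of the original post; it parses the section layout and key:value shapes shown above over a constructed excerpt (placeholder host names and a documentation-range IP address) and lists every finding at once. The zoneEnabled check reflects how Centrify zone mode works: a user without a zone profile has no UNIX identity for NSS to return, which is exactly the "No passwd entry" symptom.

```python
"""Triage Centrify adinfo --diag and adquery user -A output.

Added example. SAMPLE_DIAG and SAMPLE_ADQUERY are constructed excerpts modelled
on the output quoted in the post above; host names, the IP address and the
account name are placeholders.
"""
import re
from typing import Dict, List

SAMPLE_DIAG = """\
Host Diagnostics
uname: Linux cli-01 4.9.0-8-amd64 #1 SMP x86_64
OS: Debian

IP Diagnostics
Local host name: cli-01
Local IP Address: 192.0.2.10
Not found in DNS!Make sure it is in Reverse Lookup Zone.
FQDN host name:cli-01 (domain missing?)

Domain Diagnostics
Domain: domain.lan
DNS query for: _ldap._tcp.domain.lan
Domain Controller: dc01.domain.lan
ldap: 389/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good

Retrieving zone data from domain.lan

Could not get domain RIDs from adclient: Bad data

Computer Account Diagnostics
Joined as: cli-01.domain.lan
Supported Encryption Type(s): DES-CBC-CRC
DES-CBC-MD5
RC4-HMAC
AES256-CTS-HMAC-SHA1-96

System Diagnostic
Failed to get sysinfo from adclient.

Centrify DirectControl Status
Running in connected mode
"""

SAMPLE_ADQUERY = """\
samAccountName:domain_user
userPrincipalName:domain_user@domain.lan
accountLocked:false
accountDisabled:false
zoneEnabled:false
"""

SECTION_RE = re.compile(r"[A-Za-z ]+(Diagnostics?|Status)")
PORT_RE = re.compile(r"(\w+): (\d+)/(tcp|udp) - (\w+)")


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-blank lines of adinfo --diag under their section headings."""
    sections: Dict[str, List[str]] = {}
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.fullmatch(line):
            name = line
            sections[name] = []
        elif name is not None:
            sections[name].append(line)
    return sections


def parse_adquery(text: str) -> Dict[str, str]:
    """Turn 'key:value' lines from adquery user -A into a dict."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def triage(diag_text: str, adquery_text: str) -> List[str]:
    """Return every finding that would explain a failed domain login."""
    findings: List[str] = []
    sections = parse_sections(diag_text)
    every = [line for lines in sections.values() for line in lines]

    ip = sections.get("IP Diagnostics", [])
    if any(line.startswith("Not found in DNS") for line in ip):
        findings.append("host has no reverse DNS (PTR) record")
    if any("(domain missing?)" in line for line in ip):
        findings.append("host name is not fully qualified")

    if any(line.startswith("Could not get domain RIDs") for line in every):
        findings.append("adclient could not retrieve domain RIDs; Auto Zone UID/GID mapping will fail")
    if any(line.startswith("Failed to get sysinfo") for line in every):
        findings.append("adclient is not answering sysinfo requests; check that it is running and healthy")

    for line in every:                      # any port probe that is not 'good'
        m = PORT_RE.fullmatch(line)
        if m and m.group(4) != "good":
            findings.append(f"{m.group(1)} {m.group(2)}/{m.group(3)} is {m.group(4)}")

    computer = sections.get("Computer Account Diagnostics", [])
    if any("DES-CBC" in line for line in computer):
        findings.append("computer account still advertises single-DES Kerberos encryption types")

    user = parse_adquery(adquery_text)
    name = user.get("samAccountName", "?")
    if user.get("zoneEnabled") == "false":
        findings.append(f"{name} is not zone-enabled, so NSS has no passwd entry for it")
    for flag in ("accountDisabled", "accountLocked"):
        if user.get(flag) == "true":
            findings.append(f"{name}: {flag} is true")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DIAG, SAMPLE_ADQUERY):
        print("-", finding)
```

Run against the constructed excerpt it reports six findings; against a diag dump whose probes all read "good" and a user with `zoneEnabled:true` it returns an empty list, which is the state to confirm before looking elsewhere for a login failure.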

 

Re: A login suffix with the name already exists. Please enter a new name and try again


Hi,

 

As the login suffix must be unique in Centrify, you could only choose another suffix if it has been used by someone else.

 

As you said you do not have an admin account, may I know where you set up the login suffix?

 

Thanks,

Vicki

Re: is not a zone user?


I'm having this problem with some users, while others can log in on the same PC.

Linux Debian 9.5

 

$ adinfo -m
connected

$ adinfo -v
adinfo (CentrifyDC 5.5.1-400)

 

$ /usr/share/centrifydc/kerberos/bin/kinit ad-user
Password for ad-user@DOMAIN.LAN:
$ /usr/share/centrifydc/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_830472692
Default principal:ad-user@DOMAIN.LAN

Valid starting Expires Service principal
28-09-2018 11:15:58 28-09-2018 21:15:58 krbtgt/DOMAIN.LAN@DOMAIN.LAN
renew until 29-09-2018 11:15:45

 

$ id ad-user
id: ‘ad-user’: no such user
$ getent passwd ad-user
$ adquery user ad-user
ad-user is not a zone user

 

This same user can log in on another PC. It also happens on another PC with other users.

 

Re: A login suffix with the name already exists. Please enter a new name and try again


Hello Vickiz

 

But we need to bind the login to be the same as the email address.

 

Let's integrate the AD with Centrify as well.

Re: is not a zone user?


,

 

Welcome back to Centrify.

 

Note that you are adding a comment to a thread that has been resolved.  In the future, try a new thread.

 

In your case, are you running in zone mode or in workstation (Auto Zone/Express) mode?  (adinfo --zone)

 

You can always kinit (obtain a Kerberos TGT) regardless of the user being valid for the system (valid = resolvable, authorized to log in), since you're bypassing the NSS and PAM stacks. 

 

However, as your output demonstrates, this does not mean that the user is valid for the system.  Possible causes:

In Auto Zone - user is not in a favorable side of a one-way trust (Kerberos will work because KDCs are available and configured).

In Zone Mode:

a) User may not have a UNIX profile (e.g. login, UID, GID, Home, GECOS, Shell).

b) User is not authorized to log in (e.g. does not have the PAM right).

c) Incorrectly created role.

d) User's role assignment has expired.

 

R.P

Re: Can't login using a domain user


Please use Microsoft Active Directory. 

Also, Windows 2008 R2 behaviors have been deprecated for a while in the newer clients.


Re: Mojave client free download support


,

 

Welcome to the Centrify forums.

I believe the last link you posted has the proper version of the software.

[attached screenshot: osx.PNG]

R.P

Re: limit access to a RHEL 7 server with an AD group using centrify express


,

Are you using Centrify Express?

 

If you are, note that access control is a feature of the commercial product.  The cross-platform feature is called DirectAuthorize.  https://community.centrify.com/t5/Centrify-Infrastructure-Services/FAQ-What-is-DirectAuthorize-dzdo-dzwin/td-p/21193

 

With Express you can leverage SSH directives or PAM modifications to achieve it.

 

Some history on this (e.g. access controls features being exclusive to commercial versions):  https://community.centrify.com/t5/Centrify-Express/access-controls/td-p/18397

 

R.P

Re: A login suffix with the name already exists. Please enter a new name and try again


Any alternative?

Or have I unfortunately lost my domain suffix?
