I have done the install and then the troubleshooting for installing the CAC card reader, enabler, and particular certificates for the CAC card as suggested on militarycac.com. I have also tried the troubleshooting of these as well. I can now use the CAC card to digitally sign in Adobe, but am no longer prompted to use it to sign into my computer. I have tried signing into my mail.mil account using Safari, Chrome, and Firefox (manually installed the certs/authorities and manually "trusted" them for Firefox). I went through all the certs in my keychain and manually trusted the "x" ones. I have also deleted the certs that militarycac.com specifies Mac users should delete. I have done so much troubleshooting, deleting, and manipulating that I am afraid I don't know whether I have messed things up more or actually fixed things. This is a new computer and my CAC card has never worked properly (I first had a Cherry ST-1044 USB smart card reader; websites did not work, Adobe digital sign did not work, and it was not showing up properly in my keychain or in "About This Mac"). It did, however, work when I started up my computer: it used the CAC as sign-in instead of username/password (with my new SCR 3310 this does not work). I changed CAC card readers to the SCR 3310 v2 in hopes that this would work, but no luck. Note I can access these websites via my Fed Dell, my personal Dell, and my state government Dell.
Here are the details of my software/hardware:
1) MacBook Pro Late 2017 with Touch Bar and integrated Touch ID sensor
2) macOS Sierra 10.12.4
3) SCR 3310 v2 CAC card reader
4) Browser - Safari Version 10.1 (12603.1.30.0.34)
5) Chrome - Version 57.0.2987.133 (64-bit)
6) Firefox - 52.0.2 (64-bit)
7) Centrify Smart Card Assist Version 5.3.3 (533602)
8) Security/antivirus (I have Avast Free, but it is not installed; I wanted to figure out the CAC issue first)
9) CAC card chip type: Gemalto DLGX4-A 144
Websites I need to access (representative list). The errors below are from Chrome (different errors on Safari and Firefox, but I still can't log in). I have also tried clearing all cookies and browsing history, allowing all exceptions for these sites, and adding "trust" for all content types for these sites.
1. AKO https://www.us.army.mil
- Chrome: click on sign-in using CAC; the CAC credentials popup appears and I select DOD IS CA-33 with my name; after I type in the CAC PIN I get an error message at https://www.us.army.mil/suite/login/cacRegError.ext?error=7 (I called AKO to see if there were other issues for this site, and they have reset my account to make sure). I will wait on this issue.
2. GKO https://gko.ngb.army.mil/
- Chrome: splash loads fine, but then login gives me ERR_TIMED_OUT when trying to reach https://gkoportal.ng.mil
- Firefox: splash loads fine, then no popup to select CAC details and no prompt for the PIN, then I get the error page
- Safari: splash works fine, does not pop up for CAC profile selection or CAC PIN, then I get this page
3. EMAIL
- Chrome
  - https://web.mail.mil: after I click OK on the splash page, I select my email CAC profile from the drop-down and enter my PIN. In Chrome = ERR_TIMED_OUT. When I use https://web-mont01.mail.mil/ I get ERR_SSL_PROTOCOL_ERROR with this email URL.
  - Or web.mail.mil will give me:
    "Your session could not be established.
    The session reference number: 12c2e4de
    BIG-IP can not find session information in the request. This can happen because your browser restarted after an add-on was installed. If this occurred, click the link below to continue. This can also happen because cookies are disabled in your browser. If so, enable cookies in your browser and start a new session. - Thank you for using BIG-IP.
    To open a new session, please click here."
- Safari
  - Using web.mail.mil asks for a redirect to https://web-mont01.mail.mil/
  - The screen shows (with Outlook icon and logo): "Use the following link to open this mailbox with the best performance:" and "Connected to Microsoft Exchange"
  - Then on the redirect splash policy page, I click OK and get this error:
    "Your session could not be established.
    The session reference number: b896d5aa
    Access was denied by the access policy. This may be due to a failure to meet access policy requirements.
    If you are an administrator, please go to Access Policy >> Reports : All Sessions page and look up the session reference number displayed above.
    To open a new session, please click here."
- Firefox
  - For https://web.mail.mil and https://web-mont01.mail.mil/owa I get to the splash policy page, click OK, then I get this error (the same, with the exception of the URL address):
    "Secure Connection Failed
    An error occurred during a connection to web.mail.mil. SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem."
I was going to try to attach the screenshots I had of everything, but I am unable to do that or put them in text, so hopefully what I have provided is enough. Below is the log from Centrify.
Thank you in advance, any help/advice would be greatly appreciated (as apple, the G6 and other Fed IT have not been any help),
Shelby
CENTRIFY RUN 20170424 - 1321
Smart card: MANNEY.SHELBY.ARICA.1516595198
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=MANNEY.SHELBY.ARICA.1516595198
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Not valid before: Mon Jun 06 07 00:00:00 2016 UTC
Not valid after: Fri Dec 12 01 23:59:59 2018 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.9, .2.16.840.1.101.2.1.11.19,
** Could not get issuer certificate: Issuer certificate for /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=MANNEY.SHELBY.ARICA.1516595198 not found
** This certificate cannot be used for pkinit
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=MANNEY.SHELBY.ARICA.1516595198
Email Address: shelby.a.manney.nfg@mail.mil
NT Principal Name: 1516595198@mil
Not valid before: Mon Jun 06 07 00:00:00 2016 UTC
Not valid after: Fri Dec 12 01 23:59:59 2018 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.9, .2.16.840.1.101.2.1.11.19,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-33
Not valid before: Tue Sep 09 23 13:34:57 2015 UTC
Not valid after: Tue Sep 09 22 13:34:57 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.5, .2.16.840.1.101.2.1.11.9,
.2.16.840.1.101.2.1.11.17, .2.16.840.1.101.2.1.11.18, .2.16.840.1.101.2.1.11.19,
.2.16.840.1.101.3.2.1.3.26, .2.16.840.1.101.3.2.1.3.27,
Require Explicit Policy at depth 0
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
Not valid before: Sun Dec 12 13 15:00:10 2004 UTC
Not valid after: Tue Dec 12 05 15:00:10 2029 UTC
This certificate is valid
This certificate is trusted by the domain
This certificate can be used for pkinit, testing:
Data signing succeeded
Signature verification succeeded
Public key encryption succeeded
Private key decryption succeeded
Decrypted data matched original
Private key encryption succeeded
Public key decryption succeeded
Decrypted data matched original
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=MANNEY.SHELBY.ARICA.1516595198
Email Address: shelby.a.manney.nfg@mail.mil
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Not valid before: Mon Jun 06 07 00:00:00 2016 UTC
Not valid after: Fri Dec 12 01 23:59:59 2018 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.9, .2.16.840.1.101.2.1.11.19,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-33
Not valid before: Tue Sep 09 23 13:34:57 2015 UTC
Not valid after: Tue Sep 09 22 13:34:57 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.5, .2.16.840.1.101.2.1.11.9,
.2.16.840.1.101.2.1.11.17, .2.16.840.1.101.2.1.11.18, .2.16.840.1.101.2.1.11.19,
.2.16.840.1.101.3.2.1.3.26, .2.16.840.1.101.3.2.1.3.27,
Require Explicit Policy at depth 0
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
Not valid before: Sun Dec 12 13 15:00:10 2004 UTC
Not valid after: Tue Dec 12 05 15:00:10 2029 UTC
This certificate is valid
This certificate is trusted by the domain
** This certificate cannot be used for pkinit
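As an added example (not the poster's log nor Centrify's own code), here is a small Python parser for the Smart Card Assist output format above that reports, per certificate on the card, why it is or is not usable for smart-card (pkinit) login: a missing issuer CA, no NT Principal Name (UPN), or no user mapping. The embedded log is a constructed, shortened sample with a placeholder identity.

```python
# Added example (not the poster's or Centrify's code): parse the Smart Card Assist
# output format shown above. SAMPLE_LOG is a constructed sample, placeholder identity.
SAMPLE_LOG = """\
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=DOE.JANE.0000000000
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
** Could not get issuer certificate: Issuer certificate for /CN=DOE.JANE.0000000000 not found
** This certificate cannot be used for pkinit
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=DOE.JANE.0000000000
NT Principal Name: 0000000000@mil
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-33
This certificate is trusted by the domain
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
This certificate is trusted by the domain
This certificate can be used for pkinit, testing:
"""

def parse_log(text):
    """One record per 'Certificate:' block: subject, issuer chain, UPN, ** warnings."""
    certs = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Certificate:"):
            certs.append({"subject": line.split(":", 1)[1].strip(),
                          "chain": [], "warnings": [], "pkinit": False})
        elif not certs:
            continue  # ignore any preamble before the first certificate
        elif line.startswith("Issuer:"):
            certs[-1]["chain"].append(line.split(":", 1)[1].strip())
        elif line.startswith("NT Principal Name:"):
            certs[-1]["upn"] = line.split(":", 1)[1].strip()
        elif line.startswith("**"):
            certs[-1]["warnings"].append(line[2:].strip())
        elif line.startswith("This certificate can be used for pkinit"):
            certs[-1]["pkinit"] = True
    return certs

def diagnose(cert):
    """Explain the login-relevant verdict for one parsed certificate."""
    if cert["pkinit"]:
        return "usable for pkinit; chain: " + " -> ".join(cert["chain"])
    reasons = []
    for w in cert["warnings"]:
        if w.startswith("Could not get issuer certificate"):
            reasons.append("issuing CA certificate is not installed on this Mac")
        elif w == "This certificate has no NT Principal Name":
            reasons.append("no UPN in the certificate, so it cannot identify a user")
        elif w == "This certificate has not been mapped to any user":
            reasons.append("not mapped to a local or domain account")
    return "unusable for pkinit: " + "; ".join(reasons)
```

Running `diagnose` over `parse_log(SAMPLE_LOG)` flags the first certificate for a missing issuer CA, which in the poster's log is the condition to fix (install the issuing DoD CA certificate and trust it) before the login prompt can return.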