Using PIV smart cards with Mac OS X 10.10 Yosemite

20 Oct 2014

Using PIV smart cards for HHS VPN login with Mac OS X 10.10 Yosemite

Note: This entire post is basically Google search bait designed to (hopefully) allow others struggling with the same issues to save a bit of time. Hope it helps!


October 30, 2014 Update

There is an active Citrix support thread on the “no valid certificates found” issue. If this issue is bothering you or interests you, you may want to monitor this URL: http://discussions.citrix.com/topic/357156-no-certificate-found-at-windows-logon-screen-for-smartcard-authentication/

October 24, 2014 Update

The bulk of this post concerns the $29 PKard product from Thursby, which is the first I found with explicit OS X 10.10 support. I just had a chance to test the new Yosemite 10.10 compatible free SmartCard utility from Centrify mentioned here: http://www.centrify.com/mac/smartcard/free-smart-card-for-federal-military-cac-piv.asp. Long story short: it works to get past the VPN gateway but throws the same “no valid certificates found” error when trying to log in to the Windows desktop via a Citrix Receiver client. Still no idea why this is happening; on other versions of OS X my smart card credentials were transparently passed on to the OS. Still, consider the Centrify software if you don’t want to spend $29.

Short Summary

I need to use an HHS PIV card to remotely access computer systems from a brand new MacBook Air running OS X 10.10 Yosemite. As of the time I wrote this article, the state of freely available open source software for PIV smart card support on Yosemite is pretty lacking. This will change, but if you are in a hurry (as I was) the best thing you can do in the short term is pay $29.95 for the Thursby PKard software from http://www.thursby.com/products/pkard-mac. It installed seamlessly and allowed me to log in via VPN, although for some reason my certificates were not passed on to the Windows remote desktop system; hopefully I don’t need the $179 “ADmitMac” product for that.

I expect the state of open source smart card and tokend implementations to get better and more easily usable on Yosemite, so I may only be using the Thursby product for a short time. It did, however, work fast and got me successfully logged on to the remote VPN server.

Current status: the Thursby PKard software works well on Yosemite for VPN access, but the Windows desktop I get sent to via a Citrix client reports “no valid certificates” and I’m forced to use my standard user login name and password to complete the final authentication. This was not something I needed to do on OS X 10.7 or 10.7 with the open source smart card software stack.

Background

I do some subcontracting work for a few US Government agencies, one of which requires me to be able to connect remotely to US.GOV networks and infrastructure. The way I connect is via a federal standard PIV card, which is a very cool physical badge that doubles as a holder of biometric and personal crypto certificate information. When I’m trying to physically enter a building, the PIV card is my secure photo ID badge (with backup biometrics and fingerprints stored on it); when I try to enter a US Government network “virtually”, the same PIV card doubles as a VPN access device because it contains a personal set of crypto keys that uniquely identify me. Two-factor authentication is achieved by having to punch in a PIN code when my certs are presented to the remote system. It’s a very slick and interesting system.

From what I can tell, PIV cards are very similar to the CAC cards carried by military members that are often required for secure web browsing and access to military resources. In fact, when searching the internet for PIV assistance you will find that some of the best help resources are coming from the military CAC-user community. A perfect example of this is https://militarycac.com/macnotes.htm and https://militarycac.com/cacenablers.htm, the sites I turned to first when looking for OS X Yosemite PIV/smartcard status info.

My Gear

Getting the PIV card to work on 10.10 Yosemite

Verify your reader works

Attach your reader, then use the OS X “About this Mac” -> “System Report” function to verify that your computer and OS actually see and recognize a smart card device:

(Screenshot: System Information)

Buy and install the PKard software

(Screenshot: Finder)

(Screenshot: PKard Assistant)

Launch OS X Keychain Assistant

What you want to see is the certificates and credentials that are stored on the smart card. If your USB reader and the PKard software are working, Yosemite 10.10 can now “see” the crypto info stored on the PIV card.

(Screenshot: Keychain Access)

Fix the Trust Chain (If your PIV certificate is not trusted)

This may not be an issue for an upgraded system, but on my brand new laptop my host OS was missing the intermediate certificate trust chain. Keychain Assistant helpfully throws up the red text saying: “This certificate was signed by an unknown authority”.

OS X Yosemite does not “trust” the Certificate Authorities that signed my PIV card certificates.

The solution is to go out and install the intermediate certificates necessary to build the full-length trust chain.

The source of trust chain certificates almost certainly depends on what agency you work for or are trying to access. In my case I needed the US GOV Health and Human Services (HHS) intermediate certificates, and the best online resource I found for the HHS certificates needed for PIV cards is actually over on an NIH-hosted site:

https://ocio.nih.gov/Smartcard/Pages/PKI_chain.aspx

I downloaded and installed the “HHS Entrust FPKI Certificate Chain” from the above website:

(Screenshot: Google Chrome)

Installing the certificates results in a chain of trust that culminates in your personal PIV certificates being recognized as trusted:

(Screenshot: Keychain Access)
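The failure this section describes, a leaf certificate rejected because its issuing intermediate is absent from the trust store, can be reproduced offline with openssl. The script below is an added example and not part of the original post: it constructs a throwaway root, intermediate and PIV-style leaf (“Example Agency”, “Example Root CA”, “Jane Doe” are made-up names) and checks the leaf first against a store holding only the root, then against one holding root plus intermediate, which is what installing the agency chain bundle does for Keychain.

```shell
#!/bin/sh
# Added demonstration (not from the original post): build a throwaway
# root -> intermediate -> leaf chain and show that the leaf only verifies
# once the intermediate is present in the trust store. Every name and key
# here is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write X.509v3 extensions for a CA or a leaf to $2 ($1 = ca|leaf).
ext_file() {
  if [ "$1" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$2"
  else
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$2"
  fi
}

# Issue a certificate: $1 = basename, $2 = subject, $3 = issuer basename,
# $4 = ca|leaf. The CSR is signed with the issuer's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
      -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  ext_file "$4" "$WORK/$1.ext"
  openssl x509 -req -sha256 -days 1 -in "$WORK/$1.csr" \
      -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

build_demo_chain() {
  # Self-signed root: the anchor an agency publishes and you already trust.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
      -keyout "$WORK/root.key" -out "$WORK/root.pem" \
      -subj "/O=Example Agency/CN=Example Root CA" 2>/dev/null
  issue intermediate "/O=Example Agency/CN=Example Issuing CA" root ca
  issue piv-auth "/O=Example Agency/CN=Jane Doe (PIV Authentication)" intermediate leaf

  # Two candidate trust stores: the root alone (a fresh install) and the
  # root plus the intermediate (after installing the agency's chain bundle).
  cp "$WORK/root.pem" "$WORK/store-root-only.pem"
  cat "$WORK/root.pem" "$WORK/intermediate.pem" > "$WORK/store-with-chain.pem"
}

# Validate the PIV leaf against a trust store file ($1). Returns 0 when a
# path to a trusted root can be built; otherwise openssl exits non-zero with
# "unable to get local issuer certificate", the condition Keychain reports
# as "signed by an unknown authority".
verify_piv_leaf() {
  openssl verify -CAfile "$1" "$WORK/piv-auth.pem" >/dev/null 2>&1
}

# Classify the leaf: "trusted" as-is, "unknown-authority" (fixable by
# installing the intermediate), or "untrusted" (wrong chain altogether).
diagnose_piv_leaf() {
  if verify_piv_leaf "$WORK/store-root-only.pem"; then
    echo trusted
  elif verify_piv_leaf "$WORK/store-with-chain.pem"; then
    echo unknown-authority
  else
    echo untrusted
  fi
}

build_demo_chain
echo "root only in store:  $(verify_piv_leaf "$WORK/store-root-only.pem" && echo OK || echo FAIL)"
echo "root + intermediate: $(verify_piv_leaf "$WORK/store-with-chain.pem" && echo OK || echo FAIL)"
echo "diagnosis:           $(diagnose_piv_leaf)"
```

The same check applies before installing any real bundle: each certificate you add must be the issuer of the next link, ending at a self-signed root you already trust. Adding a stray certificate that is not on the path does nothing for the PIV leaf, and Keychain will keep showing the red text.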

Now Test

At this point you have a recognized USB card reader, your personal PIV certificates are visible to Mac OS X and the trust chain is complete. This should be all you need to access or login to PIV-enabled websites.

I removed screenshots showing the portal site I was logging into out of paranoia so I can’t show examples of successful logins. I’ll just show this OS X window which is the system prompt you get when your certificate is being used and the host OS wants to verify your PIN code as part of the two-factor authentication process.

If you see this, this is your PIN entry prompt and it means that stuff is generally working:

(Screenshot: PIN entry prompt)

Remember that this is where your PIN goes; ignore the system text about “keychain password”.

Minor Issue

Using the steps outlined above I can successfully authenticate to the remote access environment I need to use on a daily basis. However, on my older laptop my PIV card credentials were transparently passed onto the Windows OS as well and I was not prompted for a second login.

That is not the case now. After getting past the VPN, the remote desktop session can’t see my PIV certificate and I have to fallback to using standard AD username and password. Not optimal but it works for my purposes.

Longer term I want this issue to go away. I’m not sure if it’s a Citrix Receiver issue or perhaps a designed-in behavior of the Thursby software intended to upsell software that offers more functionality. I was willing to pay $29.99 for the functionality I needed, and the software and documentation are great, but I’m not going to shell out $179 for SSO access to a Windows desktop.

(Screenshot: Citrix Viewer)

I’m going to keep researching this and will keep an eye on the state of open source / free smart card services for Yosemite 10.10. Will update this post as needed.

11 Comments
  • Scott
    Posted at 11:46h, 29 October

    Exact same issues using Centrify and the DHS setup. I suspect there is something that needs to be configured differently on the Win2008 server piece.

  • SH
    Posted at 12:05h, 29 October

    I got the same message once I got to the Citrix viewer.

  • Jim Thomas
    Posted at 12:33h, 20 November

    According to http://support.citrix.com/article/CTX128418 , Mac and mobile Citrix Receivers currently DO NOT support smart card. It sounds like the Citrix Receiver doesn’t have the ability to use the smart card credentials that PKard for Mac has made available. This is something Citrix would need to resolve with their application on their end.

    We do have customers that authenticate to web-based Citrix portals via PIV/CAC using Safari or Google Chrome. You may want to check with your network administrator to see if web access is available.


    Jim Thomas
    Senior Support Specialist
    Thursby Software Systems, Inc.

  • Mike
    Posted at 16:53h, 21 November

    Similar issue but with different pieces. This issue occurs for us with Centrify and Mac 10.7 and 10.9 clients, user logged in with CAC, connected through Cisco VPN, then login fails when:
    1. Using Microsoft’s Remote Desktop Connection, both old and new (iTap) versions to connect to desktop PC.
    2. Accessing a Windows 2008 server fileshare.

    Not fun.

  • Andy Banks
    Posted at 12:53h, 23 April

    Apple has released Yosemite 10.10.3, which has fixed a lot of their Smart Card bugs from the initial Yosemite release. The Navy is reporting success with this newest release.

  • Frank Campbell
    Posted at 10:54h, 13 July

    I have 10.10.3 Yosemite using SCR-3500 card reader and I tried CACKey, Centrify Express, etc…

    The need is to log into a VPN and then MS RDP to a Windows client. The Windows client is requesting a PIV card, which does work if I use another Windows computer but does NOT work with the MacBook Pro.

    I really need the Mac to work using CORD to MS RDP and then authenticate into the MS RDP client reading my card off the Macbook that has a SCR-3500 reader.

    The first issue is in Keychain, I don’t even see any PIV… above the login on the side menu. Please help. Thx so much

    F

  • Gary Thompson
    Posted at 10:44h, 14 July

    Just wondering what browser you are using to access Citrix?

  • JH
    Posted at 20:52h, 13 August

    anyone manage to get smartcard login working on a mac without AD integration? Talking local login with PIV/CAC without extra software?

  • Mouse Mousevich
    Posted at 01:20h, 01 August

    Probably a bit late to reply, but yes – smartcard login on a Mac without AD integration is simpler than with AD. Unfortunately, without extra software it would not be possible, as Apple does not ship middleware necessary to interface between the smartcard and the OS and applications such as Keychain Access. Note that we are talking Mac OS X 10.9.x – 10.11.x. Starting with 10.12 the situation is likely to be completely different, and you indeed might not need any extra software.

    This assumes you have a working smartcard reader, such as SCM 3110, or Gemalto Dual Prox. More readers nowadays are likelier to work, rather than not.

    The software you need includes:
    – tokend, available from Open Source (I recommend https://github.com/mouse07410/OpenSC.tokend.git) or commercial vendors (Thursby PKard has very good reputation among the users);
    – lower-level PKCS#11 components (may not be necessary) – I recommend https://github.com/mouse07410/OpenSC.git or https://github.com/OpenSC/OpenSC.git.

    Once these packages are installed, you need to configure the system:

    1. Using CLI, add root CA (and it appears that Intermediate CAs too if they are involved) to System.keychain, like “sudo security add-trusted-cert -d -k ‘/System/Keychains/System.keychain’ path_to_your_CA_cert”

    2. Insert your smartcard, and open Keychain Access. You should see your smartcard as another keychain. If not – troubleshoot until you do.

    3. “sc_auth hash” – locate and copy “PIV Auth” certificate hash

    4. “sudo sc_auth accept -u your_user_name -h hash_from_above”

    5. “sc_auth list -u your_user_name” should show that same hash.

    6. “sudo security authorizationdb smartcard enable”

    7. “sudo security authorizationdb smartcard status” should show that smartcard is enabled for authentication.

    You’re done – now you can login with your CAC/PIV card in addition to name/password.

    You may be able to configure the machine to enable *only* smartcard login, but I don’t know how (or if it is indeed possible).
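The seven steps in the comment above can be wrapped in a script so that the hash is selected deterministically and each step is checked before the next one runs. The script below is an added example, not the commenter’s or Apple’s code. It assumes that `sc_auth hash` prints one `<hash> <label>` line per key on the card and that the label of the wanted key contains “PIV Auth”, which is what step 3 relies on; it writes trust settings to /Library/Keychains/System.keychain, the path at which OS X keeps the System keychain. The sample `sc_auth hash` output and its hashes are constructed; when not run on a Mac, the script only exercises the hash-selection logic against that sample.

```shell
#!/bin/sh
# Added example (not the commenter's or Apple's code): wraps the sc_auth /
# security steps above with checks. Assumes `sc_auth hash` prints one
# "<hash> <label>" line per key and the wanted label contains "PIV Auth".
set -eu

# Where OS X keeps the System keychain; trust settings added here apply to
# every account on the machine.
SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Constructed sample of `sc_auth hash` output; the hashes are fake.
SAMPLE_SC_AUTH_HASH='0123456789ABCDEF0123456789ABCDEF01234567 Certificate For PIV Authentication
89ABCDEF0123456789ABCDEF0123456789ABCDEF Certificate For Digital Signature
FEDCBA9876543210FEDCBA9876543210FEDCBA98 Certificate For Key Management'

# Step 1: add an agency root or intermediate CA to the System keychain as
# trusted. $1 = path to the certificate file.
install_ca_cert() {
  sudo security add-trusted-cert -d -k "$SYSTEM_KEYCHAIN" "$1"
}

# Step 3 without the copy-and-paste: read `sc_auth hash` output on stdin and
# print the hash whose label mentions "PIV Auth". Fails unless exactly one
# such line exists, so a card with no (or two) matching keys is never
# enrolled with the wrong hash.
select_piv_auth_hash() {
  hashes=$(grep -i 'PIV Auth' | awk '{print $1}')
  count=$(printf '%s\n' "$hashes" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one 'PIV Auth' key, found $count" >&2
    return 1
  fi
  printf '%s\n' "$hashes"
}

# Steps 3-7: map the card's PIV Authentication key to a local account and
# turn on smart card authentication, verifying the mapping took effect.
# $1 = account name. Aborts (set -e) if the hash cannot be selected.
enroll_piv_card() {
  user=$1
  piv_hash=$(sc_auth hash | select_piv_auth_hash)
  sudo sc_auth accept -u "$user" -h "$piv_hash"
  # Step 5: the mapping must read back with the same hash.
  if ! sc_auth list -u "$user" | grep -q "$piv_hash"; then
    echo "sc_auth list for $user does not show $piv_hash" >&2
    return 1
  fi
  sudo security authorizationdb smartcard enable
  # Step 7: show the resulting state for the operator to confirm.
  sudo security authorizationdb smartcard status
}

# usage: sh enroll-piv.sh <account> [ca-cert ...]
main() {
  if [ "$(uname -s)" = Darwin ] && [ "$#" -ge 1 ]; then
    user=$1
    shift
    for cert in "$@"; do
      install_ca_cert "$cert"
    done
    enroll_piv_card "$user"
  else
    # Not on a Mac (or no account given): exercise only the selection logic
    # against the constructed sample.
    printf '%s\n' "$SAMPLE_SC_AUTH_HASH" | select_piv_auth_hash
  fi
}

main "$@"
```

Refusing to continue when the label match is not unique is the point of the helper: `sc_auth accept` will happily bind any hash you hand it, and a mapping to the signature or key-management key would fail at the login window with nothing obvious pointing back to step 3.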

  • Justin Kase
    Posted at 13:09h, 27 September

    Much easier solution!!
    I have El Capitan 10.11.6 and login without problems with my PIV.
    Here is what you do:
    1. Go to: http://rescue.vpn.va.gov/ and login
    2. On the left side menu go to Citrix(CAG) and select ‘Media’.
    3. Scroll down to the ‘Citrix Software’ and download the Mac OS X 10.11 – CAG OE Remote Bundle Package.
    4. Also download the Citrix Documentation > CAG OE Macintosh’s User Guide

    Follow the instructions and enjoy. You do have to set up your security certificates but the documentation walks you through each step. It took 10 minutes to setup and has been working well for me. I am using the standard PIV card reader from the VA, nothing fancy. And the bundle has all the middleware you need.

  • John
    Posted at 14:45h, 07 July

    I just wanted to say thank you for putting this information together. I have tried just about everything, including the bundle packages, with no luck. However, the Thursby software generated certificates that worked for authentication with CAG access via Safari. This was quite a journey to set up. But I hope well worth it.
