Diagnosing smart card log in problems

Two general methods for diagnosing smart card log in problems are provided:

  • By using the sctool utility as described in Using sctool
  • By performing the diagnostic procedures described in this section.

The following procedures are intended to diagnose multiple causes of smart card log in failure. It is recommended that you retest smart card login at regular intervals (such as after each step) as you perform this procedure.

  1. Ensure that the Mac computer is able to recognize the smart card. To do so, open Keychain Access and insert the smart card into the reader. The card should appear in the Keychain Access window as another Keychain with its certificates loaded.

    If the smart card does not appear in the Keychain window:

    1. Ensure that the firmware of the smart card reader has been updated to the latest version.

    2. Ensure that no other conflicting smart card drivers have been installed. Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service ship with CAC, CACNG, PIV, and BELPIC drivers by default. Other drivers, such as Gemalto, are incompatible with some cards. Check /var/log/system.log to see if non-default (and possibly incompatible) drivers were installed. Log entries for smart card drivers appear similar to the following:

      reader SCM SCR inserted token "First.Last.100xxxx" subservice 12 using driver com.gemalto.tokend

      If non-default drivers are present, locate them in /System/Library/Security/tokend and use the sudo mv command to remove them.

  2. If the card is visible in Keychain Access, select Certificates under Category in the Keychain Access window and verify that the certificate trust chains for each certificate are valid all the way up the chains.

  3. If a PIN prompt does not appear when the smart card is inserted, go to Smart card PIN prompt does not display and perform the procedure described there. When you are done, return to this procedure if you need to continue to diagnose smart card problems.

  4. Ensure that there are no remaining objects from previous smart card insertions by clearing out the smart card token cache. To do so, log in as the local Administrator and execute the following command in a terminal window:

    sudo rm -rf /var/db/TokenCache/tokens/*

  5. Online Certificate Status Protocol (OCSP) in Mac can cause unexpected behavior in some environments. Disable OCSP by executing the following command in a terminal window:

    sudo sctool -r -t ocsp:none -t crl:best -p crl

  6. If logins still fail with OCSP disabled, set Certificate Revocation List (CRL) to Off as described in Smart card PIN prompt does not display.

    If the PIN prompt appears when CRL checking is Off, but not when set to Best Attempt, the CRL in the environment has expired. Update to a valid CRL and set CRL checking back to Best Attempt.

  7. The Mac login window display mode can produce different behaviors with smart card logins, especially between different versions of Mac OS X 10.7.x.

    To check for this issue, go to System Preferences > Users & Groups > Login Options > Display login window as. Try each of the following options to see if either allows the PIN prompt to display:

    • List of users

    • Name and password

  8. Insert the smart card and execute the following command in a terminal window:

    sctool -D

    This command lists all the certificates present on the smart card and how their attributes match against Active Directory.

    1. Ignore any certificate that displays This certificate cannot be used for pkinit, as such certificates are not applicable for system logins.

    2. Make sure that the user for the applicable certificate can be found in Active Directory through the user’s principal name, and that the user has been authorized for logging in to the Zone.

    3. If the message Cannot locate NT principal name in AD is displayed for a certificate that can be used for pkinit, make sure the user has been configured correctly in Active Directory Users and Computers.

    4. Make sure that the UPN and alternate UPN of the Active Directory account have been configured correctly in Active Directory Users and Computers.

    5. If the UPN on the smart card is something other than mil, make sure that the adclient.altupns parameter in /etc/centrifydc/centrifydc.conf has been configured accordingly. For example, if the UPN on the smart card is 111111@mysmartcard.local, the parameter should be configured as adclient.altupns: mysmartcard.local. This parameter can also be set through the group policy Computer Configuration > Policies > Centrify Settings > DirectControl Settings > Add centrifydc.conf properties.

    6. In Active Directory Users and Computers, expand DomainName > Users. In the list of users, right-click the user who is attempting to log in, and select Properties. Select the Account tab in the Properties dialog and verify that the name in the User logon name field matches the NT Principal Name on the smart card.

  9. If the preceding steps have been verified and smart card logins still fail, there might be a compatibility issue between the smart card and the Mac OS itself. See the following Security Notes from Apple detailing the smart card compatibility fixes as of Mac OS X 10.9 Mavericks:

    https://support.apple.com/en-us/HT202854 (Security - Smart Card Services)

  10. If necessary, contact Centrify Support and provide the information described in Collecting information specific to smart card log in failure.
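
The driver check in step 1 can be scripted. The following is an added example, not part of the original documentation or of Centrify's tooling: it scans log entries of the form shown in step 1 and counts the drivers that are not on an expected list. The identifiers in EXPECTED_DRIVERS are placeholders (assumptions, since the page does not list the default drivers' identifiers), and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: report tokend drivers named in smart card log entries that
# are not on an expected list.

# Space-separated identifiers of the drivers you expect to see.
# ASSUMPTION: these are placeholders; replace them with the identifiers of the
# default CAC, CACNG, PIV and BELPIC drivers as they appear in your own log.
EXPECTED_DRIVERS="${EXPECTED_DRIVERS:-example.default.tokend.cac example.default.tokend.cacng example.default.tokend.piv example.default.tokend.belpic}"

# unexpected_tokend_drivers [LOGFILE]
# Reads LOGFILE (or standard input) and prints "count driver" for each driver
# found in an 'inserted token ... using driver <id>' entry that is not listed
# in EXPECTED_DRIVERS.
unexpected_tokend_drivers() {
    awk -v expected="$EXPECTED_DRIVERS" '
        BEGIN {
            n = split(expected, e, " ")
            for (i = 1; i <= n; i++) ok[e[i]] = 1
        }
        /inserted token/ && /using driver/ {
            d = ""
            # The driver identifier is the field after the words "using driver".
            for (i = 1; i <= NF - 2; i++)
                if ($i == "using" && $(i + 1) == "driver") { d = $(i + 2); break }
            if (d != "" && !(d in ok)) seen[d]++
        }
        END { for (d in seen) print seen[d], d }
    ' "${1:--}" | sort -k2
}

# Constructed sample entries in the format shown in step 1 (not real log data).
sample_log() {
    cat <<'EOF'
reader SCM SCR inserted token "First.Last.100xxxx" subservice 12 using driver com.gemalto.tokend
reader SCM SCR inserted token "First.Last.100xxxx" subservice 13 using driver example.default.tokend.piv
an unrelated log line that mentions a driver but no token
reader SCM SCR inserted token "First.Last.100xxxx" subservice 14 using driver com.gemalto.tokend
EOF
}

# Demonstration on the constructed sample.
sample_log | unexpected_tokend_drivers
```

On a Mac, run it against the log named in step 1: unexpected_tokend_drivers /var/log/system.log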