No access to any CAC websites

CAC access to secure web sites for Mac OS
David Mattes
Posts: 37
Joined: Fri Nov 11, 2016 11:24 am

Re: No access to any CAC websites

Post by David Mattes » Tue Nov 20, 2018 12:36 pm

yellow55,

If you click on your card (represented by your name and part of your DOD ID) on the left-hand side of Keychain Access, how many certs do you see with your CAC card? There should be anywhere from 6-7 certs. If you click on the first available cert (single click) there will be some information displayed at the top of the screen. Do you see where it says in green that "This certificate is valid" or does it say something in red that says "This certificate is untrusted"?

-David

wdallison
Posts: 3
Joined: Wed Jan 09, 2019 6:04 pm

Re: No access to any CAC websites

Post by wdallison » Wed Jan 09, 2019 6:35 pm

I’ve followed all your instructions re loading DoD certs, ensuring certs on my CAC are trusted and removed tokens thru terminal and still get the following error in Chrome when I try to access Joint Staff OWA, DFAS MyPay, NPC BOL:

ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED

Running El Capitan version 10.11.6 on iMac early 2009
Running Chrome version 71.0.3578.98
CAC Oberthur 128 v5.5a
CAC Reader OMNIKEY Version 3.02

Worked fine until new CAC issued 28 Dec 18. I’d appreciate any suggestions you might have.

michaelwolfe
Posts: 347
Joined: Fri Feb 17, 2012 11:49 am

Re: No access to any CAC websites

Post by michaelwolfe » Thu Jan 10, 2019 8:52 am

wdallison,

If you have received a new CAC, then you will want to delete the cached data from your previous CAC. With your CAC out of the reader, open the Terminal (/Applications/Utilities), then paste in the following commands:

sudo zsh

cd /var/db/TokenCache/tokens/

rm -rf com.*

The first command is going to give you administrative permissions in the Terminal. Pressing enter will prompt you to enter your computer password. The password field will remain blank as you type, just press enter when you have finished. The second command is going to Change Directory (cd) to the tokens directory. The third command removes any file in that directory with "com." in the name. Successful entry of these commands will not output anything, but simply bring you to a new command line.

Once you have completed this step, quit the Terminal, insert your CAC into the reader, open Keychain Access and confirm that you see your CAC. Now quit and reopen Chrome and attempt to log into a web site.

Here is an example of those commands run on my Mac. I ran a couple of list commands (ls -lah) to show what my 'tokens' folder looked like before and after I ran the command to delete the files.

michaels-imac:~ michael$ sudo zsh
Password:
michaels-imac# cd /var/db/TokenCache/tokens 
michaels-imac# ls -lah     
total 0
drwx--x--x  10 root  wheel   340B Dec 17 16:51 .
drwx--x--x   4 root  wheel   136B Jul 26 08:45 ..
drwx--x--x   6 root  wheel   204B Oct 31 13:17 com.thursby.tokend.pkard:4956-2032-2E33-2E32-2063
drwx--x--x   6 root  wheel   204B Dec 11 14:42 com.thursby.tokend.pkard:6561-6E20-5061-6E65-6B20
drwx--x--x   6 root  wheel   204B Oct 16 13:19 com.thursby.tokend.pkard:6963-6861-656C-2057-6F6C
drwx--x--x   6 root  wheel   204B Nov  2 09:19 com.thursby.tokend.pkard:696D-204B-696C-6C69-6F6E
drwx--x--x   6 root  wheel   204B Dec  4 09:20 com.thursby.tokend.pkard:6F65-2041-6972-2046-6F72
drwx--x--x   6 root  wheel   204B Oct 31 13:16 com.thursby.tokend.pkard:CAC-2050-5000-1028-0004-7203 00002173
drwx--x--x   6 root  wheel   204B Dec 12 11:55 com.thursby.tokend.pkard:CAC-4790-5043-5037-9800-D05F 00011466
drwx--x--x   6 root  wheel   204B Dec 17 16:51 com.thursby.tokend.pkard:CAC-4820-502B-1029-0915-8629 00011399
michaels-imac# rm -rf com.*
michaels-imac# ls -lah
total 0
drwx--x--x  2 root  wheel    68B Jan 10 07:49 .
drwx--x--x  4 root  wheel   136B Jul 26 08:45 ..
michaels-imac# 
- Michael
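
The cache-clearing step from the post above, as an added example that is not part of the original post or of Thursby's software: it deletes by absolute path instead of relying on `cd`, so a missing directory cannot turn into a delete somewhere else, and it quotes entry names because some in the listing contain spaces. The function name `clear_token_cache` and the `DRY_RUN` and `CLEARED_COUNT` variables are made up for this example; only the directory path and the `com.*` pattern come from the post.

```shell
#!/bin/sh
# Added example: clear cached smart-card token entries without relying on cd.
# The default path is the one given in the post; clear_token_cache, DRY_RUN
# and CLEARED_COUNT are hypothetical names used only here.

TOKEN_DIR_DEFAULT="/var/db/TokenCache/tokens"

# clear_token_cache [dir]
# Removes only direct children of dir whose names start with "com.".
# Returns 0 on success, 1 if dir is missing, a symlink, or a delete fails.
# Sets CLEARED_COUNT to the number of entries removed (or, with DRY_RUN=1,
# the number that would be removed).
clear_token_cache() {
    dir="${1:-$TOKEN_DIR_DEFAULT}"
    CLEARED_COUNT=0

    # Refuse to act on anything that is not a real directory.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "token cache directory not found: $dir" >&2
        return 1
    fi

    # Absolute-path glob; quoting keeps names with spaces intact.
    for entry in "$dir"/com.*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would remove: $entry"
        else
            rm -rf -- "$entry" || return 1
            echo "removed: $entry"
        fi
        CLEARED_COUNT=$((CLEARED_COUNT + 1))
    done
    return 0
}
```

The tokens directory is owned by root, so the function has to run in a root shell, with the CAC out of the reader as the post says. Setting `DRY_RUN=1` before calling it prints what would be deleted without removing anything.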

wdallison
Posts: 3
Joined: Wed Jan 09, 2019 6:04 pm

Re: No access to any CAC websites

Post by wdallison » Thu Jan 10, 2019 9:21 pm

Michael

Deleted cached data from my previous CAC as directed in your reply. Went back into Chrome and attempted to access MyPay and JS OWA; regret no change. Still get the same error message. Any other suggestions would be greatly appreciated.

michaelwolfe
Posts: 347
Joined: Fri Feb 17, 2012 11:49 am

Re: No access to any CAC websites

Post by michaelwolfe » Fri Jan 11, 2019 8:45 am

Wdallison,

Were you prompted to choose a certificate? If not, make sure you Quit Chrome, and then reopen the app. Your CAC needs to be in the reader prior to launching Google Chrome, or else it won't know to use it. Subsequently, if you ever remove your CAC while Chrome is open, you will need to quit and relaunch Chrome after you have returned your CAC to the reader.


- Michael

wdallison
Posts: 3
Joined: Wed Jan 09, 2019 6:04 pm

Re: No access to any CAC websites

Post by wdallison » Sat Jan 12, 2019 8:08 pm

Certificate prompted and selected for both sites. No difference...still receive the same error.

michaelwolfe
Posts: 347
Joined: Fri Feb 17, 2012 11:49 am

Re: No access to any CAC websites

Post by michaelwolfe » Mon Jan 14, 2019 9:02 am

wdallison,

I have sent you an email from our Support Database in order to better assist you with this issue. Please look for an email from support@thursby.com in your Inbox or Spam folder.


- Michael

spookyjrg
Posts: 1
Joined: Wed May 01, 2019 8:36 pm

Re: No access to any CAC websites

Post by spookyjrg » Wed May 01, 2019 8:54 pm

I am encountering a similar issue as wdallison.
I'm currently unable to access any CAC website (primaries are AF Portal, DTS, MyPay)

When I try to access CAC enabled websites via Chrome I get:

ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED

I'm encountering similar issues via Safari:

....POSIX error ~9858.... (NSPOSICErrorDomain: ~9858)

I've tried all of the tips and tricks listed in this thread to no avail (disabling embedded CAC reader software, clearing identity preferences, clearing browser & token caches, etc.).

Am using macOS Mojave version 10.14.3, CACkey. No antivirus software running that I'm aware of, though I do have clean my mac & carbonite running in the background.

Any help is much appreciated!

kim
Posts: 47
Joined: Fri Apr 29, 2016 10:22 am

Re: No access to any CAC websites

Post by kim » Fri May 03, 2019 2:10 pm

This issue is being handled through the Thursby Support database. I will update this post once a resolution has been made.