Troubleshooting PKard for Mac

CAC access to secure web sites for Mac OS
michaelwolfe
Posts: 316
Joined: Fri Feb 17, 2012 11:49 am

Troubleshooting PKard for Mac

Post by michaelwolfe » Wed May 27, 2015 2:20 pm

The great thing about forums is that they can be a great source of information. The problem is that you can be easily overwhelmed, or not sure where to begin. The purpose of this forum post is to filter out some of the more common issues that we address daily.

1. The PKard Assistant doesn't see my CAC card, Keychain Access doesn't show my CAC card.

If you have used any other CAC enabled programs then we suggest that you remove them from your Mac. PKard, in most cases, should be able to disable most of the popular CAC apps, but that may not always be the case. MilitaryCAC.com has instructions on how to remove the apps from your Mac, which can be found here.

One of the common issues we have seen with Yosemite is that its PCSC service doesn't always want to function properly. The Mac OS uses PCSC in order to communicate with your CAC reader. When PCSC isn't functioning, PKard doesn't know to start up when you put your CAC in the reader. In most cases, disconnecting your reader and restarting your Mac should get it to work again. To start the PKard Assistant, you can manually launch it by clicking Go on the Menu bar, then select Go to Folder and type in /Library/Application Support/PKard.

2. Safari won't let me choose a different certificate.

Anytime you access a website that requires a CAC certificate, Safari will create an Identity Preference in your Keychain so when you return to the site you should only have to enter a PIN number. On occasion, Safari may have trouble with these preferences and they must be removed from your Keychain in order for Safari to create a new one. Additionally, if you chose the wrong certificate then you will need to remove the preference in order to choose a different cert. Please quit out of Safari and follow the directions in this forum entry on how to delete the preferences.

http://www.thursby.com/forum/viewtopic.php?f=11&t=318

3. F5 Big IP page with Enterprise Email.

Since November of 2014, the Army Enterprise Email servers have been quite problematic. The error message details will determine which steps you will need to take in order to resolve the issue. If you see a message stating "Access was denied by the access policy" then you had chosen the wrong certificate and will need to choose another cert. Follow the steps on removing Identity Preferences from suggestion 2 and choose another certificate.

If the error message states that you are already logged in within another tab or window then the issue is most likely with a cookie for the site. In Safari, open Safari Preferences > click the Privacy tab > click Remove Website data > Quit and reopen Safari. Doing this should clear out everything in your web browser and any cookies that the Enterprise servers may be using to determine if you are already logged in; on a few occasions it took a restart of the Mac.

4. Which certificate do I need to choose?

Apple's Keychain doesn't know the names of the certificates that you may be used to seeing. Instead, it labels them with the server that they were issued from, such as DOD CA-## or DOD EMAIL CA-##. There are 3 different certificates that you should ever need to choose: Identity, Email Signing, PIV Authentication. If you are supposed to use a regular DOD or Identity certificate for the website then you will choose the very first certificate in the list, which should say something like DOD CA-30. Sites like your webmail where you need to choose the Email cert, or your PIV cert, you will use the first DOD EMAIL cert in the list for Email Signing; PIV users will use the second DOD CA-## cert in the list.

5. Logging into DTS, infinite "Reading Credentials" wheel, and Error code 305.

DTS uses another application called DBSign for its authentication agent. This is a Java based app and your Mac must have the current version of Java installed in order for it to run. The first sign indicating that you have an issue with Java is when the Reading Credentials wheel never progresses. What happened is the website made a call to authenticate the user, but the application couldn't launch because you don't have Java installed or active in your browser. Below you can find links to download Java, as well as a link to test that Java is working with your browser. **NOTE** Java isn't supported in Chrome, we suggest that you make sure you are using Safari.

https://java.com/en/download/ <== Download Java
http://java.com/testjava <== Test Java

Once Java is installed and working you will need to try to log into DTS, which will fail with Error code 305. Error code 305 is actually an error with the DBSign app and the solution to fixing this problem is to allow Java to run in unsafe mode, which is a setting in Safari:

- Open Safari Preferences
- Click the Security Tab
- Click plug-in settings next to Internet Plug-ins
- Click Java in the side bar
- Make sure there is a check in Java
- Make sure Java is turned on in the drop down menu in the lower right corner
- Locate dtsproweb.defensetravel.osd.mil and make sure the drop down menu says "on"
- Hold the option Key on your keyboard, click the dropdown menu and select "Run in safe mode" to turn off safe mode
- Click trust
- Exit Safari Preferences
- Click Retry Login on the DTS page

Your next log in attempt should present to you a couple of boxes to allow an app to launch and continue. The final pop-up you should see will be the credential selection box. The first credential in the list should get you logged into the site.

6. NROWS/AROWS says that I need to use a specific browser.

These sites have a check in place to make sure you are coming from a supported web browser. Both Safari and Google Chrome have methods you may use to work around this limitation. You can find our write up on how to change Chrome's UA in this forum entry.

To change the User Agent within Safari:

- Open Safari Preferences
- Click the Advanced tab
- Enable "Show develop in the menu bar"
- Close Safari Preferences
- Click Develop on the menu bar
- Hover over User Agent
- Choose Firefox for Windows

Now here is where things can get tricky. Safari will only change the user agent for the current active tab. Therefore, in order to log into NROWS/AROWS you will either need to use the bookmark we placed in the PKard folder, or type the address directly into the browser: https://nrows.sscno.nmci.navy.mil/nrows ... /login.jsp or https://arows.sscno.nmci.navy.mil/arows ... /login.jsp.


I hope these suggestions were able to get you logged into your sites. As always, if you continue to have trouble with logging into a site or getting PKard to work for you, please email us: support@thursby.com.

-Michael

mjruss
Posts: 5
Joined: Fri Sep 18, 2015 8:47 am

Re: Troubleshooting PKard for Mac

Post by mjruss » Fri Sep 18, 2015 8:52 am

Above you wrote:

One of the common issues we have seen with Yosemite is that its PCSC service doesn't always want to function properly. The Mac OS uses PCSC in order to communicate with your CAC reader. When PCSC isn't functioning, PKard doesn't know to start up when you put your CAC in the reader. In most cases, disconnecting your reader and restarting your Mac should get it to work again. To start the PKard Assistant, you can manually launch it by clicking Go on the Menu bar, then select Go to Folder and type in /Library/Application Support/PKard.

This seems to be the problem I am having on a regular basis. The restart solution, however, is not always viable. Right now, for example, I have two processes running that I cannot interrupt by a restart. I was hoping to go online and do some work that required my CAC, but right now the system is not recognizing my card (the reader is seen just fine).

Is there a way without restarting to get "PCSC" started? (I also cannot log out and back in.)

michaelwolfe
Posts: 316
Joined: Fri Feb 17, 2012 11:49 am

Re: Troubleshooting PKard for Mac

Post by michaelwolfe » Fri Sep 18, 2015 9:28 am

mjruss,

Unfortunately, restarting your Mac is the easiest and best way to fix pcscd.

Are you also experiencing log out/in issues?

-Michael

hbakken
Posts: 1
Joined: Mon Feb 27, 2017 6:30 pm

Re: Troubleshooting PKard for Mac

Post by hbakken » Mon Feb 27, 2017 6:34 pm

RE: Suggestions 2 and 3 above, I got a new CAC today and was able to log in to the AKO site but NOT enterprise e-mail (which requires the email certificate). I was getting F5 Big IP errors. I followed the directions in suggestion 2 and it worked! Thanks all!

Slackyhacky
Posts: 5
Joined: Mon Mar 20, 2017 9:04 pm

Re: Troubleshooting PKard for Mac

Post by Slackyhacky » Wed Mar 29, 2017 12:49 am

"2. Safari won't let me choose a different certificate."

I followed the instructions - didn't work.

In my keychain access - with my CAC selected in the Keychain part, and My Certificates selected in the Category box, I only have one certificate listed (DoD-42). Shouldn't I have at least 2 more listed?

They are listed under login and all items, but not under My Certificates. Is this the issue?

michaelwolfe
Posts: 316
Joined: Fri Feb 17, 2012 11:49 am

Re: Troubleshooting PKard for Mac

Post by michaelwolfe » Wed Mar 29, 2017 1:47 pm

Slackyhacky wrote: "2. Safari won't let me choose a different certificate."

I followed the instructions - didn't work.

In my keychain access - with my CAC selected in the Keychain part, and My Certificates selected in the Category box, I only have one certificate listed (DoD-42). Shouldn't I have at least 2 more listed?

They are listed under login and all items, but not under My Certificates. Is this the issue?

Slackyhacky,

You should see 6 items listed if you are looking at your CAC. Prior to PKard, did you try using any other CAC enabling applications? If so, please go to militarycac.com/macuninstall.htm for the instructions on how to remove the other CAC enablers. We recommend that you remove your card from the reader prior to removing the other software.


Michael

Slackyhacky
Posts: 5
Joined: Mon Mar 20, 2017 9:04 pm

Re: Troubleshooting PKard for Mac

Post by Slackyhacky » Tue Apr 04, 2017 2:27 am

Michael,

I did install another enabler - but deleted them (as per the instructions on militarycac.com) before installing PKard. See my screen capture.

Any thoughts on how to move forward?

Image

Image

michaelwolfe
Posts: 316
Joined: Fri Feb 17, 2012 11:49 am

Re: Troubleshooting PKard for Mac

Post by michaelwolfe » Tue Apr 04, 2017 7:47 am

Slackyhacky,

You may be running into an issue with cached data that was created by one of the other enablers. The easiest way to remove that data is to run the following Terminal commands:

- Remove your card from the reader
- Launch the Terminal from your Utilities folder

sudo zsh
(Enter your computer password when prompted. The field will not show any character input)
cd /var/db/TokenCache/tokens && rm -rf com.*

- Insert your card into the reader
- Try logging into a CAC website

If you continue to have trouble, please contact our support group by calling +1 817-478-5070 or emailing support@thursby.com


Michael
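
A guarded form of the cache cleanup in the post above, added here as an example and not Thursby's own script: the function name clear_token_cache and its -n dry-run flag are assumptions, while the path and the com.* pattern are the ones given in the post. It refuses to run when the directory is missing, so the root-level delete can never land in some other working directory.

```shell
#!/bin/bash
# Added example: guarded cleanup of the smart card token cache.
# Usage: clear_token_cache [-n] [DIR]
#   -n   dry run: list what would be removed, delete nothing
#   DIR  cache directory; defaults to the path given in the post
clear_token_cache() {
    local dry_run=0 dir entry count=0
    if [ "$1" = "-n" ]; then dry_run=1; shift; fi
    dir="${1:-/var/db/TokenCache/tokens}"

    # Stop unless the target is a real directory (not a symlink),
    # so the delete cannot be redirected or run somewhere else.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi

    # Touch only the com.* entries the post names; anything else stays.
    for entry in "$dir"/com.*; do
        # When the glob matches nothing it stays literal; skip it.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ "$dry_run" -eq 1 ]; then
            echo "would remove: $entry"
        else
            rm -rf -- "$entry" || return 1
            echo "removed: $entry"
        fi
        count=$((count + 1))
    done
    echo "$count entries matched in $dir"
}
```

With the card removed from the reader, source the file in the root shell and run `clear_token_cache -n` first to review the list, then `clear_token_cache` to delete.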

Slackyhacky
Posts: 5
Joined: Mon Mar 20, 2017 9:04 pm

Re: Troubleshooting PKard for Mac

Post by Slackyhacky » Tue Apr 04, 2017 3:10 pm

Michael,

Thanks for the help. I gave it a try - still only having one certificate coming up (non-email one). I really need to be able to choose the email certificate for a couple of key websites.

I'll give support a call.
