The drivers can be used for SCR531 USB, SCR331 CCID, SCR333, SCR335 and SCR3310. SCR331 users note that only readers that have CCID firmware are supported. Readers that have firmware Rev 2.0 and above are usually CCID. This driver may also be used with the following third-party products: Goldtouch ErgoSecure SC 2.0 keypad, Datakey DKR830.

SCM's SCR3310 and SCR3310v2.0 are small and ergonomic USB smart card readers, with backside mounting holes. SCM SCR3310 v2.0 smart card reader USB overview and full product specs on CNET.

Long story short: It works to get past the VPN gateway but throws the same “no valid certificates found” error when trying to log in to the Windows desktop via a Citrix Receiver client.

I just had a chance to test the new Yosemite 10.10 compatible free SmartCard utility from Centrify mentioned here.

If this is bothering or interesting you, you may want to monitor this URL:

The bulk of this post concerns the $29 PKard product from Thursby which is the first I found with explicit OS X 10.10 support. Hope it helps!

There is an active Citrix support thread on the “no valid certificates found” issue.

Using PIV smart cards for HHS VPN login with Mac OS X 10.10 Yosemite

Note: This entire post is basically Google search bait designed to (hopefully) allow others struggling with the same issues to save a bit of time.

As of the time I wrote this article, the state of freely available open source software for PIV smart card support on Yosemite is pretty lacking.

Short Summary

I need to use a HHS PIV card to remotely access computer systems from a brand new MacBook Air running OS X 10.10 Yosemite.

Still – consider the Centrify software if you don’t want to spend $29.

The way I connect is via a federal standard PIV Card which is a very cool physical badge that doubles as a holder of biometric and personal crypto certificate information.
Background

I do some subcontracting work for a few US Government agencies, one of which requires me to be able to connect remotely to US.GOV networks and infrastructure.

This was not something I needed to do on OS X 10.7 or 10.7 with the open source smart card software stack.

It did, however, work fast and got me successfully logged onto the remote VPN server.

Current status: Thursby PKard software works well on Yosemite for VPN access but the Windows desktop I get sent to via a Citrix client reports “no valid certificates” and I’m forced to use my standard user login name and password to complete the final authentication.

Belkin flexible USB adapter – Amazon Link:

SCM SCR3500 Smart Card Reader – Amazon Link:

A perfect example of this is and – the site that I turned to first when looking for OS X Yosemite PIV/smartcard status info.

It’s a very slick and interesting system.

From what I can tell, PIV cards are very similar to the CAC cards carried by military members that are often required for secure web browsing and access to military resources. In fact, when searching the internet for PIV assistance you will find that some of the best help resources are coming from the military CAC-user community.

Two-factor authentication is achieved by having to punch in a PIN code when my certs are presented to the remote system.

I’ll just show this OS X window which is the system prompt you get when your certificate is being used and the host OS wants to verify your PIN code as part of the two-factor authentication process.

If you see this, this is your PIN entry prompt and it means that stuff is generally working:

Remember that this is where your PIN goes, ignore the system text about “keychain password” …

Minor Issue

Using the steps outlined above I can successfully authenticate to the remote access environment I need to use on a daily basis.
This should be all you need to access or log in to PIV-enabled websites.

I removed screenshots showing the portal site I was logging into out of paranoia so I can’t show examples of successful logins.

In my case I needed the US GOV Health and Human Services (HHS) intermediate certificates and the best online resource I found for HHS certificates needed for PIV cards is actually over on a NIH hosted site:

I downloaded and installed the “HHS Entrust FPKI Certificate Chain” from the above website:

Installing the certificates results in a chain of trust that culminates with your personal PIV certificates being recognized as trusted:

At this point you have a recognized USB card reader, your personal PIV certificates are visible to Mac OS X and the trust chain is complete.

Keychain Assistant helpfully throws up the red text saying: “This certificate was signed by an unknown authority”

OS X Yosemite does not “trust” the Certificate Authorities that signed my PIV card certificates.

The solution is to go out and install the intermediate certificates necessary to build the full-length trust chain.

The source of trust chain certificates almost certainly depends on what agency you work for or are trying to access.

If your USB reader and the PKard software are working, Yosemite 10.10 can now “see” the crypto info stored on the PIV card

Fix the Trust Chain (If your PIV certificate is not trusted)

This may not be an issue for an upgraded system but on my brand new laptop my host OS was missing the intermediate certificate trust chain.

Unfortunately, without extra software it would not be possible, as Apple does not ship middleware necessary to interface between the smartcard and the OS and applications such as Keychain Access.

Will update this post as needed.

Probably a bit late to reply, but yes – smartcard login on a Mac without AD integration is simpler than with AD.
I was willing to pay $29.99 for the functionality I needed and the software and documentation is great but I’m not going to shell out $179 for SSO access to a Windows Desktop.

I’m going to keep researching this and will keep an eye on the state of open source / free smart card services for Yosemite 10.10.

I’m not sure if it’s a Citrix Receiver issue or perhaps this is a designed-in behavior of the Thursby software designed to upsell software that offers more functionality.

Not optimal but it works for my purposes.

Longer term I want this issue to go away.

After getting past the VPN, the remote desktop session can’t see my PIV certificate and I have to fall back to using standard AD username and password.

More readers nowadays are likelier to work, rather than not.

– tokend, available from Open Source (I recommend ) or commercial vendors (Thursby PKard has very good reputation among the users)
– lower-level PKCS#11 components (may not be necessary) – I recommend or.

Starting with 10.12 the situation is likely to be completely different, and you indeed might not need any extra software.

This assumes you have a working smartcard reader, such as SCM 3110, or Gemalto Dual Prox.

Once these packages are installed, you need to configure the system:

1. Insert your smartcard, and open Keychain Access. You should see your smartcard as another keychain. If not – troubleshoot until you do.
3. “sc_auth hash” – locate and copy “PIV Auth” certificate hash
5. “sc_auth list -u your_user_name” should show that same hash.
6. “sudo security authorizationdb smartcard enable”
7. “sudo security authorizationdb smartcard status” should show that smartcard is enabled for authentication.

You’re done – now you can log in with your CAC/PIV card in addition to name/password.

You may be able to configure the machine to enable *only* smartcard login, but I don’t know how (or if it is indeed possible).