Hello fellow JAMF peoples,

I need some help if you all have a minute. Some of our users where I work (DOD client, all of the 10.8 users in our environment) are experiencing issues with their CAC card login. It's a PKI authentication error. They can log in using their normal credentials; however, if they put their CAC card back in the machine upon login they get two typical errors:

NetAuthSysAgent wants to use the "login" keychain
Please enter the keychain password


Kerberos PKINIT: Signed data not verified.

Non-understood extension with Critical flag true.

Signed data from domain controller could not be verified. Please
Make sure your domain controller certificate is valid
And you have installed the necessary trust points.
Choose the Certificates/Trusted Certificate Authorities menu to view your current trust points.

Essentially users can't log in with this method, and when putting in their CAC cards they get an error and can't use anything that requires PKI. I attempted pushing out the PKI packages via Casper Remote, did Apple updates and even restarted their machines, but the issue persists. I have no idea how to tackle this issue. Please help?


Based on similar experiences in other government entities, most likely one of two things is happening:

  1. The proper pieces are missing in the certificates (additional Kerberos PKINIT attributes are required to be in the domain controller certs for Heimdal Kerberos PKINIT to work versus what's built in to AD for Windows PCs). I don't know the exact pieces though.

  2. The certificate chain was not otherwise configured correctly on the domain controllers in such a way that the chain trust is broken as seen by the Mac (sometimes, Windows doesn't verify the chain the same way).