SmartCard pairing and PIN dialogues don't show up

Hi,


as the topic says, the SmartCard pairing and PIN dialogues don't show up on my system. We have configured other Macs with an identical setup and those machines work fine.


We use OpenSC for access to the cards, which works fine.

Firefox and Adobe Reader are able to access the certs on the card without any issues.

The card also works for authentication on the company's Windows machines.


Also, the necessary Root and Intermediate certs are installed in the system keychain (via MDM).


What I've checked/tested so far:


  1. pcsctest - successful
  2. pkcs11-tool --login --test - works
  3. pkcs11-tool --list-objects - works
  4. system_profiler SPSmartCardsDataType - shows all the certs
  5. sc_auth identities - lists identities
  6. sc_auth pairing_ui -s status - enabled
  7. security list-smartcards - lists the smartcard
  8. security smartcards token -l - is empty
  9. Clean install of macOS - issue still exists
  10. Reset SMC - issue still exists


Here are the errors I was able to find:


sc_auth verifypin


Verifying PIN of SmartCard in reader OMNIKEY AG 3121 USB

ERROR: Unable to select card application AID {length = 11, bytes = 0x<OBFUSCATED>}


sc_auth pairing_ui


Hangs


sc_auth pairing_ui -f


Causes ctkbind to throw this message:


No RSA decryption key or ECDH key was found for token: org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken:0208c11a000f242a


<Insert the Card>


Console.app shows this error for ctkbind (as above):


No RSA decryption key or ECDH key was found for token: org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken


I appreciate any help on this topic.

MacBook Pro 16″, macOS 12.5

Posted on Aug 29, 2022 4:51 AM


Aug 30, 2022 9:06 AM in response to b.ger

Hello b.ger,


It looks like you have already completed a lot of great steps. Here are a few steps and details offered from Apple about using a smart card in macOS.


Local account pairing

The steps below describe the local account pairing process:
- Insert a PIV smart card or hard token that includes authentication and encryption identities
- Select “Pair” at the notification dialog
- Provide administrator account credentials (user name/password)
- Provide the 4–6 digit Personal Identification Number (PIN) for the inserted smart card
- Log out and use the smart card and PIN to log back in

Local account pairing can also be accomplished with the command-line and an existing account. For more information, see Configure macOS for smart card–only authentication for details regarding this method of pairing.


Also, check out this link which offers commands for viewing and editing specific smart card configuration settings and logs: Advanced smart card options in macOS - Apple Support.


Also, see the following: Intro to smart card integration in macOS - Apple Support. Be sure to look over the section labeled "Authentication" which offers information about setting the PIN.


Authentication

Smart cards can be used for two-factor authentication. The two factors include “something-you-have” (the card) and “something-you-know” (the PIN) to unlock the card. macOS 10.12.4 or later includes native support for smart card and login authentication, and client certificate-based authentication to websites using Safari. macOS also supports Kerberos authentication using key pairs (PKINIT) for Single sign-on to Kerberos-supported services.

Note: Make sure the smart card is properly provisioned with both a certificate authorization and a key for encryption, if used for system login. The encryption key is used to wrap the keychain password; lack of an encryption key causes repeated keychain prompts.


We hope this information helps get you pointed in the right direction.


Cheers!
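An added example, not code from either post, from Apple or from OpenSC: a small check that reads the private-key listing from `pkcs11-tool --list-objects --type privkey` and reports whether any key could be the "RSA decryption key or ECDH key" that the ctkbind message asks for. It assumes the listing layout shown in the constructed sample, and it assumes the PKCS#11 usage flags (`decrypt`, `derive`) reflect what ctkbind looks for; the function names are hypothetical.

```python
import re
import sys

# Constructed sample shaped like `pkcs11-tool --list-objects --type privkey`
# output; labels and IDs are made up. This card exposes signing keys only.
SAMPLE_SIGN_ONLY = """\
Private Key Object; RSA
  label:      auth key
  ID:         01
  Usage:      sign
Private Key Object; EC
  label:      signature key
  ID:         02
  Usage:      sign
"""

HEADER = re.compile(r"^Private Key Object;\s*(\S+)")
FIELD = re.compile(r"^\s+(label|ID|Usage):\s*(.*)$")


def parse_private_keys(text):
    """Return one dict per private-key object found in the listing."""
    keys, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Unindented line: start of a new object (private key or other).
            m = HEADER.match(line)
            current = {"type": m.group(1).upper(), "label": "", "id": "",
                       "usage": set()} if m else None
            if current:
                keys.append(current)
            continue
        f = FIELD.match(line)
        if f and current is not None:
            name, value = f.group(1), f.group(2).strip()
            if name == "Usage":
                current["usage"] = {u.strip() for u in value.split(",") if u.strip()}
            else:
                current[name.lower()] = value
    return keys


def pairing_candidates(keys):
    """Keys usable for decryption (RSA) or key agreement (EC) per usage flags."""
    return [k for k in keys
            if (k["type"] == "RSA" and "decrypt" in k["usage"])
            or (k["type"].startswith("EC") and "derive" in k["usage"])]


if __name__ == "__main__":
    text = SAMPLE_SIGN_ONLY if sys.stdin.isatty() else sys.stdin.read()
    found = pairing_candidates(parse_private_keys(text))
    print("candidate key IDs:", [k["id"] for k in found] or "none")
```

Pipe the real listing into the script on stdin; an empty result is consistent with the ctkbind message and with the provisioning note quoted in the reply.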
