Troubleshooting your PIV Smartcard and card reader
There are times your smartcard either refuses to work or lets you into one function but not another (e.g., you can unlock the screensaver but nothing else). This page is an effort to help you isolate the cause of the problem.
The card reader and badge dance
Most of you are probably already familiar with this dance, where you should try:
- Reinserting the badge (sometimes a firm push is needed to seat the chip)
- Trying the card reader in another USB port on the computer
- Cleaning the badge chip with a pencil eraser (yes, really!)
By the way, it is a good idea to learn the normal light pattern of your card reader when it is working: Does it flash quickly while reading the card and then stay on steadily? Turn off? Knowing the normal pattern makes abnormal behavior much easier to spot.
Logging in to the computer
FileVault screen/ Login screen
When you first boot a FileVault-encrypted Mac, the unlock screen runs in a very low-level pre-boot environment that has not loaded the libraries for handling smart cards (or much of anything else). So the first screen (with large circle icons for "ASD Admin" and your own account) requires your local account password, not your PIN.
If you keep your local password in sync with your NDC password, try that first. But we have seen them get out of sync, so if your current password is number "N", also try your previous ones: "N-1", "N-2", etc.
Once that succeeds, the internal drive is unlocked and a normal boot sequence proceeds. After you accept the NASA security banner, you should be prompted for your PIN.
Screensaver
If the Mac refuses to prompt you for your PIN (the screensaver still says "Enter password") and you have reason to believe your badge and reader are fine, click "Switch User" at the bottom of the screen. This is often enough to get the smart card PIV PIN prompt.
Enterprise Connect headaches
Please see this separate document for advice on how to clear up incessant "ecAgent" dialog boxes or other problems with Apple's Enterprise Connect.
Checking your certificates
Smartcard validation failure
There are two elements of your Mac's setup that may be left over from previously recommended or required configurations but can now interfere with the proper functioning of your smartcard. In addition, you may need to reinstall the NASA Trust Anchor Management (NTAM) set of security certificates (they show up in System Preferences → Profiles) if your NTAM settings are out of date, missing, or incomplete.
- Check whether your machine is still bound to Active Directory. From the command line, run
dsconfigad -show
which prints about 25 lines of settings if you are bound to AD and nothing at all if you are not.
The other way is System Preferences → Users & Groups: click "Login Options" in the lower left and see whether it shows "NDC" with a green light (bound to the NASA Domain Controller, NDC) or a greyed-out "Network account server: Join" (not bound).
Please inform the ASD system team if you are still bound.
- Look in the Utilities folder (under /Applications) for the "ActivID ActivClient Uninstaller." If it is there and your OS is macOS 10.14 Mojave or higher, run that uninstaller (if you are an admin on your Mac) or run the same uninstaller from Self Service.app (if you are not an admin).
- To reinstall the latest NTAM, click this Jamf policy to reinstall NTAM link. (The URL should offer to open Self Service.app for you.)
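The first two checks above, scripted so you can run them from a Terminal in one go. This is an added example for this page, not an ASD-supplied tool. It only reads state, so a non-admin can run it. It assumes the uninstaller lives in /Applications/Utilities under a name beginning "ActivID ActivClient Uninstaller", and relies on dsconfigad and sw_vers, both standard macOS commands; the sample dsconfigad output it is tested against is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Pre-flight for the "smartcard validation failure" checklist above. Added
# example for this page, not an ASD-supplied tool. It only reads state, so a
# non-admin can run it; it tells you what to report or which step to take.

# Classify the output of `dsconfigad -show`, read from stdin: the command prints
# a block of settings when the Mac is bound to Active Directory and nothing at
# all when it is not. Taking stdin keeps this testable without dsconfigad.
classify_dsconfigad_output() {
    if grep -q '[^[:space:]]'; then echo bound; else echo unbound; fi
}

# Exit 0 when a macOS product version ("10.14.6", "11.2.3") is Mojave or later.
is_mojave_or_later() {
    major=${1%%.*}
    rest=${1#*.}; [ "$rest" = "$1" ] && rest=0        # no dot at all ("11")
    minor=${rest%%.*}
    case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac   # "unknown" etc.
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 14 ]; }
}

# Exit 0 when the ActivID ActivClient uninstaller is in the Utilities folder.
# The folder is a parameter so a test can point it at a scratch directory.
activclient_uninstaller_present() {
    for f in "${1:-/Applications/Utilities}"/ActivID\ ActivClient\ Uninstaller*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

main() {
    if command -v dsconfigad >/dev/null 2>&1; then
        case $(dsconfigad -show 2>/dev/null | classify_dsconfigad_output) in
            bound)   echo "AD: still bound to a domain. Tell the ASD system team." ;;
            unbound) echo "AD: not bound (good)." ;;
        esac
    else
        echo "AD: dsconfigad not found (not macOS?); skipping."
    fi

    ver=$(sw_vers -productVersion 2>/dev/null || echo unknown)
    if activclient_uninstaller_present; then
        if is_mojave_or_later "$ver"; then
            echo "ActivClient: uninstaller present on macOS $ver. Run it (admins) or use Self Service."
        else
            echo "ActivClient: uninstaller present, but macOS $ver is older than 10.14; leave it."
        fi
    else
        echo "ActivClient: no uninstaller in /Applications/Utilities (good)."
    fi
    echo "NTAM: check System Preferences > Profiles; reinstall via the Self Service policy if missing."
}

main "$@"
```

Run it as `sh preflight.sh`. The version check is separate from the uninstaller check on purpose: the page only asks you to remove ActivClient on Mojave or later, so the script leaves it alone on older systems.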
Smartcard certificate not trusted
The certificates on your badge have a start ("not before") date as well as an expiration date. If your computer's battery runs all the way down, the clock resets to some definition of "the beginning of time"; recently we have seen that as January 1, 2019. If your badge's start date is after that, then as far as the Mac is concerned your badge is not yet valid, and its certificates are rejected as untrusted.
Solution
The fix is to reset the clock, of course, but how do you do that when you cannot even log in? Recovery Mode. This works even if you are not an administrator.
- Reboot your computer, holding down ⌘-R as soon as the boot sequence starts. You can let go of ⌘-R when the progress bar appears. (On an Apple silicon Mac, press and hold the power button instead until the startup options appear, then choose Options.)
- When the main menu comes up (the boot sequence is slow!), choose Terminal from the Utilities menu.
- Type date (and hit Return, as with all UNIX commands). You should see what the Mac thinks the current date is. If it is January 2019, we need to fix it.
- The format for setting the date is rather odd: MMDDhhmmYYYY, i.e., month-day-hour-minute-year, with the hour in 24-hour form. Thus,
date 032405172020
would set the clock to March 24, 2020 at 5:17am. (No sudo is needed; the Recovery Mode Terminal already runs as root.)
- Run date again (no numbers, just the plain command) to make sure things look OK.
- Quit Terminal.
- Reboot the computer.
- Famous last words, but that should fix the timing problems with your badge.
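The same check, worked as a script you can run from a Mac that does log in (or any machine with openssl): it builds the MMDDhhmmYYYY argument from a normal date and time, and it compares the clock with a certificate's "not before" date to tell you whether the not-yet-valid problem above is what you are hitting. This is an added example for this page, not an ASD or Apple tool. It assumes you have one of your badge certificates saved as a PEM file (badge-cert.pem is a placeholder name) and that openssl is on the PATH, as it is on macOS and Linux.

```shell
#!/bin/sh
# Clock-versus-certificate check. Added example for this page (not an ASD or
# Apple tool). It automates two things from the procedure above:
#   1. building the MMDDhhmmYYYY argument that the Recovery Mode `date` wants;
#   2. comparing the Mac's clock with a certificate's "not before" date, which is
#      exactly the "badge not yet valid" condition described above.
# Usage:  sh clockcheck.sh badge-cert.pem [REAL-DATE REAL-TIME]
#   e.g.  sh clockcheck.sh badge-cert.pem 2020-03-24 05:17
# badge-cert.pem is a placeholder for one of your badge certificates saved as PEM.

# "YYYY-MM-DD" "HH:MM"  ->  MMDDhhmmYYYY   (24-hour clock: 17:05 becomes 1705)
macos_date_arg() {
    yyyy=${1%%-*}; r=${1#*-}; mm=${r%%-*}; dd=${r#*-}
    hh=${2%%:*}; mi=${2#*:}
    out="$mm$dd$hh$mi$yyyy"
    case "$out" in *[!0-9]*) return 1 ;; esac     # non-digits: reject
    [ ${#out} -eq 12 ] || return 1                 # not zero-padded: reject
    printf '%s\n' "$out"
}

# The line printed by `openssl x509 -noout -startdate`
# ("notBefore=Mar 24 05:17:00 2020 GMT") -> "2020-03-24 05:17".
# Also accepts the matching notAfter= line.
openssl_date_to_iso() {
    s=${1#notBefore=}; s=${s#notAfter=}
    set -- $s                   # -> Mon DD HH:MM:SS YYYY GMT (DD may be one digit)
    case $1 in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    d=$2; [ ${#d} -eq 1 ] && d=0$d
    printf '%s-%s-%s %s\n' "$4" "$m" "$d" "${3%:*}"
}

# Exit 0 when CLOCK is strictly earlier than NOTBEFORE (both "YYYY-MM-DD HH:MM").
# Stripping punctuation leaves 12 zero-padded digits, so a numeric compare is exact.
# openssl reports GMT and `date` reports local time; for a clock that is off by
# a year, the few hours of zone offset do not matter.
clock_before() {
    a=$(printf '%s' "$1" | sed 's/[^0-9]//g'); b=$(printf '%s' "$2" | sed 's/[^0-9]//g')
    awk -v a="$a" -v b="$b" 'BEGIN { exit !(a + 0 < b + 0) }'
}

main() {
    cert=$1; real_date=${2:-}; real_time=${3:-}
    now=$(date '+%Y-%m-%d %H:%M')
    nb=$(openssl_date_to_iso "$(openssl x509 -in "$cert" -noout -startdate)") \
        || { echo "could not read notBefore from $cert" >&2; return 2; }
    if clock_before "$now" "$nb"; then
        echo "Mac clock $now is EARLIER than certificate start $nb: the badge will look not yet valid."
        if arg=$(macos_date_arg "$real_date" "$real_time"); then
            echo "In the Recovery Mode Terminal, run:  date $arg"
        else
            echo "Rerun with the real date and time (YYYY-MM-DD HH:MM) to get the exact date command."
        fi
        return 1
    fi
    echo "Mac clock $now is at or after certificate start $nb: the clock is not the problem."
}

# With no arguments only the functions are defined (so the file can be sourced).
[ $# -eq 0 ] || main "$@"
```

A non-zero exit means the clock is the likely culprit, and the printed date command is the one to type in Recovery Mode.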
Not sure whether your badge or card reader is any good
These tests can be done on your Mac if you are able to log in, or from another Mac if you have one available. (Even a personal Mac is OK, since in most cases this needs no special software.)
Testing your card reader
You can test your card reader with pcsctest (provided by Apple in /usr/bin, and available on many Linux systems). Insert your badge in the reader first. Run the command and answer "01" when it asks which card reader to use; it asks twice, so enter "01" both times. You want to see Command successful several times. (Control-C will get you out if it hangs.)
Testing your badge
You can also try reading the card from the command line, using Apple's command-line version of System Profiler (called System Information in recent versions of the OS). In a Terminal window, type:
system_profiler SPSmartCardsDataType
(which works if /usr/sbin is in your $PATH; otherwise use /usr/sbin/system_profiler). Look for printed-out certificates with valid dates. If you see only 10-15 lines of output in total, the card itself is not being read!
Or
You can see the certificates on your card with an application called "TokenShow". To install it, open Self Service.app, search (upper left) for "tokenshow", and install it. It shows you the current and expired certificates.
Or
The certificates are encoded in PEM format (base64 text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines), which is not readable as-is. You can download an ASD-developed (Python 2.7) script cert_read.py [control-click and "Save Link As"] which makes the output of the above system_profiler command far easier to understand. Download the script and either make it executable (chmod 755 cert_read.py) and run ./cert_read.py, or run it with /usr/bin/python cert_read.py. Note that /usr/bin/python (Python 2.7) is no longer included in macOS 12.3 and later.
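The reader test and the badge test above, scripted together so that one command runs pcsctest and then pulls the certificates out of the system_profiler output and decodes them with openssl (no Python required). This is an added example for this page; it is neither ASD's cert_read.py nor an Apple tool. It assumes pcsctest accepts its reader number from stdin (the page only describes typing it interactively) and that the card's certificates appear as PEM blocks in the system_profiler output, as the page says. The sample output embedded in the script is constructed for the demo, not real badge data, and the script keys only on the BEGIN/END markers, so the exact layout of the real output does not matter.

```shell
#!/bin/sh
# Reader-and-badge check for a logged-in Mac. Added example for this page, not an
# ASD or Apple tool. It scripts the pcsctest and system_profiler steps above and
# decodes the PEM certificates with openssl rather than cert_read.py. Usage:
#   sh badgecheck.sh live     run pcsctest, then read the card via system_profiler
#   sh badgecheck.sh FILE     analyse saved `system_profiler SPSmartCardsDataType` output
#   sh badgecheck.sh demo     run the analysis over the constructed sample below

# Drive pcsctest without typing: it asks twice which reader to use, so feed it
# "01" twice. Assumption (not stated on the page): pcsctest reads those answers
# from stdin. If it hangs there is no working reader; Control-C as the page says.
test_reader() {
    command -v pcsctest >/dev/null 2>&1 || { echo "pcsctest not found"; return 2; }
    out=$(printf '01\n01\n' | pcsctest 2>&1)
    ok=$(printf '%s\n' "$out" | grep -c 'Command successful')
    echo "pcsctest: $ok 'Command successful' line(s)"
    [ "$ok" -gt 0 ]
}

# Print only the PEM certificate blocks found anywhere in stdin. system_profiler
# indents them; openssl wants the markers at column 0, so strip leading blanks.
extract_pem_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { inblock = 1 }
         inblock { sub(/^[ \t]+/, ""); print }
         /-----END CERTIFICATE-----/ { inblock = 0 }'
}

# Number of certificate blocks in stdin (0 when the card was not read).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# The page's rule of thumb: 10-15 lines of total output means the card itself
# was not read. Exit 0 when stdin is longer than that.
profiler_output_looks_complete() {
    [ "$(wc -l | tr -d ' ')" -gt 15 ]
}

# Subject and validity window of every certificate in stdin, via openssl.
describe_certs() {
    tmp=$(mktemp)
    extract_pem_certs | while IFS= read -r line; do
        printf '%s\n' "$line" >>"$tmp"
        case $line in *END\ CERTIFICATE*)
            openssl x509 -in "$tmp" -noout -subject -startdate -enddate 2>/dev/null \
                || echo "  (block did not parse as an X.509 certificate)"
            : >"$tmp" ;;
        esac
    done
    rm -f "$tmp"
}

analyse_profiler_output() {        # $1: file holding the system_profiler output
    profiler_output_looks_complete <"$1" \
        || echo "Only $(wc -l <"$1" | tr -d ' ') lines of output: the badge was probably not read."
    n=$(count_pem_certs <"$1")
    echo "$n certificate block(s) found on the badge"
    [ "$n" -gt 0 ] && describe_certs <"$1"
}

# Constructed sample in the general shape system_profiler prints, with bogus
# bodies (base64 of plain text, not DER). The parser keys only on the BEGIN/END
# markers, so the exact indentation and field names do not matter.
sample_profiler_output() {
    printf '%s\n' 'SmartCards:' '' '    Available SmartCards (keychain):' \
        '      Cert #0:' '        -----BEGIN CERTIFICATE-----' \
        '        Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnQ=' \
        '        -----END CERTIFICATE-----' \
        '      Cert #1:' '        -----BEGIN CERTIFICATE-----' \
        '        YW5vdGhlciBjb25zdHJ1Y3RlZCBibG9ja' \
        '        -----END CERTIFICATE-----'
}

case ${1:-} in
    '')   echo "usage: $0 live | FILE | demo" >&2 ;;
    live) test_reader; f=$(mktemp); /usr/sbin/system_profiler SPSmartCardsDataType >"$f" 2>/dev/null
          analyse_profiler_output "$f"; rm -f "$f" ;;
    demo) f=$(mktemp); sample_profiler_output >"$f"; analyse_profiler_output "$f"; rm -f "$f" ;;
    *)    analyse_profiler_output "$1" ;;
esac
```

On a working setup `sh badgecheck.sh live` prints several "Command successful" lines from pcsctest and then one subject/notBefore/notAfter triple per certificate on the badge; a short output and "0 certificate block(s)" points at the card or reader, not at NDC.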
Other tests you can do
Outlook Web Access
Are you able to log in to the web version of Outlook? Try it here: https://outlook.office365.com. Give your username as <Your_AUID>@ndc.nasa.gov (not your email address).
Testing command-line PIV functionality
Use our PIV instructions (from a Mac or Linux computer) to see whether your badge works for that. This helps determine whether the problem is in your badge or in your NDC account.
David Friedlander
23 March 2020, 19 Feb 2021