• Firefox Use Smart Card
• How To Access Firefox Browser
• Configure Firefox For Smart Card Access Mac Free
• Configure Firefox For Smart Card Access Mac Computer
• Firefox Configure Proxy

Configure Firefox for use with Smart Card (Windows) Configure Firefox for use with Smart Card (Mac OS X) How do I digitally sign documents? Adobe Documents. Configure Adobe Acrobat / Reader for use with Smart Cards; How do I send/receive encrypted and digitally sign email? Smart Card Apple Mail Configuration and Users Guide.

1. Access Gateway Configuration. Complete the following to configure Access Gateway: The Access Gateway virtual server must have all necessary CA certificates bound as CA certificates. In case the certificate for the Smart Card has an intermediate authority, both the intermediate and root must be bound separately as CA certificates.
2. Oct 10, 2016.
3. To verify that your virtual smart card configuration and certificate enrollment were successful, sign out of your current session, and then sign in. When you sign in, you will see the icon for the new TPM virtual smart card on the Secure Desktop (sign in) screen or you will be automatically directed to the TPM smart card sign-in dialog box.

NOTE:

Between mid October 2019 and mid February 2020 everyone in the Army was migrated to use their PIV Authentication certificate for Email access. You no longer use the Email certificate for Enterprise Email.

Mac users who choose to upgrade (or already have upgraded) to Mac OS Catalina (10.15.x) will need to uninstall all 3rd Party CAC enablers per https://militarycac.com/macuninstall.htm AND reenable the built in smart card ability (very bottom of macuninstall link above)

If you purchased your Mac with OS Catalina (10.15.x) already installed, you can skip the uninstall part above and follow the instructions below.

6 'high level' steps needed, follow down the page to make this a painless systematic process

1.	Is your CAC reader 'Mac friendly'?
2.	Can your Mac 'see' the reader?
3.	Verify which version of Mac OS you have
4.	Figure out which CAC (ID card) you have
5.	Install the DoD certificates
5a.	Additional DoD certificate installation instructions for Firefox users
6.	Decide which CAC enabler you want to use (except for 10.12-.15)

Firefox Use Smart Card

Step 1: Is your CAC reader Mac friendly?

Visit the USB Readers page to verify the CAC reader you have is Mac friendly.

Visit the USB-C Readers page to verify the CAC reader you have is Mac friendly.

'Some, not all' CAC readers may need to have a driver installed to make it work.

NOTE: Readers such as: SCR-331 & SCR-3500A may need a firmware update (NO OTHER Readers need firmware updates).

Information about these specific readers are in Step 2

Step 2: Can your Mac 'see' the reader?

Plug the CAC reader into an open USB port before proceeding, give it a few moments to install

Step 2a: Click the Apple Icon in the upper left corner of the desktop, select 'About This Mac'

Step 2b: Click 'System Report...' (button)

Step 2c: Verify the CAC reader shows in Hardware, USB, under USB Device Tree. Different readers will show differently, most readers have no problem in this step. See Step 2c1 for specific reader issues.

How To Access Firefox Browser

Step 2c1: Verify firmware version on your SCR-331 or GSR-202, 202V, 203 CAC, or SCR-3500a reader. If you have a reader other than these 5, Proceed directly to step 3

Step 2c1a-SCR-331 reader

If your reader does not look like this, go to the next step.

In the 'Hardware' drop down, click 'USB.' On the right side of the screen under 'USB Device Tree' the window will display all hardware plugged into the USB ports on your Mac. Look for “SCRx31 USB Smart Card Reader.” If the Smart Card reader is present, look at 'Version' in the lower right corner of this box: If you have a number below 5.18, you need to update your firmware to 5.25. If you are already at 5.18 or 5.25, your reader is installed on your system, and no further hardware changes are required. You can now Quit System Profiler and continue to Step 3.

Step 2c1b-SCR-3500A reader

If you have the SCR3500A P/N:905430-1 CAC reader,you may need to install this driver, as the one that installs automatically will not work on most Macs. Hold the control key [on your keyboard] when clicking the .pkg file [with your mouse], select [the word] Open

Step 3: Verify which version of MacOS do you have?

(You need to know this information for step 6)

Step 3a: Click the Apple Icon in the upper left corner of your desktop and select 'About This Mac'

Step 3b: Look below Mac OS X for: Example: Version 10.X.X.

Step 4: Figure out which CAC (ID Card) you have

(You need to know this information for step 6)

Look at the top back of your ID card for these card types. If you have any version other than the six shown below, you need to visit an ID card office and have it replaced. All CACs [other than these six] were supposed to be replaced prior to 1 October 2012.

Find out how to flip card over video

Step 5: Install the DoD certificates (for Safari and Chrome Users)

Go to Keychain Access

Click: Go (top of screen), Utilities, double click Keychain Access.app

(You can also type: keychain access using Spotlight (this is my preferred method))

Select login (under Keychains),and All Items (under Category).

Download the 5 files via links below (you may need to <ctrl> click, select Download Linked File As... on each link) Save to your downloads folder

Please know... IF You have any DoD certificates already located in your keychain access, you will need to delete them prior to running the AllCerts.p7b file below.

https://militarycac.com/maccerts/AllCerts.p7b,

https://militarycac.com/maccerts/RootCert2.cer,

https://militarycac.com/maccerts/RootCert3.cer,

https://militarycac.com/maccerts/RootCert4.cer, and

Configure Firefox For Smart Card Access Mac Free

Double click each of the files to install certificates into the login section of keychain

Select the Kind column, verify the arrow is pointing up, scroll down to certificate, look for all of the following certificates:

DOD EMAIL CA-33 through DOD EMAIL CA-34,

DOD EMAIL CA-39 through DOD EMAIL CA-44,

DOD EMAIL CA-49 through DOD EMAIL CA-52,

DOD EMAIL CA-59,

DOD ID CA-33 through DOD ID CA-34,

DOD ID CA-39 through DOD ID CA-44,

DOD ID CA-49 through DOD ID CA-52,

DOD ID CA-59

DOD ID SW CA-35 through DOD ID SW CA-38,

DOD ID SW CA-45 through DOD ID SW CA-48,

DoD Root CA 2 through DoD Root CA 5,

DOD SW CA-53 through DOD SW CA-58, and

DOD SW CA-60 through DOD SW CA-61

NOTE: If you are missing any of the above certificates, you have 2 choices,

1. Delete all of them, and re-run the 5 files above, or

2. Download the allcerts.zip file and install each of the certificates you are missing individually.

Errors:

Error 100001 Solution

Error 100013 Solution

You may notice some of the certificates will have a red circle with a white X . This means your computer does not trust those certificates

You need to manually trust the DoD Root CA 2, 3, 4, & 5 certificates

Double click each of the DoD Root CA certificates, select the triangle next to Trust, in the When using this certificate: select Always Trust, repeat until all 4 do not have the red circle with a white X.

You may be prompted to enter computer password when you close the window

Once you select Always Trust, your icon will have a light blue circle with a white + on it.

The 'bad certs' that have caused problems for Windows users may show up in the keychain access section on some Macs. These need to be deleted / moved to trash.

The DoD Root CA 2 & 3 you are removing has a light blue frame, leave the yellow frame version. The icons may or may not have a red circle with the white x

or	DoD Interoperability Root CA 1 or CA 2	certificate
DoD Root CA 2 or 3 (light blue frame ONLY)	certificate
or	Federal Bridge CA 2016 or 2013	certificate
or	Federal Common Policy CA	certificate
or	or	SHA-1 Federal Root CA G2	certificate
or	US DoD CCEB Interoperability Root CA 1	certificate

If you have tried accessing CAC enabled sites prior to following these instructions, please go through this page before proceeding

Clearing the keychain (opens a new page)

Please come back to this page to continue installation instructions.

Step 5a: DoD certificate installation instructions for Firefox users

NOTE: Firefox will not work on Catalina (10.15.x), or last 4 versions of Mac OS if using the native Apple smartcard ability

Download AllCerts.zip, [remember where you save it].

double click the allcerts.zip file (it'll automatically extract into a new folder)

Option 1 to install the certificates (semi automated):

From inside the AllCerts extracted folder, select all of the certificates

<control> click (or Right click) the selected certificates, select Open With, Other...

In the Enable (selection box), change to All Applications

Select Firefox, then Open

You will see several dozen browser tabs open up, let it open as many as it wants..

You will eventually start seeing either of the 2 messages shown next

If the certificate is not already in Firefox, a window will pop up stating 'You have been asked to trust a new Certificate Authority (CA).'

Check all three boxes to allow the certificate to: identify websites, identify email users, and identify software developers

or

'Alert This certificate is already installed as a certificate authority.' Click OK

Once you've added all of the certificates...
• Click Firefox (word) (upper left of your screen)
• Preferences
• Advanced (tab)
• Press Network under the Advanced Tab
• In the Cached Web Content section, click Clear Now (button).
• Quit Firefox and restart it

Option 2 to install the certificates (very tedious manual):

Click Firefox (word) (upper left of your screen)

Preferences

Advanced (tab on left side of screen)

Certificates (tab)

View Certificates (button)

Authorities (tab)

Import (button)

Browse to the DoD certificates (AllCerts) extracted folder you downloaded and extracted above.

Note: You have to do this step for every single certificate

Note2: If the certificate is already in Firefox, a window will pop up stating: 'Alert This certificate is already installed as a certificate authority (CA).' Click OK

Note3: If the certificate is not already in Firefox, a window will pop up stating 'You have been asked to trust a new Certificate Authority (CA).'

Check all three boxes to allow the certificate to: identify websites, identify email users, and identify software developers

Once you've added all of the certificates...
• Click Firefox (word) (upper left of your screen)
• Preferences
• Advanced (tab)
• Press Network under the Advanced Tab
• In the Cached Web Content section, click Clear Now (button).
• Quit Firefox and restart it

Step 6: Decide which CAC enabler you can / want to use

Only for Mac El Capitan (10.11.x or older)

After installing the CAC enabler, restart the computer and go to a CAC enabled website

Configure Firefox For Smart Card Access Mac Computer

NOTE: Mac OS Sierra (10.12.x), High Sierra (10.13.x), Mojave (10.14.x) or Catalina (10.15.x) computers no longer need a CAC Enabler.

Try to access the CAC enabled site you need to access now

Mac support provided by: Michael Danberry

Applicable Products

• Access Gateway 10

Objective

This article describes how to Integrate Web Interface 5.3 and Access Gateway Enterprise for Pass-through Access.

Requirements

• XenApp and Web Interface servers must be domain members

• XenApp XML service must be running with IIS on the XenApp farm. This is because Kerberos authentication is done by IIS on the Smart Card user’s behalf

• Smart Card middleware is no longer needed to be installed on Web Interface or XenApp servers. This is because this process uses Kerberos for authentication

• Access Gateway Enterprise 9.2 Build 48.6 or later must be used

• Web Interface 5.4 build 51 must be used

• Web Interface must not be installed on a Domain Controller

• XenApp 4.5 and 5.0 have been tested

• XenApp 6.0 requires fix #242752 which is currently available in XA600W2K8R2X64R02, CTX133882 ‑Hotfix Rollup Pack 2 for Citrix XenApp 6 for Microsoft Windows Server 2008 R2 (Included in XenApp 6.5)

• Active Directory domain functional level must be 2003, 2008 or 2008 R2

Instructions

Complete the following procedures accordingly:

Active Directory Configuration

Complete the following steps to configure Active Directory:

1. Configure Delegation for XenApp and Web Interface servers.

   Web Interface must delegate http service to all XML servers.
2. The XenApp server must delegate http and host service to themselves plus host and http service to all XenApp servers. Each XenApp server must also delegate CIFS and LDAP services to the Domain Controllers. Note: The examples of Constrained Delegation, as demonstrated above, are meant to be examples of the minimum configuration required to allow logging on. If a Published Desktop or Published Application uses other resources not on the XenApp server itself (for example, CIFS file shares, SQL, DCOM) additional configuration might be required. Any server hosting that resource must be configured to allow for the XenApp server to access the resource. The correct Service Principal Names (SPN) must be configured for those resources.

Web Interface Configuration

Complete the following steps to configure web interface:

1. Create a Web Interface site with authentication set to at access gateway.
2. The proper Gateway URL must be entered and resolvable from the Web Interface server in addition to Smart Card being selected.
3. Enable smart card pass-through.

4. Reboot the Web Interface.

XenApp Configuration

Complete the following steps to configure XenApp:

Firefox Configure Proxy

1. Set each XenApp server to trust XML requests.

   Note: On XenApp 6.x, this location has changed to the server policy being used.

2. Then, when configuring the Web Interface site, ensure that the XenApp servers are defined with their fully qualified domain name, which itself must be resolvable by Web Interface. The fully qualified domain name MUST match its name in Active Directory. Failing to do this causes Kerberos authentication to fail and an Access Denied error page to appear.

Access Gateway Configuration

Complete the following to configure Access Gateway:

1. The Access Gateway virtual server must have all necessary CA certificates bound as CA certificates. In case the certificate for the Smart Card has an intermediate authority, both the intermediate and root must be bound separately as CA certificates.

2. Configure the Access Gateway virtual server with client certificate optional.

   Otherwise, the callback from Web Interface FAILS.
3. Configure an authentication policy forcing a client certificate to be presented. If this is not configured, anyone will be able to log on.
4. Depending on Active Directory configuration the profile might need to use the Alternate Subject Name on the Smart Card. This would be the case with DoD CAC Smart cards and also cases where there are multiple CN attributes identifying the user. Important! If not using SubjectAltName for the user name field, a Single Sign-On Domain must be configured either on global settings or the session profile.
   The profile does not necessarily have to be configured with group information. However, if configured, Access Gateway performs group extraction based on the criteria chosen for it.

5. The most important configuration on Access Gateway Enterprise is the Single Sign-on (SSO) Domain field within the session profile and global setting. A new knob has been introduced on Access Gateway Enterprise where, if a SSO name is entered, the UPN from the Smart Card certificate is split in half. This is very important to understand, and in case of DoD CAC cards, this field must be left blank from both global settings and the session profile. When the field is left blank, Access Gateway forwards the user name in full UPN.

   • To control this behavior, there is a new shell command (Note: This is shell command and not CLI command). The name of the variable is wi_sso_split_upn. If non-zero and Single Sign-On domain is not set, UPN splits into username and domain during SSO to Web Interface. If zero, UPN is used for SSO to Web Interface.

   • To change the variable value, if necessary, connect using SSH, type shell, and then type nsapimgr –ys wi_sso_split_upn=1. Note: There should be very few situations where it is necessary to change this value from the default value.

   • In summary, there are four possible scenarios:
     - If SSO domain is entered and this variable is default, UPN is split in half.
     - If SSO domain is entered and this variable is changed to anything other than 0, UPN is split in half.
     - If SSO domain is not entered and this variable is default, UPN is used for SSO with Web Interface.
     - If SSO domain is not entered and this variable is changed to anything other than 0, UPN is split in half.

   • The URL for Web Interface in the Session Profile (or Global Settings) must use SSL. This means that a SSL certificate must be properly installed on the Web Interface server.

Issues Seen During Implementation

During implementation of this configuration on a pure Windows 2008 Environment and Citrix XenApp 5.0 a XenApp hotfix had to be installed. The hotfix addressed an issue where upon launching a published application the connection would be terminated and the DNS Client Service on the XenApp server would terminate. The hotfix that addressed this issue is CTX125414 ‑ Hotfix Rollup Pack 1 for Citrix XenApp 5.0 for Microsoft Windows Server 2008 32-bit Edition, XAE500W2K8R01.

• While attempting to launch a published application Web Interface would report “The resource is no longer available” on the web page. This would prevent an ICA file to be created and the server would log on Event Viewer:
  Site path: C:inetpubwwwrootInternalSmartCard.

  The XML document sent by the Citrix servers could not be processed because it contains invalid XML. This message was reported from the XML Service at address http://xa50.repro2k8.net:80/scripts/wpnbr.dll [com.citrix.xml.NFuseProtocol.RequestLaunchRef]. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services. [Unique Log ID: da4f1ad1]

  To correct this issue the Local Computer policy was adjusted to allow logon locally for Domain Users.

• Smart Card implementation for Gemalto Gemplus Smart Cards requires Gemalto “Classic Client” for Firefox integration on a Red Hat system. This software must be purchased from Gemalto and is not freely available

• DoD CAC Smart Cards in a Linux based operating system can be used with the use of a freely available library called “coolkey”. On an Ubuntu operating system the packages added were: libusb-0.1-4, libpcsclite1, libpcsclite-dev, pcscd, and pcsc-tools (the actual command was “sudo apt-get install libusb-0.1-4 libpcsclite1 libpcsclite-dev pcscd pcsc-tools build-essential autoconf xlibs-dev libccid”)
  Firefox was then configured to load libcoolkeypk11.so under Tools > Options > Advanced > Encryption > Security Devices.

• On a Windows machine if Firefox is intended to be used, additional configuration is needed. Under Tools > Options > Advanced > Encryption > Security Devices a new Device must be loaded. The DLL to be loaded for a GemPlus Smart Card is called gclib.dll and it is usually placed under Program FilesGemplusgemSafe Libraries UserBIN

• While launching a published application the user would start the session, login to the server, but the server would quickly report “Access is denied” before displaying the application. The same user would be able to login through RDP or using an Explicit login to Web Interface. This issue is currently under investigation but to get around the problem the registry DWORD IgnoreRegUserConfigErrors was created under HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server.

Known Limitations

This configuration causes two PIN prompts from the user if connecting from a non-domain member or if the client machine is a domain member but using Windows Vista or later.

This first condition occurred because the user logged on to Windows and did not log on with the Smart Card. Therefore, the ICA client cannot grab and provide smart card information from Winlogon.

The second condition occurred because of a change in security done by Microsoft on Windows Vista and later. On Windows Vista/7 the behavior of Windows has changed. Upon a smart card logon the mpnotify.exe process is simply not invoked by Winlogon.exe anymore (it is still invoked for username/password logon). The only way we currently know to capture the smart card logon PIN on Vista/7 is to install a credential wrapper. However, this is not something recommended by Microsoft.

Additional Resources

CTX131223 - Enabling Smart Card PIN Pass-Through on Windows Vista or Windows 7 Citrix Session

If this workaround is not applied, a PIN prompt is displayed by the browser.

And a PIN prompt from the XenApp plug-in when launching an application.