Friday, February 17, 2017

DoD CAC on a Mac: Login Troubleshooting

Like many of you, I'm now a Mac dude; however, if you are DoD, this can become an insane headache (see any Mac article on militarycac.com).

In the example below, we had a shared iMac that everyone uses, and as of OS X Sierra you can use your CAC to log in! In my case, I put my CAC in and it automagically associated my CAC with that shared user account ... not MY account!

Here's how to remove the CAC from the other user account and get it on yours. You'll need these things to continue:

  1. Your CAC reader and CAC
  2. Terminal

All of this magic happens because of the Apple terminal command sc_auth. We'll be using it exclusively to fix our stuff.

  1. Open a terminal (I always just do ⌘+spacebar)
  2. Type sudo -s
  3. Type cd /etc
  4. Type rm authorization.cac (If this file does not exist, then yay! We're good to go)
  5. Make sure your CAC is inserted and visible to the OS (open Keychain Access; your CAC certs should be at the top of the list. If they are not, your CAC reader is not installed or the OS can't see your certs). Then type:
    1. sc_auth hash (You should see your 3 DoD certs pop up with a hash string in front of your name. This is good because the OS now knows what your certs are)
    2. Now, this is cool, but you probably don't know which one is your PIV cert for signing into your Mac, so type sc_auth identities. You should see the hash along with "Certificate for PIV Authentication (lastname.first.middle.cacid)"; this is the one we want!
    3. Now, to remove the previous CAC pairing from the other account, type:
      1. sc_auth unpair -u username (obviously replacing username with the account that currently holds the pairing)
    4. Now copy the hash for your PIV certificate and pair it with your user account. The command to run is:
      1. sc_auth pair -u username -h 39DDR9FXI9XFKK9X9FKEKO3 (Obviously, put your own username and your PIV hash there)
    5. You should now be prompted (if you're logged into the Mac OS X account you want to use your CAC on) for your PIN, and you're set!
    6. You're done! Now go to the login screen and you should be prompted for a CAC PIN on your account.
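As an added example that is not part of the original post, this POSIX shell script picks the PIV Authentication hash out of sc_auth identities output and prints the unpair/pair commands above as a dry run, so you can eyeball the hash and the two account names before running anything as root. The sample identities output, the hashes, the name in parentheses and the account names sharedaccount/yourusername are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: pull the PIV Authentication hash
# out of `sc_auth identities` output and print the exact unpair/pair commands.
# SAMPLE_IDENTITIES is constructed to mirror the shape the post describes;
# the hashes and the name in parentheses are placeholders, not real values.
SAMPLE_IDENTITIES='SmartCard: com.apple.pivtoken:CONSTRUCTED
Unpaired identities:
A1B2C3D4E5F60718293A4B5C6D7E8F9012345678 Certificate for PIV Authentication (DOE.JOHN.A.1234567890)
0F0E0D0C0B0A09080706050403020100FFEEDDCC Certificate for Digital Signature (DOE.JOHN.A.1234567890)
CCDDEEFF00010203040506070809000A0B0C0D0E Certificate for Key Management (DOE.JOHN.A.1234567890)'

# Print the hash (first field) of the first line naming the PIV Authentication cert.
# The match is case-insensitive so the label's capitalisation does not matter.
piv_hash() {
    printf '%s\n' "$1" | awk 'tolower($0) ~ /piv authentication/ { print $1; exit }'
}

# Emit the commands from the post instead of executing them (dry run).
#   $1 = identities output   $2 = account that wrongly holds the CAC   $3 = your account
repair_commands() {
    h=$(piv_hash "$1")
    if [ -z "$h" ]; then
        echo "no PIV Authentication identity found; is the CAC inserted?" >&2
        return 1
    fi
    printf 'sudo sc_auth unpair -u %s\n' "$2"
    printf 'sudo sc_auth pair -u %s -h %s\n' "$3" "$h"
    printf 'sudo sc_auth list -u %s\n' "$3"   # verify: the PIV hash should now be listed
}

# On a Mac with the reader attached, read the real output; elsewhere fall back to the sample.
identities=$(sc_auth identities 2>/dev/null) || identities=$SAMPLE_IDENTITIES
repair_commands "$identities" sharedaccount yourusername
```

Copy the printed lines into your root shell once the hash and user names look right; sc_auth list -u username afterwards shows which hash is paired with that account.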

TL;DR:
sc_auth unpair -u oldusername
sc_auth identities
(copy the PIV hash)
sc_auth pair -u goodusername -h (HASH GOES HERE)
Enter your PIN when prompted