DoD CAC not working in Windows 7

  • Wednesday, May 06, 2009 5:48 PM jleonar
     
    Didn't know quite where to put this:

    Windows 7 32bit 
    SCRx31 Smart Card reader

    I go to DoD websites requiring mutual SSL, IE will look for certificates and find my CAC.  It will ask me which certificate to use then nothing.

    Add ActivClient 6.1 to the mix because that was previously required in other versions of Windows to interact with the DoD CAC.

    Same issue.  It appears in that case, that windows and activclient fight over which software is going to handle the smart card.

    Any  ideas?

All Replies

  • Thursday, May 07, 2009 1:06 AM Billie On Pc

    That's because there is no software for the DOD CAC for Windows 7 yet. But I'm gonna try and get the 64 Bit Vista to work. I'll let you know.
  • Thursday, May 07, 2009 2:21 AM Billie On Pc

    The actual install file needs to install other things first and therefore it's an HTML program and it will not start in Compatibility mode.
    It'll be tricky but I might get it to work. There are 5 parts to the install and they must happen in the right order to work.
  • Thursday, May 07, 2009 3:46 AM Billie On Pc
     Answer
    You need to install the vcredist file first and then the ActivClient6_1_homeuse_v2. Also, it will show that the certs are not validated; ignore this.
    If you had the 64 bit you must reg. the Publishers yourself. You may be able to get the 64 bit version at work and it will show you how to install them.

    Or wait till the AF releases a version for Windows 7.
  • Thursday, May 07, 2009 12:15 PM jleonar

    I never had an issue getting ActivClient installed.  It is installed and functioning.  I can look at my certificates and everything is fine using the ActivClient software.  It is when I go into IE to try and use my CAC.  I open up IE, go to a site, it looks for my certificates, asks which one I want to use, then nothing.  It never actually goes to access the CAC using ActivClient.  I am never prompted for my password.

    The vcredist is installed, as ActivClient won't install without it.
  • Thursday, May 07, 2009 1:36 PM Billie On Pc

    Active Client will install only the VCredist and also the other installs.

    I'm running Win 7 64 bit and it works fine.

    Also the nipnet needs to be called out.

    You cannot install it like normal.
    I can go to the Portal and webmail without any problems.
  • Thursday, May 07, 2009 2:00 PM jleonar

    Can you provide a step by step on how you actually installed it with the version of vcredist you used?
  • Thursday, May 07, 2009 2:47 PM Billie On Pc

    I unpacked the Zip file.

    I ran NIPRDODCerts_v4_0, went to Troubleshoot Compat., went to Troubleshoot Program and said it worked in earlier versions of Windows and chose Vista Service Pack 2.

    Then I ran VCredist.

    Then Active Client with the Troubleshoot Compat. like above.

    Note you'll have to uninstall it before you reinstall it!

    Ver. is ActivClient6_1_homeuse_v2
  • Thursday, May 07, 2009 2:53 PM jleonar
     
    What version of VCredist is it?  2005 or 2008?

    My command doesn't distribute the cac software the same as you are getting it.  I don't have a program called NIPRDODCerts_v4_0. I assume that is very simply the DoD root certificates.  I download the ActiveClient and that is all.  It is ActiveClient 6.1.  It comes packaged with a version of VCredist but it is the 2005 version.  There is a 2008 version available from Microsoft.

    I am starting from a fresh install of Windows 7.
    • Edited by jleonar Thursday, May 07, 2009 2:54 PM
  • Thursday, May 07, 2009 3:37 PM Billie On Pc

    You'll need the 2005 version for it to work. What command are you?
  • Thursday, May 07, 2009 5:34 PM jleonar
     
    Still doesn't work for me.  ActivClient installs fine.  The communication between IE and ActivClient doesn't.

    I installed firefox and configured it to use ActivClient.  Everything works perfectly.  It is just too bad there are a number of websites that require IE to function properly.
  • Friday, May 15, 2009 4:53 PM USchmidt
     
    Odd, everything seemed to work for me, and I didn't need to install ActivClient.

    I have Windows 7 RC (Build 7100) - installed on Macbook (Late 2007). Plugged in the card reader (SCR3310), it installed drivers, placed my CAC in the reader and it installed additional drivers (for some reason). Then I downloaded the root certificates, used "Troubleshoot Compatibility" and it ran it as XP SP2, checked and the certificates are good. Went to AFPortal, my webmail, etc and it came up prompting for my pin and I had access.
  • Monday, August 10, 2009 2:37 PM ggiedd

    Any updates to this with Win 7 RTM? 
  • Tuesday, August 11, 2009 7:53 PM graye

    I can confirm what others have already said...   On Win 7 RTM, you do not need to install ActivClient at all.   I was able to get to my Outlook Web Access (OWA) portal just as before.  It prompted me for which certificate to use, and then prompted me again for my PIN.

    BTW: I originally thought that ActivClient was required and attempted to install it... but it failed with "the wizard was interrupted".   Now, I'm glad it didn't install!
  • Wednesday, August 12, 2009 11:41 AM ggiedd

    Not so for us.   Without ActivClient installed, we can't log in to the domain using the smartcard.  We can, however, go to websites that are CAC enabled using some CACs.  It appears that newer cards work, but ones older than a yr old don't.  If we install ActivClient, we can log in with the CAC and go to websites with all cards.

    I'm guessing that ActivClient installs the registry entries to allow all of the cards to be recognized.  So for us, we have to use the middleware.

    Thanks
  • Sunday, August 16, 2009 5:40 AM A1CMCCOLLUM

    I'm running the same build you are on an HP, same reader, have all the drivers, all certificates installed correctly, but can't access AFPortal.  Every time I try it says I need to have certificates loaded to the desktop before proceeding.  Any help would be appreciated.  I can access some other sites requiring a CAC, with both IE8 and FF 3.5, just not AFPortal.
  • Monday, August 31, 2009 8:25 AM cmoote
     Proposed Answer
    Windows 7 RTM works great with DoD CAC using IE8 with no additional software installed (i.e. ActivIdentity, ActivCard Gold).  This statement is true only after you change some settings in IE as the default settings don't allow for Client Authentication.  

    Please ensure none of the following smart card software clients (i.e. ActivIdentity, ActivCard, ActivCard Gold) are installed before continuing.

    Open IE8 and perform the following:

    1.  Select Tools > Internet Options
    2.  Now select the "Content" tab and then click the "Certificates" button
    3.  Under the "Personal" tab you should see your current certificates from your CAC if your smart card reader and smart card were successfully installed.  While on the "Personal" tab click the "Advanced" button at the lower right corner.
    4.  From within the Advanced Options configuration window select the checkbox for "Client Authentication" (also "Secure Email" if needed) and then click OK.

    Your default install of IE8 that came with Windows 7 RTM should now not only prompt you for the certificate to use for authentication, but also now prompt you for the PIN.

    Note: If you run into further issues please verify that TLS 1.0 and SSL 3.0 are enabled:  Internet Options > Advanced tab > Security section and then select the checkboxes for those listed prior.
    • Proposed As Answer by cmoote Monday, August 31, 2009 8:28 AM
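
Added example, not part of cmoote's post or of any DoD or Microsoft tooling: a PowerShell report over the Personal store that the IE "Certificates" dialog in the steps above displays, showing for each certificate whether it carries the Client Authentication or Secure Email purpose and whether its chain builds to a locally trusted root. The function name `Get-PersonalCertReport` is hypothetical, and revocation checking is disabled as an assumption so the report runs offline.

```powershell
# Added example (not from the thread). Get-PersonalCertReport is a hypothetical name.
function Get-PersonalCertReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    # Certificate purposes (EKU OIDs) that matter for CAC use.
    $oid = @{
        ClientAuth     = '1.3.6.1.5.5.7.3.2'       # TLS client authentication
        SecureEmail    = '1.3.6.1.5.5.7.3.4'       # S/MIME signing and encryption
        SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'  # Windows/domain smart card logon
    }
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # A certificate with no EKU extension is valid for every purpose.
        $ekuExt = $cert.Extensions | Where-Object { $_ -is $ekuType }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $anyPurpose = -not $ekuExt

        # Build the chain against the local trust stores. Revocation checking
        # is switched off (assumption) so the report also works offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        New-Object PSObject -Property @{
            Name           = $cert.GetNameInfo('SimpleName', $false)
            Issuer         = $cert.GetNameInfo('SimpleName', $true)
            Expired        = ($cert.NotAfter -lt (Get-Date))
            HasPrivateKey  = $cert.HasPrivateKey
            ClientAuth     = ($anyPurpose -or ($ekus -contains $oid.ClientAuth))
            SecureEmail    = ($anyPurpose -or ($ekus -contains $oid.SecureEmail))
            SmartCardLogon = ($anyPurpose -or ($ekus -contains $oid.SmartCardLogon))
            ChainOk        = $chainOk
            ChainStatus    = $status
        }
    }
}

Get-PersonalCertReport |
    Select-Object Name, Issuer, Expired, HasPrivateKey, ClientAuth, SecureEmail,
                  SmartCardLogon, ChainOk, ChainStatus |
    Format-List
```

A `ChainStatus` of `UntrustedRoot` or `PartialChain` indicates the issuing root or intermediate certificates are missing from the local stores; `ClientAuth` set to `False` means that certificate is not valid for mutual SSL.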
  • Monday, September 28, 2009 1:26 PM av8rdude
     
    I can use my cac reader to log on to web sites but I cannot digitally sign documents with IBM Lotus Viewer.  I get the following error:
    NO IDENTITY FOUND
    "The specified CSP doesn't contain any unexpired digital signature certificates matching your certificate filter (see Advanced Preferences)."

    I have tried it with the ActivClient software installed and with it removed.  In either case Windows seems to manage the certificates for logging on just fine.  But the IBM Lotus Viewer tries to manage the certificates and can't find them.

    Any ideas?  TIA,
    Scott
    • Edited by av8rdude Monday, September 28, 2009 1:28 PM
  • Wednesday, September 30, 2009 3:50 AM CarlisleMC
     
    I was able to get past the problem above with IBM Lotus Viewer.  I did this by installing the DoD configuration Add-on to Firefox on Windows 7, then adding a security device to firefox for the acpcks201.dll file in c:\windows\system32.  This now allows me to sign files in Lotus Viewer, but once I do so, it immediately says the signature is invalid b/c the issuer of the signer's digital signature could not be verified.
  • Saturday, October 03, 2009 12:13 AM av8rdude

    This is the same error I had with Vista for a while.  I can live with that because you can still sign documents....

    Any suggestions on how I can implement this fix in IE?  I have no interest in other browsers.

    TIA,
    Scott
  • Monday, October 05, 2009 6:49 PM av8rdude
     
    Ok I have found a temporary solution to the problem with IBM Lotus Viewer...

    I installed the windows 7 XP compatibility mode application.  Now I can sign documents inside the xp environment and save them.

    Cheers,
    Scott
  • Wednesday, November 04, 2009 3:17 PM tbg42
     
    Has anyone had the problem of your Smart Card Reader driver working fine, but a Smart Card driver showing up as missing or not installed?  I believe it is something new in Win 7.

    I updated all of my drivers but for some reason Windows wants a separate driver for the smart card.

    If anyone has a solution for this, it would be greatly appreciated.

    Thanks
  • Wednesday, November 04, 2009 5:59 PM THS2

    I am running Windows 7 home premium so I don't have the ability to run programs in true XP mode.  I tried the compatibility setting on Lotus Forms but had no success.  I can do everything else with my CAC fine in Windows 7, but I cannot sign Lotus forms.  I tried reinstalling Windows 7, reinstalling lotus, tinkering with the card reader, etc. to no avail.  PLEASE post a fix if you know one. 

  • Saturday, November 07, 2009 10:34 PM garyd619

    I know CACs work with Windows 7 for email, web auth... however, I don't know if you guys have noticed it is using the PIV endpoint interface, not the GSC-IS interface, so doing smart card logon to the computer/domain doesn't work if you are set up to use the DoD email cert to log on with. It will fault due to the use of the PIV certificate. This is the issue I'm trying to resolve without putting a third party middleware such as ActivClient 6.2, which works with no problems on Windows 7. If someone out there knows how to get the OS to recognize the GSC-IS interface of the CAC please let me know. I have read the mini driver version 7 specs, however, and it says to set the crypto lib to use but I can't find where to put that at which .ini file. Thanks, Gary