none
DoD CAC not working in Windows 7

    Question

  • Didn't know quite where to put this:

    Windows 7 32bit 
    SCRx31 Smart Card reader

    I go to DoD websites requiring mutual SSL, IE will look for certificates and find my CAC.  It will ask me which certificate to use then nothing.

    Add ActivClient 6.1 to the mix because that was previously required in other versions of Windows to interact with the DoD CAC.

    Same issue.  It appears in that case, that windows and activclient fight over which software is going to handle the smart card.

    Any  ideas?
    Wednesday, May 06, 2009 5:48 PM

Answers

  • You need to install the vcredist file first and then the ActivClient6_1_homeuse_v2 also it will show that the cert are not validate ignor this.
    if you had the 64 bit you must reg. the Publishers yourself. you may be able to get the 64 bit version at work and it will show you how to install them.


    Or wait till the AF release aversion for Windows 7.
    • Proposed as answer by Billie On Pc Thursday, May 07, 2009 3:46 AM
    • Marked as answer by Nick FV Friday, June 26, 2009 3:43 PM
    Thursday, May 07, 2009 3:46 AM

All replies

  • Thats because there is no software for the DOD CAC for windows 7 yet. But I'm gonna try and get the 64 Bit Vista to work. I'll Let you Know.
    Thursday, May 07, 2009 1:06 AM
  • The Actual Install file needs to install other things first and therefor it's a HTML Program and it will not start in Compatibility mode.
    It'll be trickey but I might get it to work. There are 5 parts to the Install and they must happen in the right order to work.
    Thursday, May 07, 2009 2:21 AM
  • You need to install the vcredist file first and then the ActivClient6_1_homeuse_v2 also it will show that the cert are not validate ignor this.
    if you had the 64 bit you must reg. the Publishers yourself. you may be able to get the 64 bit version at work and it will show you how to install them.


    Or wait till the AF release aversion for Windows 7.
    • Proposed as answer by Billie On Pc Thursday, May 07, 2009 3:46 AM
    • Marked as answer by Nick FV Friday, June 26, 2009 3:43 PM
    Thursday, May 07, 2009 3:46 AM
  • You need to install the vcredist file first and then the ActivClient6_1_homeuse_v2 also it will show that the cert are not validate ignor this.
    if you had the 64 bit you must reg. the Publishers yourself. you may be able to get the 64 bit version at work and it will show you how to install them.


    Or wait till the AF release aversion for Windows 7.
    I never had an issue getting ActivClient installed.  It is installed and functioning.  I can look at my certificates and everything is fine using the ActivClient software.  It is when I go into IE to try and use my CAC.  I open up IE, go to a site, it looks for my certificates, asks which one i want to use, then nothing.  It never actually goes to access the CAC using ActivClient.  I am never prompted for my password.

    the vcredist is installed as ActivClient won't install without it.
    Thursday, May 07, 2009 12:15 PM
  • Active Cleint will install only the VCredist and also the other installs.


    I'm running Win 7 64 bit and it works fine,

    Also the nipnet need to be called out.

    you can not install it like normal.
     I can goto the Portal and webmail without any problems.
    Thursday, May 07, 2009 1:36 PM
  • Active Cleint will install only the VCredist and also the other installs.


    I'm running Win 7 64 bit and it works fine,

    Also the nipnet need to be called out.

    you can not install it like normal.
     I can goto the Portal and webmail without any problems.
    Can you provide a step by step on how you actually installed it with the version of vcredist you used?
    Thursday, May 07, 2009 2:00 PM
  • I unpacked the Zip File

    I ran NIPRDODCerts_v4_0  went to Troubleshoot Campat. went to Troubleshoot Program and said It work in earlier versions of windows and choose Vista Service pack 2

    Then I ran VCredist

    Then Active client with the Troubleshot compat like above.

    Note you'll have to uninstall it before you reinstall it!

    Ver. is ActivClient6_1_homeuse_v2
    Thursday, May 07, 2009 2:47 PM
  • What version of VCredist is it?  2005 or 2008?

    My command doesn't distribute the cac software the same as you are getting it.  I don't have a program called NIPRDODCerts_v4_0. I assume that is very simply the DoD root certificates.  I download the ActiveClient and that is all.  It is ActiveClient 6.1.  It comes packaged with a version of VCredist but it is the 2005 version.  There is a 2008 version available from Microsoft.

    I am starting from a fresh install of Windows 7.
    • Edited by jleonar Thursday, May 07, 2009 2:54 PM
    Thursday, May 07, 2009 2:53 PM
  • You'll need to 2005 version for it to work what command are you?
     
    Thursday, May 07, 2009 3:37 PM
  • Still doesn't work for me.  ActivClient installs fine.  The communication between IE and ActivClient doesn't.

    I installed firefox and configured it to use ActivClient.  Everything works perfectly.  It is just too bad there are a number of websites that require IE to function properly.
    Thursday, May 07, 2009 5:34 PM
  • Odd, everything seemed to work for me, and I didn't need to install ActivClient.

    I have Windows 7 RC (Build 7100) - installed on Macbook (Late 2007). Plugged in the card reader (SCR3310), it installed drivers, placed my CAC in the reader and it installed additional drivers (for some reason). Then I downloaded the root certificates, used "Troubleshoot Compatibility" and it ran it as XP SP2, checked and the certificates are good. Went to AFPortal, my webmail, etc and it came up prompting for my pin and I had access.
    Friday, May 15, 2009 4:53 PM
  • Odd, everything seemed to work for me, and I didn't need to install ActivClient.

    I have Windows 7 RC (Build 7100) - installed on Macbook (Late 2007). Plugged in the card reader (SCR3310), it installed drivers, placed my CAC in the reader and it installed additional drivers (for some reason). Then I downloaded the root certificates, used "Troubleshoot Compatibility" and it ran it as XP SP2, checked and the certificates are good. Went to AFPortal, my webmail, etc and it came up prompting for my pin and I had access.

    Any updates to this with Win 7 RTM? 
    Monday, August 10, 2009 2:37 PM
  • Odd, everything seemed to work for me, and I didn't need to install ActivClient.

    I have Windows 7 RC (Build 7100) - installed on Macbook (Late 2007). Plugged in the card reader (SCR3310), it installed drivers, placed my CAC in the reader and it installed additional drivers (for some reason). Then I downloaded the root certificates, used "Troubleshoot Compatibility" and it ran it as XP SP2, checked and the certificates are good. Went to AFPortal, my webmail, etc and it came up prompting for my pin and I had access.

    Any updates to this with Win 7 RTM? 

    I can confirm what others have already said...   On Win 7 RTM, you do not need to install ActivClient at all.   I was able to get to my Outlook Web Access (OWA) portal just as before.  It prompted me for which certificate to use, and then prompted me again for my PIN.

    BTW: I originally thought that ActivClient was required and attempted to install it... but it failed with "the wizard was interrupted".   Now, I'm glad it didn't install!
    Tuesday, August 11, 2009 7:53 PM
  • Not so for us.   Without ActivClient installed, we cant login to the domain using the smartcard.  We can however, go to websites that are cac enabled using some CaC's.  It appears that newer cards work, but older than a yr old dont.  If we install ActivClient, we can login with the CaC and go to websites with all cards.

    I'm guessing that ActivClient installs the registry entries to allow all of the cards to be recognized.  So for us, we have to use the middleware.

    Thanks
    Wednesday, August 12, 2009 11:41 AM
  • Odd, everything seemed to work for me, and I didn't need to install ActivClient.

    I have Windows 7 RC (Build 7100) - installed on Macbook (Late 2007). Plugged in the card reader (SCR3310), it installed drivers, placed my CAC in the reader and it installed additional drivers (for some reason). Then I downloaded the root certificates, used "Troubleshoot Compatibility" and it ran it as XP SP2, checked and the certificates are good. Went to AFPortal, my webmail, etc and it came up prompting for my pin and I had access.

    I'm running the same build you are on an HP, same reader, have all the drivers, all certificates installed correctly, but can't access AFPortal.  Every time I try it says I need to have certificates loaded to the desktop before proceeding.  Any help would be appreciated.  I can access some other sites requiring a CAC, with both IE8 and FF 3.5, just not AFPortal.
    Sunday, August 16, 2009 5:40 AM
  • Windows 7 RTM works great with DoD CAC using IE8 with no additional software installed (i.e. ActivIdentity, ActivCard Gold).  This statement is true only after you change some settings in IE as the default settings don't allow for Client Authentication.  

    Please ensure none of the following smart card software clients (i.e. ActivIdentity, ActivCard, ActivCard Gold) are installed before continuing.

    Open IE8 and perform the following:

    1.  Select Tools > Internet Options
    2.  Now select the "Content" tab and then click the "Certificates" button
    3.  Under the "Personal" tab you should see your current certificates from your CAC if your smart card reader and smart card were successfully installed.  While on the "Personal" tab click the "Advanced" button at the lower right corner.
    4.  From within the Advanced Options configuration window select the checkbox for "Client Authentication" (also "Secure Email" if needed) and then click OK.

    Your default install of IE8 that came with Windows 7 RTM should now not only prompt you for the certificate to use for authentication, but also now prompt you for the PIN.

    Note: If you run into further issues please verify that TLS 1.0 and SSL 3.0 are enabled:  Internet Options > Advanced tab > Security section and then select the checkboxes for those listed prior.
    • Proposed as answer by cmoote Monday, August 31, 2009 8:28 AM
    Monday, August 31, 2009 8:25 AM
  • I can use my cac reader to log on to web sites but I cannot digitally sign documents with IBM Lotus Viewer.  I get the following error:
    NO IDENTITY FOUND
    "The specified CSP doesn't contain any unexpired digital signature certificates matching your certificate filter (see Advanced Preferences)."

    I have tried it with the activclient software installed and with it removed.  In either case windows seems to manage the certificates for logging on just fine.  But the IBM Lotus Viewer trys to manage the certificates and can't find them.

    Any ideas?  TIA,
    Scott
    • Edited by av8rdude Monday, September 28, 2009 1:28 PM edit
    • Proposed as answer by Cyber Jack Wednesday, November 17, 2010 6:40 AM
    Monday, September 28, 2009 1:26 PM
  • I was able to get past the problem above with IBM Lotus Viewer.  I did this by installing the DoD configuration Add-on to Firefox on Windows 7, then adding a security device to firefox for the acpcks201.dll file in c:\windows\system32.  This now allows me to sign files in Lotus Viewer, but once I do so, it immediately says the signature is invalid b/c the issuer of the signer's digital signature could not be verified.
    Wednesday, September 30, 2009 3:50 AM
  • I was able to get past the problem above with IBM Lotus Viewer.  I did this by installing the DoD configuration Add-on to Firefox on Windows 7, then adding a security device to firefox for the acpcks201.dll file in c:\windows\system32.  This now allows me to sign files in Lotus Viewer, but once I do so, it immediately says the signature is invalid b/c the issuer of the signer's digital signature could not be verified.

    This is the same error I had with Vista for a while.  I can live with that because you can still sign documents....

    Any suggestions on how I can implement this fix in IE.  I have no interest in other browsers.

    TIA,
    Scott
    Saturday, October 03, 2009 12:13 AM
  • Ok I have found a temporary solution to the problem with IBM Lotus Viewer...

    I installed the windows 7 XP compatibility mode application.  Now I can sign documents inside the xp environment and save them.

    Cheers,
    Scott
    Monday, October 05, 2009 6:49 PM
  • Has anyone had the problem of your Smart Card Reader driver working fine, but a Smart Card driver showing up as missing or not installed?  I believe it is something new in Win 7.

    I updated all of my drivers but for some reason windows wants a seperate driver for the smart card. 

    If anyone has a solution for this, it would be greatly appreciated.

    Thanks
    Wednesday, November 04, 2009 3:17 PM
  • I am running Windows 7 home premium so I don't have the ability to run programs in true XP mode.  I tried the compatibility setting on Lotus Forms but had no success.  I can do everything else with my CAC fine in Windows 7, but I cannot sign Lotus forms.  I tried reinstalling Windows 7, reinstalling lotus, tinkering with the card reader, etc. to no avail.  PLEASE post a fix if you know one. 

    Wednesday, November 04, 2009 5:59 PM
  • I know CACs work with windows 7 for email, web auth... however, I don't know if you guy have noticed it is using the PIV endpoint interface not the GSC-IS enter face so doing smart card logon to the computer/domain doesn't work if you are set up to us the DoD email cert to logon with. it will fault due to the use of the PIV certificate. this is the issue I'm trying to resolve without putting a third party middleware such as activclient 6.2 which work with no problems on windows 7. if someone out there knows how to get the OS to recognize the GSC-IS interface of the CAC please let me know. I have read the mini driver version 7 specs however, and it says to set the cyrpto lib to use but I can't find where to put that at which .ini file. thanks Gary
    Saturday, November 07, 2009 10:34 PM
  • this worked for me, thanks.  can now access owa.

    Sunday, December 13, 2009 6:49 PM
  • Has anyone had the problem of your Smart Card Reader driver working fine, but a Smart Card driver showing up as missing or not installed?  I believe it is something new in Win 7.

    I updated all of my drivers but for some reason windows wants a seperate driver for the smart card. 

    If anyone has a solution for this, it would be greatly appreciated.

    Thanks

    I picked up at the only USB CAC reader I could find that claims compatibility with Windows 7.   Its called Stanley Global 111.  I plugged it into my Win7 64bit machine, installed ActivClient 6.1 off of AKO, installed the certs, and was up and going in a few minutes.  Never had to mess with any drivers.

    cheers,
    Randy
    Thursday, December 24, 2009 3:01 AM
  • For those of you have the 32 bit version of Windows 7 and want to use your Common Access Card (CAC) on it, please visit:  https://militarycac.com/activclient-compatibility-mode.htm  for installation instructions using the current ActivClient 6.1 software.  Previously, only way to use it was to purchase the 6.2 version.


    CW3 Michael J. Danberry 612-328-8768 http://militarycac.com
    Sunday, December 27, 2009 4:26 AM
  • for get the cac card and IE.. just find and install (InstallRoot_3.12wJRE-6u11). that file contains all the certificats for dod so you can get in with out having the pesky sertification box always popping up..
    Thursday, February 11, 2010 10:22 PM
  • I am operating windows 7 64 bit and already installed the af middleware for windows 7 from the portal.  Everything looks normal as far as what's installed (ActivClient 6.2) and I already physically loaded the certificates.  However, that's not the problem.  My cac is not PIV so im not sure if that makes a difference;  Every time I go to load my cac, activclient agent just keeps trying to read my cac, over and over and over and it never is able to.(Please wait while the card is being accessed...)  My cac works in office perfect, never had any issues.  Is there another agent that I could use, or should I just try and reinstall again.  I already tried to "repair" the installation.  Also, the agent does show my cac reader as installed properly (SCR3340) Any ideas?
    Sunday, March 28, 2010 4:27 PM
  • I am getting the same thing today.  going to do a system restore to go a week back and see what happens.
    Friday, July 09, 2010 8:31 PM
  • Hello chiefq,  Did going back one week take care of your problem? 

    Please visit:  https://militarycac.com/ for troubleshooting tips.


    CW3 Michael J. Danberry 703-679-8989 (Google voice) / 612-328-8768 (Sprint) https://militarycac.com
    Friday, July 16, 2010 1:54 AM
  • I did all the above steps.  I am using Windows 7 pro with an activeidentity 6.2 version and trying to get to my OWA mail I just keep getting

    Internet Explorer cannot display the webpage  

    I get the same messages for my HTTPS websites now as well.  Restoring to another point did not work.  I have put all the websites in my trusted wesite section on internet tools and I use BitDefender and all the websites are on the whitelist so I don't know what else to do to get this program to work.  I have run all the diagnostics for the CAC reader and they are all fine.

    Thursday, November 04, 2010 1:32 PM
  • Have you tried installing a program named ApproveIt Desktop 6.1?

      -If not install this program along with IBM Lotus Viewer 3.5 and ActivClient 6.2.

      -Make your certificates available by double clicking on the ActivClient Agent on the lower right corner of the screen.

      -Right Click on My Certificates and select make Certificates available to Windows.

      - Now try digitally signing the form.

    Hopefully this helps,

    Jack

    • Proposed as answer by Cyber Jack Wednesday, November 17, 2010 7:14 AM
    Wednesday, November 17, 2010 7:09 AM
  • Windows 7 RTM works great with DoD CAC using IE8 with no additional software installed (i.e. ActivIdentity, ActivCard Gold).  This statement is true only after you change some settings in IE as the default settings don't allow for Client Authentication.  

    Please ensure none of the following smart card software clients (i.e. ActivIdentity, ActivCard, ActivCard Gold) are installed before continuing.

    Open IE8 and perform the following:

    1.  Select Tools > Internet Options
    2.  Now select the "Content" tab and then click the "Certificates" button
    3.  Under the "Personal" tab you should see your current certificates from your CAC if your smart card reader and smart card were successfully installed.  While on the "Personal" tab click the "Advanced" button at the lower right corner.
    4.  From within the Advanced Options configuration window select the checkbox for "Client Authentication" (also "Secure Email" if needed) and then click OK.

    Your default install of IE8 that came with Windows 7 RTM should now not only prompt you for the certificate to use for authentication, but also now prompt you for the PIN.

    Note: If you run into further issues please verify that TLS 1.0 and SSL 3.0 are enabled:  Internet Options > Advanced tab > Security section and then select the checkboxes for those listed prior.

    This worked for me--thanks.  I'm running Win 7 with IE8 on a Dell laptop.
    Friday, February 25, 2011 1:37 AM
  • I go to DoD websites requiring mutual SSL, IE will look for certificates and find my CAC.  It will ask me which certificate to use then nothing.

    Hi,

    did you get this working?

    I have the same issue and I don't know how to solve this?

    Could you please let me know


    • Edited by PDLivings Wednesday, December 11, 2013 7:08 PM inserted the issue
    Wednesday, December 11, 2013 7:07 PM