Cac Card Reader Certificates For Mac
NOTE: This page lists all known problems and Solutions (that I and others have come across). I hope one of these will answer whatever problem you are having. Please don't email me telling me my Solutions don't work. Everyone of these have worked on several other computers. If your particular problem is not on this page, please feel free to contact me and we will figure it out together.
Disclaimer: These fixes are for Home Users Only. Do not attempt these on your Government Computer (unless otherwise noted)
THE TOP 15 CURRENT PROBLEMS [with SOLUTIONS] BEING EXPERIENCED
1:Most DoD website access problems [for Windows computers using Internet Explorer] can be fixed by following these adjustments to your web browser.
.
- Windows 10 Smart Card Reader and Military Common Access Card (CAC) Certificate Issues I'm military and so the use of my smart card reader is a necessity. Likely, those reading this who have a solution probably understand or have a similar issue.
- I have a Mac and use my cac card reader when need be. Militarycac as someone mentioned earlier can tell you what you need to do to make it work. Also chrome is one of the only browsers that works for me.
2: To use your CAC with your Mac, use the MAC Notes page. Please verify in step 5 which CAC enablers will with work with your version of OS X. See how to make DTS work by following guidance on the DTS support page.
Use Smart Cards on Chrome OS This article focuses on the steps required to successfully start using your Smart Card on Chrome OS on your personal device. If you are an admin and wish to deploy smart cards across your organization, then please refer to Deploy Smart Cards on Chrome OS.
3:All Army Knowledge Online (AKO) users who have a CAC should now be migrated to DISA's Enterprise Email (DEE) and will no longer be able to access their AKO email with username and password. DEE is only accessible via CAC, so, please look at this page for information you will need to access your email.
4: If you have a 'GEMALTO TOP DL GX4144' or 'GEMALTO DLGX4-A 144' CAC, are using Windows 7 or 8, you 'should' be able to use your CAC without installing ActivClient. If you have an 'Oberthur ID One 128 v5.5 Dual' or 'G&D FIPS 201 SCE 3.2' CAC, are using Windows 7 or 8, you 'might' be able to use your CAC without installing ActivClient.
5: If you have the 'Oberthur ID One 128 v5.5 Dual' CAC and it does not work with your Windows [7 or below] computer you need to install ActivClient 6.2.0.50, AND then update it.
6. Mac users who have purchased the IO Gear GSR-202, GSR-202V, or GSR-203 CAC readers may have problems. We've worked with Thursby Software and IOGear to find an update [which is actually a downgrade] for the firmware on the reader. Please follow guidance here to update / downgrade your CAC reader.
7. Windows 7 (64 bit) users who have the IO Gear GSR-202 CAC reader [and are having problems with the reader not staying in device manager after the computer is restarted] should Install the driver from IOGear then restart the computer to fix the problem. This has worked for some people, others are still having the problem. To update the driver manually, follow this guidance. The only other solution for it not working is to return it and purchase a different reader.
8. Windows 8 and 8.1 information is on the dedicated support page.
9. Created retiring page dedicated to providing information for people getting ready to retire (or separate) from the Army.
10. Internet Explorer 11 on Windows 7, 8, and 8.1 needs some assistance to work. Look here for the needed fix.
11. Receiving 'Error 500' when visiting your webmail. Follow these possible solutions
12. If you are having problems accessing CAC enabled websites,
.
Problem: You received a new CAC and are having problems using it on your computer
Information: ID card offices are issuing PIV II CAC's. You can verify if yours is one of these by looking for either of these on the back above the magnetic strip in yellowish / brownish letters 'Gemalto TOP DL GX4 144' or 'Oberthur ID One 128 v5.5 Dual'
Solution: Fixes for this problem. ActivClient 6.1 user need to update your software, and ActivClient 6.2 need to update your software.
Problem 1: Receive 'Parameter is incorrect' message (when logging onto computer). This IS a fix for a Government Computer.
Solution 1-1: Have another person logon to the computer with their CAC and update the DoD Certificates, instructions
Solution 1-2: Have another person logon to the computer with their CAC. Once logged in, Double click the ActivClient Client Agent button (down by the clock in the lower right corner of your screen). Click on Tools, Advanced, select Forget State for all cards. Log off, and have affected user sign back on.
Solution 1-3: Go to: https://www.dmdc.osd.mil/self_service , select Replace Certificate to avoid going to a RAPIDS Site. Visual steps NOTE: You will need internet access and 2 CAC readers on this particular computer for this to work.
Solution 1-4: If the above Solutions don't work, you will need to visit a RAPIDS site and have them update the certificates on your CAC. (You may walk out with a new ID card).
Problem 2: Receive 'The system could not log you on. Your credentials could not be verified' message (when logging onto a computer). This error message only affects Government Computers.
Solution 2-1: Have another person logon to the computer with their CAC and update the DoD Certificates, instructions
Solution 2-2: This error is mostly seen when a Soldier tries to logon to a computer that is part of a domain that his / her account has been deleted (or never had an account). Contact your local Help Desk to verify whether your user account is still in the system.
Solution 2-3: Verify that you have the network cable plugged into the computer and try it again.
Solution 2-4: The computer may have been removed from the network. You may need to check with your IT department to verify this. This happens when a computer is unplugged from the network for a certain period of time (60 days for my organization)
Solution 2-5: Unplug the network cable, now logon (you will be logging on with cached credentials) then plug the cable back in. NOTE: This will only work if you were the last person to logon to this computer.
Solution 2-6: If you are a dual CAC holder, and trying to access your computer when away from the office. You will have to use the same CAC you used to logon to the computer the last you time you logged into it on the network. This is due to the way your credentials are cached on the computer.
Solution 2-7: Open ActivClient, double click My Certificates, then double click on any of the certificates. Click the Advanced tab and scroll down to and select 'Subject Alternative Name.' You will see in the bottom window Principal Name=##########@mil.This is your UPN (User Principle Name). This must match what is in Active Directory for the account's LOGIN NAME. An administrator can verify they are the same.
Solution 2-8: If you have a 3rd party DAR (Data at Rest) called Credent installed, it seems to encrypt something in the user's profile that will not allow them to logon cached. If you have your administrator's help, you can decrypt all of your user data, then be able to logon to the computer again. The exact file causing this is not yet known.
Solution 2-9: Verify if your Smart Card service is started look here for instructions.
Solution 2-10: You may be trying to login to your computer with your FASC-N (16 digit) certificate rather than your EDI-PI (10 digit) certificate, select the certificate that is only 10 digits long instead of 16 digits.
Problem 3: When installing ActivClient, receive 'This application has failed to start because MOZCRT19.dll was not found. Re-installing the application may fix this problem.'
Solution 3-1: Once ActivClient installs, search your computer for 'MOZCRT19.dll' (another user found it in the Internet Explorer folder). Copy it into C:Program FilesActivIdentityActivClient. Now go to Add / Remove programs in Control Panel (XP), or Programs and Features in Vista, or Uninstall a Program in Windows 7 or 8. Highlight the ActivClient and select Change. Select Repair and the install should work.
Solution 3-2: Uninstall Firefox, restart computer, reinstall ActivClient again, then reinstall Firefox again.
Problem 4: While attempting the above fix you receive 'The Call to DllRegisterServer Failed with Error Code 0×80004005' on Windows Vista
Solution 4: You need to run 3 [above] as an administrator or turn off User Access Control in the Users option in Control Panel
Problem 5: Receive 'Unable to install Microsoft visual C++ 2005 Redistributable Package. Contact your IT support' error when installing ActivClient 6.1
Solution 5-1: Re-Extract the file and run again
.
Solution 5-2: You may have to re-download, then re-extract that file (as the download did not download correctly)
.
Solution 5-3: Create a new profile on your computer and install ActivClient from the new profile.
Problem 6: When attempting to extract ActivClient 6.1, the icon is not a folder with a zipper on it, or a different program opens up. Somehow your file association was changed on your computer.
Solution 6: This can be fixed by reassociating .zip files to the Windows Compressed Folder.
Vista / 7 / 8 fix: Press the following keys on your keyboard <Windows> < R>, this will open up your Run line. Type in CMD, once in the DOS screen: type in assoc .zip=CompressedFolder (there is a space in between assoc & .zip) [You may need to run the CMD prompt as an administrator]
Vista / 7 / 8 fix (alternate):Right click the file, Select Properties, Click the Change button. When the Open With box opens up, select Browse and navigate to C:Windows and click on explorer. It should be immediately below the folders. Select Open, OK, OK, OK.
XP fix: Double click My Computer, Select Tools, Folder Options, File Types, Scroll down to (and select) ZIP, Click the Change button, Select Compressed (zipped) Folders under Recommended Programs, select OK.
Now try right clicking your zip folder again and select Extract All.
Problem 7: You are not receiving the standard 'Insert Card, or press Ctrl Alt Del' message when using Windows Vista or Windows 7 on a Government Computer.
Solution 7: Press <Ctrl> <Alt> <Del>, it will then ask you for your Smart Card. If it comes up to a username and password screen, select 'Switch user' button and you should see the option for Smart card.
Problem 8: When trying to install ActivClient, it states 'Error 1500, another installation in progress, you must complete installation before continuing this one.'
Solution 8:Look here for a remedy
Problem 9: When attempting to install ActivClient 6.1 on a 32-bit Windows 7 computer using the Compatibility mode, you receive an error message regarding not being possible.
Solution 9-1: Visit Microsoft to verify whether your computer's BIOS is capable of doing this.
Solution 9-2: Another place to look is at the Microsoft Answers page.
Problem 10: Receive the following error 'Cannot find the file specified' when attempting to install ActivClient 6.1.
Solution 10: This can be remedied extracting ALL files before trying to install the program
Problem 11: When installing ActivClient, it stalls during installation and receive a message stating: 'Your administrator will not allow this to happen.'
Solution 11-1: Make sure you are running the installation as an administrator
Solution 11-2: Disable your Antivirus software, as it may be blocking the installation. McAfee is famous for making installs difficult.
Problem 12: Receive 'winlogon.exe - Application error The exception unknown software (0x06d0007e) occurred in the application at location 0x7cc812afb' after upgrading to ActivClient 6.2
Solution 12-1: Follow guidance at MajorGeeks.com
Solution 12-2: Uninstall ActivClient 6.2, restart computer, install ActivClient 6.1 with updates.
Problem 13: You have ActivClient installed on your computer, but do not use your CAC reader that often AND you are tired of the annoying message that pops up telling you you do not have a CAC reader plugged in.
Solution 13: Follow the guidance in this guide to disable the message.
Problem 14: After installing ActivClient, you are still unable to access DoD CAC enabled websites.
Solution 14-1: Internet Explorer users: Follow this guide
Solution 14-2: Firefox users: Follow instructions here
Problem 15: Received 'Error 2738. Could not access VBScript run time for custom action' while installing ActivClient.
Solution 15: Look here for a solution
Problem 16: When opening ActivClient with the Oberthur ID One 128 v5.5 Dual CAC and you do not see anything in the large white section, you probably only have ActivClient 6.2.0.50 installed
Solution 16:Update your ActivClient
Problem 17: You want a way to remove CAC certificates automatically from Internet Explorer when removing your CAC.
Solution 17: Open ActivClient (Only works in AC 6.2.0.x), Click Tools, Advanced, Configuration ..., Certificate Availability, Change the No to a Yes at the Remove certificates from Windows on smart card removal option (A restart of your computer will be required).
All Army Knowledge Online problems and Solutions are on a separate page.
APPROVE IT / eSign
The ideas on this website are from my personal experience. I have been told by Army Publishing Directorate (APD) to send Users to their help desk so they become aware of the problems with this program. 703-692-1306 / DSN: 312-222-1306, Webform, or usarmy.pentagon.hqda-apd.mbx.fcmp@mail.mil
If you are having problems accessing the CHESS website, contact theCHESS help desk at: peoeis.pdchess.helpdesk@us.army.mil or 888-232-4405 / 703-806-1019 / DSN: 312-656-1019 (Monday - Friday 0800-1700 EST).
Problem 1: Approve It keeps reinstalling every time you log onto the computer.
Solution 1-1: Remove the Approve It from the startup menu (This version puts itself in this folder for some unknown reason).
Solution 1-2: Install ApproveIt from the setup.exe (82KB) file from inside the Source folder
Solution 1-3: Uninstall ApproveIt 5.8.2, restart computer, Install ApproveIt 5.7.3. Follow instructions below. PLEASE NOTE: ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.
Problem 2: 'Component is missing or corrupt' message after installing ApproveIt and attempting to digitally sign a form
Solution 2: Restart computer after installing Approve It (multiple restarts might be required).
Problem 3: Receive 'No host application was found on this computer. Please install the host application before installing ApproveIt Desktop' when installing ApproveIt 6.5
Information: According to the ApproveIt Desktop 6.5 installation guide, it requires at least one of the following host applications be installed: Microsoft Word, Microsoft Excel, Adobe Acrobat, Adobe Reader, Adobe Form Designer and Client, Adobe FormFlow Form Designer with Filler, PureEdge ICS Designer and Viewer, Lotus Forms Designer and Viewer, and Microsoft InfoPath. HOWEVER, Adobe Reader (9.5 or below) seems to be the program it is looking for specifically
Solution 3-1: Install eSign 6.6 instead of ApproveIt 6.5
Solution 3-2: You [more than likely] have Adobe Reader X (10) or XI (11) installed. You'll need to uninstall it, then download and install Adobe Reader 9.5or below. Once you have installed Adobe Reader 9.5 or 9.3, install ApproveIt. After you have installed ApproveIt [and you've verified you can sign a form], you may reinstall the Adobe Reader X or XI.
NOTE forWindows 8 users: You'll need to uninstall Adobe XI, download 9.3 from here or here, then upgrade back to Adobe XI after you have successfully signed a form.
NOTE for Adobe Acrobat Professional X users: If you have this program installed, you only need to uninstall the Adobe Reader X [or XI] and install the Adobe Reader 9.5 [or 9.3] (see links above), then follow Solution 3-1 above.
Solution 3-3 (Only use after installing ApproveIt): Modify the value of: HKEY_CURRENT_USERSoftwareSilanisApproveItSigningRealTimeTopazLib
Change the value from 1 to 0 for 'EnableDevice' by double clicking it, typing in 0, then clicking OK.
Here's How (Windows XP, Vista, & 7): Click Start (or Windows key + R), type: Regedit.exe in the white search box. Please back up your registry before proceeding. Instructions: http://windowsxp.mvps.org/registry.htm
Here's How (Windows 8): Click Windows key + R, (or move your mouse to the lower right corner of your screen and when the menu pops up, select Search), type 'regedt32.exe' when it pops up in the left top of screen, click it.
Problem 4: 'Unable to complete the signature; the private key cannot be found or is inaccessible on the system. Make sure you are using a good signing key or the right smart card.'
Solution 4-1: Close Pure Edge or Lotus Forms, restart computer, try again
Solution 4-2: Double check that you did install all software correctly. You can use the notes page to verify. Particularly ActivClient
Solution 4-3: Visit: Problem 10 below for another possible solution.
Solution 4-4: You might have old certificates on the computer. Follow slide 14 in this guide to clear them.
Problem 5: 'Unable to complete operation; an ApproveIt component (ApproveIt FrameworkResource.dll) is missing or corrupt'
Solution 5-1: Restart the computer. Could take 3-4 times.
Solution 5-2: Verify installation of ApproveIt, you may need to uninstall, restart computer, then reinstall.
Problem 6: Receive 'ApproveIt - Error [message not found]: [message not found] [message not found],' followed by 'Unable to access Private Key', then 'The signature could not be created because the private key of the certificate could not be accessed.'
Information: This error is caused by the virtualization setting of the masqform process.
Solution 6-1:
Step 1: Open Lotus Forms Viewer (not a specific form).
Step 2: Start task manager
Step 3:
Step 4: Try reopening your form now.
Solution 6-2: Your current profile could be corrupt. Here's how to build a new profile: If on a Government Computer, look below
Creating a new profile when you have Windows 8:
Follow this page: http://windows.microsoft.com/en-us/windows/create-user-account#create-user-account=windows-8
Creating a new profile when you have Windows Vista or Windows 7:
1. Click Add or remove user accounts under User Accounts (Vista), or User Accounts and Family Safety (7) in Control Panel
2. Click Create a new account under the big box
3. Type in the new username of the new account name box
4. Click Administrator, then Create Account
5. Logoff your current user account
6. Logon with the new username and try again
Screen shot view of steps above via Bleepingcomputer.com
Video of steps above via Dummies.com
Microsoft page for assistance after creating new profile
Creating a new profile when you have Windows XP:
1. Double click User accounts in Control Panel
2. Select Create a new account
3. Type in the name of the new account, select next
4. Select Computer Administrator and Create Account
Screen shot view of steps above via Dummies.com
Microsoft page for assistance after creating new profile
Since you made your new logon as an administrator, you should have no problem accessing your old files.
This is a fix for Government Computers.
1. Logon as an administrator, go to Control Panel - User Accounts, Turn off UAC (this was tested on a Government owned Vista computer)
2. Latest instructions that can Solution this problem
3. Original instructions that can Solution this problem
4. ****MUST DO THIS STEP**** after renaming the old profile.
Run regedit and go to HKLMSOFTWAREMicrosoftWindows NTCurrentVersionProfileList and delete the SID key for the corrupt profile. Easiest way to find the correct SID is to search from the 'ProfileList' key for the directory mentioned in %USERPROFILE% in step #1.
After you do this, make sure you rename the users' profile under C:Users<user name>
Then have the user login to verify user can sign the document.
Solution 6-3: Uninstall Approve It, restart computer, Install ApproveIt 5.7.3 Follow instructions below.PLEASE NOTE: ApproveIt 6.1, 6.5, & 6.6 are the only versions that will work with Lotus Forms.
Problem 7: You get prompted to enter a serial number when installing ApproveIt 5.7.3
Solution 7: This means you attempted to install using the setup file from within the zipped file. You need to extract the zip file, then run the setup from inside the new folder it just created. Read installation Instructionsbelow.
Problem 8: You get prompted to enter a serial number when installing ApproveIt 5.9
Solution 8: Use the file titled: AGMInst.exe (It will be an icon that looks like a star) instead of the setup (bootstrap) file
Problem 8a: You get prompted to enter a serial number when installing eSign 6.6 or ApproveIt 6.5
Solution 8a: Use the file titled: Setup.exe (It will be an 82 KB size file). If the file size is 30KB, it means you have not extracted the .zip file yet. Read more at: https://chess.army.mil/CMS/A/Silanis_FAQs
Problem 9: Approve It tab does not show up in Microsoft Word 2007 or Excel 2007.
Solution for Word: Look at this PDF
Solution for Excel: Look at this PDF
Problem 9a: ApproveIt tab does not show up in Microsoft Word or Excel 2010, or 2013.
Solution 9a-1: Follow the guidance on this page
Solution 9a-2: Wait for the Army to replace ApproveIt with e-Sign. Read the 21 September 2011 press release.
Problem 10: Receive ePersona message when trying to sign a form in Pure Edge or Lotus Forms with Approve It?
Solution 10: Close PureEdge or Lotus Forms (if it is open). Go to: C:Program FilesApproveIt, or C:Program Files (x86)ApproveIt, double-click the icon that looks like a wrench titled: 'AprvCfg.exe'. On the Signature Method tab, make sure the radio button is on the bottom choice - 'Sign using a certificate or smart card.' Don't change anything else. Click Apply, then OK
After you click 'Sign' in PureEdge or Lotus Forms, it may take a few minutes for the list of certificates to pop up. Be patient. Choose the certificate that doesn't have Email in it, and put a check in the box that says 'Use this certificate as default' (if this is your personal computer).
Problem 11: Receive 'The signature could not be created because the Private key of the certificate could not be accessed.'
Solution 11: Look here for the answer
Problem 12: When attempting to install Approve It on a computer with Office 2007, receive error message 'Microsoft Word has encountered a problem and needs to close. We are sorry for the inconvenience.'
Solution 12: Look here for the answer
Problem 13: Official Installation guide for ApproveIt 6.5 | Installation guide for ApproveIt 6.1
Problem 14: Receive: 'chilkatlog: unzippedfile: failed to read compressed data. failed to find file marker' when attempting to install Approve It 6.1.
Solution 14: Install Approve It 5.7.3. Follow instructions below.PLEASE NOTE: ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.
Problem 15: Approve It tab does not show up in Microsoft Word 2010.
Solution 15: See 9a above
Problem 16: When attempting to open the ApproveIt configuration Manager [ApproveIt 6.1 government computer], you receive: 'Runtime Error! Program: C:Program FilesApproveItAprvCfg.exe This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.'
Solution 16: Navigate to: C:Program FilesApproveIt, Right click ApprvCfg.exe, select Properties, select the Compatibility (tab), check box 'Run this program as an administrator.'
Problem 17: When clicking the login button trying to access CHESS [with your AKO Registered CAC] to download ApproveIt you are prompted for your certificate. You select it and enter your PIN, it then states 'you will be logged in shortly.' Within a few moments, you are returned to the login page, without being logged in.
Solution 17: Follow guidance in this PDF, or watch this video
Problem 18: When attempting to sign a form, you receive:'Unable to sign using a certificate; there are no valid signing certificates available on the system. Please select a different signing method and try again. The Signature could not be created because the private key of the certificate could not be accessed.'
Solution 18-1:Latest DoD Certificates are needed download them here
Solution 18-2: Make sure you have restarted the computer after installing ApproveIt
Solution 18-3: Make sure ActivClient is installed (unless using Windows 7 or 8 with a 144 or 5.5 CAC)
Solution 18-4: Verify your CAC is not expired. If so, you will need to visit an ID card office to get a new CAC.
Solution 18-5: Follow this guide for modifying the ApproveIt install
Solution 18-6: Create a new profile and install Lotus Forms and eSign from the new profile.
Solution 18-7: Uninstall ApproveIt 5.8.2, 5.9, or 6.1, restart computer, Install ApproveIt 5.7.3. (Only on XP and Vista systems) Follow instructions below.PLEASE NOTE: ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.
Problem 19: Receive: 'Unable to complete operation; an ApproveIt component (ApproveItFrameworkResource.dll) is missing or corrupt. Please repair your ApproveIt Installation and try again.'
Information / Solution 19: This problem occurs for users who's ApproveIT has been updated or installed by the system administrator but never opened it up. When the standard user attempts to utilize the program, they get the error. To check if this is the case, have an administrator open the program via the 'Run as...' prompt so they can log into the administrator account and open the program, accept the license terms and agreements, and fully use the program.
Problem 20 (Fix for Government computer): After installing Adobe Acrobat Reader X, users are not able digitally sign forms in Lotus Forms
Information / Solution 20: When Acrobat Reader X is installed, you may not be able to digitally sign in Lotus Forms. It seems that when you click on 'Click to Approve' and the Digital Signature Viewer pops up; after you hit the 'Sign' button the 'ApproveIt-Certificate Selection' window does not pop up, the application just hangs indefinitely and so one cannot digitally sign.
Modify the value of:
HKEY_CURRENT_USERSoftwareSilanisApproveItSigningRealTimeTopazLib
To disable it the value should be 0.
It has only effected a small percentage of those computers that received the Acrobat X push and was hard to replicate the issue. This solution fixed both Vista 32bit and Win7 64bit systems that were imaged w/ AGM disks that had the problem. This fix also worked when rights elevation, uninstall / reinstall, libeay32.dll and se_cryptoapi.ifx fixes did not resolve the issue.
Problem 21: Receive '/wps/PA_AJAXWeb/javascript/eim_function.js' when attempting to upload a form or search for a form in myForms.
Information: Your computer has Internet Explorer 8 or 9 installed, Government websites are not ready for IE 8 or 9 yet.
Solution 21-1: Enable 'Compatibility Mode' (the little 'torn-page'-looking icon on the right of your address bar). Click that (so it turns form white to blue), and the search window & upload window should work.
Solution 21-2: Go back to Internet Explorer 8. Instructions and other tidbits of information can be found in this guide.
Problem 22: Receive: 'Could not initialize installation. C:~GLC1034.TMP' when trying to install ApproveIt.
Solution 22: Create a new profile on your computer and install ApproveIt from the new profile.
CAC / CAC READER
Problem 1: The CAC reader driver did not automatically install correctly
Solution 1-1: Go to Device Manager (Instructions are on the CACDrivers page), scroll down to Smart Card readers, right click the CAC reader that shows up below Smart Card Readers. It may also show up under unknown devices. Select Uninstall. It will give you a message. Once it is uninstalled, unplug the reader from your computer. Wait a few moments, then plug it back in. It 'should start to install itself. If that doesn't work, keep reading for other ideas below.
Solution 1-2: If you have an SCR-331 CAC Reader and using Vista, Windows 7, or 8, and are still having problems getting the reader to be recognized by ActivClient, or your CAC reader shows up as STCII Smart Card Reader follow these instructions for updating the firmware on the reader.
Problem 2: Receive quick beep when you start your computer with the CAC reader plugged in, or when plugging in your CAC reader.
Solution 2: Change the following registry key to 0 from 1 by going to Start, Run, type in 'Regedit' (without the quotes) and navigate to: HKEY_LOCAL_MACHINESoftwareActivCardActiveClientNotificationNoReaderWarningEnable
Problem 3: Card does not read consistently
Solution 3-1: Try cleaning the gold portion of the CAC with a clean pencil eraser.
Solution 3-2: Your card could be wearing out. It may be time to get a new one. Click here to find an ID card office.
Solution 3-3: Your reader may be showing signs of wear. Click here to find a new one.
Problem 4: CAC reader is seen in Device Manager in Windows but not by ACTIVCLIENT software (Error 1920 on Windows 8):
Information: Windows runs the Smart Card service as a local service and without it, smart cards will not work. Another symptom of this is when the Card Icon does not show on the logon screen (Government computer).
Solution 4-1: Make sure the ActivIdentity Shared Store Service is started. Here's how: Click Start, type in: services.msc in the search box, double click on: ActivIdentity Shared Store Service. Make sure the Startup type is set to Automatic and if not started, select Start.
Solution 4-2: Run this file to fix your Smart Card service. If you have problems with the other file, try this one. NOTE: This will not work on Windows 8.1
Solution 4-3:Log on as the local administrator. Go to Start, Run, type in: services.msc, Verify that both ActivClient middleware and SmartCard services are stopped. (Windows 8 users hover your mouse in the lower right corner of your screen to get the Charms bar to show up. Click Search, type in 'regedit.exe' then click it with your mouse.)
From the Run line (XP) Search programs and files (Windows Vista & 7): type: Regedit
Navigate to 'HKLMSoftwareMicrosoftCryptography' Right click on the Calais folder then choose 'Permissions'.
Verify 'LOCAL SERVICE' exists, if it doesn't, click 'ADD'
In the large white box type 'LOCAL SERVICE' IF your computer is part of a domain, you will need to add your computer name before 'LOCAL SERVICE'
Click Check Names, then OK.
Select Local Service -> Click Advanced (button) -> in the Permissions (tab) select LOCAL SERVICE -> and click Edit. (Windows 8 / 8.1 users will need to click 'Show advanced permissions' to see these).
Mark the following with Allow:
Query Value
Set Value
Create Subkey
Enumerate Subkeys
Notify
Delete
Read Control
Close all open windows
Open Services.msc again, Start smart Card Service, Start ActivClient middleware Service.
CAC Reader 'should' now be showing in ActivClient.
Solution 4-4: Follow these instructions for modifying your registry to make the Smart Card service start.
Problem 5: How can I use 2 CAC readers on my computer with ActivClient?
Solution 5: Once the second CAC reader is physically functioning: Double click the ActivClient icon (down by your clock), select File, Use Reader, Select the other reader. Go to Tools, Advanced, Make Certificates Available to Windows. You should be able utilize either CAC on your computer now.
** Here is a presentation showing how to do this.
Problem 5a: How can I use 2 CAC readers on my Windows 7 or 8 computer without ActivClient?
Solution 5a: Plug it in and use it
Problem 6: How do I get the message to stop coming up that says my CAC reader isn't plugged in? I get a notice every time I start my computer that my reader isn't installed. I own a laptop and don't plug in the reader unless I need it.
Solution 6: Go to Start, All Programs, ActivIdentity, and click on Advanced Configuration Manager. Select Notifications Management. Double click Display No Smart Card Reader Alert, it will automatically change from a YES to a NO. ** Here are Visual steps showing you how to do this.
Problem 7: Receive 'An internal error has been encountered (the specified smart card is no more available for use)' when trying to access CAC using ActivClient 6.1 on computers with built in CAC reader and trying to use an external at the same time.
Solution 7-1: Upgrade to ActivClient 6.2, Oberthur ID One 128 v5.5 Dual card holders may need a further update to ActivClient 6.2
Solution 7-2: The built in reader is taking priority over the external. Unplug the external and try the internal reader. On some computers (Gateway), the CAC has to go in upside down.
Problem 8: Receiving message 'No Card Reader Found' when using RDP (Remote Desktop Protocol) between 2 computers.
Solution 8: ActivClient is designed to only work with the card reader installed on the VIEWING computer. Users MUST install the card reader & driver to the computer they are sitting at, not to the target computer (where ActivClient is installed). If just configuring another computer with reader and software it should be done FROM THE CONSOLE of that machine.
Problem 9: How do I change my CAC PIN?
Solution 9-1: If you know your current PIN...You have 3 options:
- With ActivClient installed right click the ActivClient icon (down by your clock), select PIN Change Tool. Enter your current PIN, then your new PIN twice, hit Next.
- If you are using the Windows 7 built in Smart card utility follow this guidance.
- Visit an ID card office
Solution 9-2: If you don't know your current PIN, your only option is to visit an ID card office
Problem 1: Can I use DTS with my Mac or Linux computer?
Solution 1: Yes you can. The current version of DBSign called DBSign Universal Web Signer is available when accessing the DTS website and will allow all computer platforms to use it. NOTE: Look at #2 below and here for troubleshooting tips.
NOTE specifically for Mac users: You will get a blank page when trying to navigate to your Authorizations or Vouchers until you do the following: Click the word Safari, uncheck Block Pop-Up windows
Problem 2: When accessing DTS for the first time, you 'may' be told to install JRE 1.5.
Solution 2: Windows users can download JRE from: http://www.java.com I personally recommend you uninstall Java before updating it. It just seems to work better.
NOTE for Windows users: One person informed me that he was able to uninstall JRE after installing the DBSign on his Windows computer, and DTS still worked. He was having problems where another window would pop up and state that it was Done, never actually letting him into DTS.
NOTE for Mac users: When you first get to the page telling you that you need Java, don't be tempted to click the link. Just let it sit there and it will install it automatically.
Problem 3: Unable to access DTS (Error message 'There has been a problem with Login. Problem getting security information from your computer. Please contact your DTS site administrator for assistance.'), or DTS stalls at DBsign: logging into cryptographic libraries....
Solution 3-1: Follow the guidance in this PDF
Solution 3-2: In Internet Explorer: Go to Tools, Internet Options, Security (tab), Click on Trusted Sites (green checkmark), Click Sites (button), in the Add this website to the zone: type in '*.osd.mil' after unchecking 'Require Server Verification', click add (button), select close, then click OK
Solution 3-3: Go to: Tools, Internet Options, Security (tab), single click on Internet (globe). Uncheck the box for Enable Protected Mode (down near Custom level...) button.
Solution 3-4: UninstallInternet Explorer 9 to go back to Internet Explorer 8
Problem 4:DTS screen flashes up, then disappears after you hit login.
Solution 4:Check your pop-up blocker(s), they are more than likely 'killing' the page that is attempting to pop up. DTS loves pop ups. :)
Problem 5: DTS will not allow you to get past the logon screen in Vista or Windows 7 (64 bit).
Solution 5: Make sure you are using the (32 bit) Internet Explorer. If you don't see it in your list of programs, navigate to: C:Program Files (x86)Internet Explorer double click on iexplore.exe (it will be approximately 622KB in size). You can also copy / create a shortcut for this program to your desktop.
Problem 6: DTS error: 'Your user account could not be found or is locked, or your certificate has been revoked. Please contact your local Registration Authority (LRA) or Verifying Official (VO) to obtain a new PKI certificate or to find additional information.'
Solution 6-1: Your account is more than likely 'in between' your old and your new unit (which means you are not attached to any units). Contact your current unit's DTS person and have them 'Receive' you.
Solution 6-2: A revoked certificate means you'll need to visit an ID card office to get a new CAC.
Problem 7: When attempting to access DTS with Internet Explorer 9 installed, you receive a message that IE has closed the tab. Basically, you can't logon to DTS.
Solution 7: Uninstall IE9 and go back to IE8 Here's How Don't forget to hide the update: Vista, Windows 7, or XP (video)
Problem 8: DTS Login Error: 'There has been a problem with your login. Your user account could not be found or is locked. Please contact your DTS site administrator for assistance.'
Solution 8-1: Your account is more than likely 'in between' your old and your new unit (which means you are not attached to any units). Contact your current unit's DTS person and have them 'Receive' you.
Problem 9: DTS Login Error: There has been a problem with your login. Your certificate is invalid or expired. Please contact your local Registration Authority (LRA) or Verifying Official (VO) to obtain a new certificate or CAC card. DBSign code: 112'
Solution 9-1: If you were recently issued a new CAC, you might have selected the old certificate, rather than the new one. Close the web browser, remove CAC from reader. Reinsert CAC, then attempt to access DTS again. You can clear your old certs by following slide 14 of this guide.
Solution 9-2: Your certificates are expired on your CAC. You need to get a new CAC. This website will help you find the nearest one to your location.
Problem 10: When accessing DTS
Solution 10: Navigate to the 32bit java control panel
Problem 11: When attempting to access DTS
Solution 11-1: This means your CAC is expired, or the certificates have been revoked for some reason. Your only option is to get a new CAC. Visit the nearest ID card office to get your card replaced.
EES (Evaluation Entry System)
All Evaluation Entry System problems and Solutions are on a separate page.
ERROR CODES (BY THE NUMBER)
Error Codes (Specific Numbers) problems and Solutions are located on their own page.
FIREFOX
Firefox problems and Solutions are located on their own page.
FORMS (formerly known as MyForms)
Problem 1: When I open a form via Forms, it is coming up in all gibberish.
Solution 1-1: If using IE 8, 9,IE 10 See here for instructions for using Compatibility View
Solution 1-2: If using Firefox, Chrome, Safari, or Opera you will need to right click the 'sample form' link and select Save Link As / Download Linked File As / Save to Download Folder. Save it to your desktop, then test from your desktop. If your computer downloads it as a .txt file, right click it and change it to .xfdl
Problem 2: Why do my Forms use check marks instead of the correct X's on some OER or NCOERs and generate an error message.
Solution 2: To fix / change this, Click Start, All Programs, IBM Lotus Forms, Lotus Forms Viewer (or just open up any form you have, (sample form)). With the Viewer open Click File, Preference, Advanced settings and select the Use 'X' style check boxes, click apply, and then OK.
Problem 3: Cannot upload forms to Forms while using Vista or Windows 7
Solution 3-1: If using IE 8, 9,IE 10 See here for instructions for using Compatibility View
NOTE: The Solution for this problem is from the Army Publishing Directorate (APD) (This means I have not had any success with it, but it 'might' work for you).
Information: Make sure you have the current Lotus version and not the earlier AGM version. You can verify this by going to C:Programs FilesIBMLotus FormsViewer3.5 Right click on masqform, click properties, click the Details tab to verify the version. File version should end in .123.
NOTE: 64 bit Windows will select Program Files (x86) instead of Program Files
If you have the older version, look at the Lotus Forms page to download the newer version.
If yours is the correct version, please try the ideas below:
Solution 3-2: In Internet Explorer, Go to tools, Internet options, Security (tab)
-Click on trusted sites and change the default level to low.
-Add *.army.mil to the trusted sites.
-Click Apply.
-Click on the Privacy Icon and change the default level to low.
-Click on the Internet Icon and change the default level to medium.
-Click Apply
Clear the cache by doing the following in Internet Explorer:
-Click on Tools, Internet Options, on the General (tab). Click the Delete... (button) under the Browsing history section. Verify the Temporary Internet Files, and Cookies are checked. Click the Delete button.
-Log out of AKO and close all your Internet Explorer windows.
-Open Internet Explorer and log back into AKO.
-Please try to upload the form again
***Note: APD recommends that you return to your previous IE settings after conducting your business on My Forms. The cause of having to do the above steps is in result to your OS build being a deviation to the official AGM standard build.***
Solution 3-3: Uncheck the SSL2.0 setting under Internet Options, Advanced (tab)
Solution 3-4: Open Internet Explorer, Tools, Internet Options, Advanced Tab, Under security scroll to Allow Active Content from CD to run on My computer and uncheck it. Close all internet windows and log in again and attempt to save.
.
Solution 3-5:
Problem 4: Unable to save forms back to Forms repository.
Solution 4: Follow these instructions
Problem 5: When I try to route forms through the FCMP one of two things happen: 1. All buttons are grayed out except for 'manage favs' so I can't route. 2. I can form a route slip and search for routed user, but when I click the check box next to the individual I'm routing to nothing happens when I click add as original/add to email (the name will not pop up above the comments box to check).
Solution 5:If using IE 8, 9,IE 10 see here for instructions
NOTE: This may have to be done anytime you open up FCMP in any new windows.
INTERNET EXPLORER
Problem 1: Receive: 'There is a problem with this website security certificate.' Your options are listed as 'Click here to close this webpage' or 'Continue to this website' where it states it is not recommended.
Solution 1:Latest DoD Certificates are needed, instructions where you can download and install them are here
Problem 2: Internet Explorer browser closes (crashes) when attempting to register your CAC on AKO -or- receive 'The server akocac.us.army.mil at cac-reg requires a username and password.'
NOTE: The need to register your CAC with AKO was abolished on 1 May 2011.
Solution 2-1: (Vista specific, may work with IE 6, (does work with IE 8)) Go to Tools, Internet Options, Content, Certificates, Personal, Advanced, check the box that says 'Client Authentication.'
NOTE: A restart of Internet Explorer is required to allow this change to take place. You don't have to restart the computer, just Internet Explorer.
Solution 2-2: Go to: Tools, Internet Options, Security tab, click on the Internet Security option. Uncheck the box for Enable Protected Mode.
Solution 2-3: Close browser, reopen it, clear your cache and temporary internet files. Close browser, restart, try again.
Problem 3: Can not save file in Internet Explorer while using Forms
Solution 3: Follow these instructions
Problem 4: Receive the message: 'You do not have Permission to Access this resource.'
Solution 4-1: Verify that you do have all needed software installed, Visit the Notes page to double check what you installed already.
Solution 4-2: Verify that you are using Internet Explorer when attempting to register your CAC. If you are using Firefox, please look at the Firefox page for the needed CAC reader configuration.
Solution 4-3: If you receive this message when trying to download ActivClient from AKO, you need to know that the ActivClient download links on AKO are for Army personnel only. If your account is listed as an Army volunteer, Guest, family member, retired, or other military branch, you will not be able to download the file from AKO. Other military branches look here to find where you can download ActivClient from your respective branch.
Solution 4-4: Go to: https://www.us.army.mil from this link. Your AKO shortcut in your favorites could be outdated. Simply re add AKO to your favorites replacing your existing favorite.
Solution 4-5:Follow guidance in this PDF, or watch this video
Problem 5: CAC works to sign forms, but cannot access CAC enabled websites.
Solution 5-1: Use Internet Explorer for any websites that need to use your CAC (IF using Firefox).
Solution 5-2:Follow guidance in this PDF, or watch this video
Solution 5-3: If you insist on using Firefox, follow this guidance AFTER you get it working with Internet Explorer.
Problem 6: If you can access some websites with your CAC, but some don't work (e.g. AKO, the USMC MCNOSC site or the OWA for NMCI site)
Solution 6-1: Click Tools, Internet Options, Advanced (tab). Scroll to the bottom. Make sure SSL 3.0 & TLS 1.0 are both checked, and SSL 2.0 NOT checked. In Windows 7 & 8 also make sure TLS 1.1 & 1.2 are unchecked.
Solution 6-2: Follow guidance in this PDF, or watch this video
Problem 7: Are you having problems accessing ATAAPS (Automated Time Attendance and Production System)?
Information: Bob Ridenour at Fort Gordon figured this out: 'If you have the Common Policy cert
More Information: He has gotten rid of the problem locally, but has received emails from individuals outside of his organization who have the Common Policy
This image is what people clicked on and installed the Common Policy. Select No when you see it next time.
Solution 7-2: This guide shows other settings that should also be set in Internet Explorer
Problem 8: Air Force users receiving 'CA Not Recognized' error message when attempting to access the Air Force Portal
LOTUS FORMS
The ideas on this website are from regular people's experiences. I have been told by Army Publishing Directorate (APD) to send users to their help desk so they become aware of the problems with this program. 703-692-1306 / DSN: 312-222-1306, Webform, or usarmy.pentagon.hqda-apd.mbx.fcmp@mail.mil
If you are having problems accessing the CHESS website, contact theCHESS help desk at: peoeis.pdchess.helpdesk@us.army.mil or 888-232-4405 / 703-806-1019 / DSN: 312-656-1019 (Monday - Friday 0800-1700 EST).
Problem 1: Receive 'Error loading C:PROGRA~1COMMON~1INSTAL~1engine6INTEL3~1Ctor.dll' when attempting to install Lotus Forms.
Solution 1: Uninstall PureEdge Viewer (via Control Panel), Restart computer, then attempt Lotus Forms install again
Problem 2: Word Sign is GRAY after installing IBM Forms Viewer / Lotus Forms Viewer / Pure Edge Viewer
Solution 2-1: If you upgraded from Pure Edge Viewer and did not uninstall eSign / ApproveIt... Uninstall eSign / ApproveIt, restart computer, then install eSign / ApproveIt again. eSign / ApproveIt HAS to be installed AFTER all programs that you want to be able to digitally sign. These programs include: Office products, IBM Forms viewer, Lotus Forms, PureEdge, & Adobe Reader.
Solution 2-2: 64 bit systems IBM Forms Viewer 4.0: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program Files(x86)IBMForms Viewer4.0extensions
and to
C:Program Files(x86)IBMForms Viewer4.0API80system
Solution 2-2a: 32 bit systems IBM Forms Viewer 4.0: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program FilesIBMForms Viewer4.0extensions
and to
C:Program FilesIBMForms Viewer4.0API80system
Solution 2-2c: 32 bit systems Lotus Forms 3.5: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program FilesIBMLotus FormsViewer3.5extensions
and to:
C:Program FilesIBMLotus FormsViewer3.5API76System
Solution 2-2d:64 bit systems Lotus Forms 3.5: Copy and paste libeay32.dll from C:Program Files(x86)ApproveIt to the following folders:
C:Program Files(x86)IBMLotus FormsViewer3.5extensions
and to:
C:Program Files(x86)IBMLotus FormsViewer3.5API76System
Solution 2-3: More ideas are located below
Problem 3: 'One or more signatures could not be verified' when opening up Lotus Forms
Solution 3-1: Latest DoD Certificates are needed
Solution 3-2: Verify you have ApproveIt installed
Solution 3-3: Restart your computer (if you have just installed eSign / ApproveIt)
Solution 3-4: 64 bit systems IBM Forms Viewer 4.0: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program Files(x86)IBMForms Viewer4.0extensions
and to
C:Program Files(x86)IBMForms Viewer4.0API80system
Solution 3-4a: 32 bit systems IBM Forms Viewer 4.0: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program FilesIBMForms Viewer4.0extensions
and to
C:Program FilesIBMForms Viewer4.0API80system
Solution 3-4b: 32 bit systems Lotus Forms 3.5: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program FilesIBMLotus FormsViewer3.5extensions
and to:
C:Program FilesIBMLotus FormsViewer3.5API76System
Solution 3-4c:64 bit systems Lotus Forms 3.5: Copy and paste libeay32.dll from C:Program Files(x86)ApproveIt to the following folders:
C:Program Files(x86)IBMLotus FormsViewer3.5extensions
and to:
C:Program Files(x86)IBMLotus FormsViewer3.5API76System
Problem 4: Receive error message: 'Viewer : Printer Driver's EndPage() Failed at PRINT ERROR(.srcFormViewerPrintEngineCPrintEngine.cpp:1960 Fri Jan 29 15:27:50 2010):2780:8)'
Information: You are unable to print Lotus forms on HP printers when using the 64 bit version of Vista & Windows 7. This is a known problem that exists between IBM and HP, therefore it is 'way above our heads' to get fixed, however, here are a few ideas you can try and still cheaper than buying a new printer.
Solution 4-1: Download a program like DoPDF, print your form to the DoPDF 'printer,' then print the PDF to your printer
Solution 4-2: Open Pure Edge, Select Preferences, Printing options, Uncheck 'Print each page as a separate print job'
Solution 4-3: Print your form to the Microsoft XPS Document Writer 'printer,' then print the XPS to your printer
The below error and Solution was copied from the IBM Support Portal
Cac Card Reader Certificates For Mac
Problem 5: I see the following errors occur when opening Lotus® Forms:
20080109T154705.078-0600 3972 MEVRegisterErrorEx: Anthill_BuildBranch-API-Cannae-20050228Apisrcmasqutilmasqutil.c 10427 2079 118 22
20080109T154705.078-0600 3972 Viewer ReportAppMsg Title:'(null)' Msg:' at MUCreateDir(Anthill_BuildBranch-API-Cannae-20050228Apisrcmasqutilmasqutil.c:10427 Tue Apr 19 21:59:46 2005):3972:32 -> 22' TitleCode:7020 MsgCode:0
20080109T154706.515-0600 3972 MEVRegisterErrorEx: Anthill_BuildBranch-API-Cannae-20050228Apisrcmasqutilmasqutil.c 10508 2080 118 4294967295
20080109T154706.515-0600 3972 Viewer ReportAppMsg Title:'(null)' Msg:' at MUCreateAllDirs(Anthill_BuildBranch-API-Cannae-20050228Apisrcmasqutilmasqutil.c:10508 Tue Apr 19 21:59:46 2005):3972:32 -> -1' TitleCode:7020 MsgCode:0
Solution 5-1: To correct the problem, you must make sure the Viewer has read/write access to certain registry keys. The Viewer requires read/write access to the following paths/folders that are defined by the following registry keys:
1. HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersAppData
2. HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersPersonal
3. HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersDesktop
4. HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersCommon AppData
In addition, the Viewer requires read/write access to the following registry keys:
HKEY_CURRENT_USERSoftwareClasses
HKEY_CURRENT_USERSoftwarePureEdge
HKEY_CURRENT_USERControl PanelDesktop
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionApp Paths
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsAccepted Documents
Microsoft® Internet Explorer uses the following key and its sub-keys in order to properly host the Viewer. Access to these keys is critical in allowing the Viewer to interact with Internet Explorer:
HKEY_CURRENT_USERSoftwareMicrosoft
Solution 5-2: If the instructions confuse you above, look at: http://support.microsoft.com/kb/886549
Problem 6: Receiving internal error when opening Lotus Forms. Details show 'Null pointer dereferenced (in function RegistryIterator::updateCurrent()@.srcRegistryProfile.cpp:line531) Stack trace (unavailable)
Solution 6-1: Run this batch file to fix your computer. If your web browser blocked the file, download this text file and remove the .txt at the end, then run.
Solution 6-2: The following steps need to be completed while the affected user is logged in. Since they are merely modifying the keys corresponding with their user hive, elevated privileges are not necessary.
1. Go to Start, Run, type in: Regedit
2. Find [HKEY_CURRENT_USERSoftwareVB and VBA Program Settings] and delete the entire key.
3. Click Start - Programs - ApproveIT Desktop - ApproveIT Configuration.
4. On the default Signature Method tab ensure the option 'Sign using a certificate or smart card' is checked.
5. Click OK and test.
Solution 6-2 Alternative: Save ApproveIt_Fixer.doc to your computer, then open it. You may see a blank screen with a Security Warning. Select the 'Enable Content' button. Now click on Fix ApproveIt!, select OK. Provided by CPT H
Solution 6-3: 64 bit systems IBM Forms Viewer 4.0: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program Files(x86)IBMForms Viewer4.0extensions
and to
C:Program Files(x86)IBMForms Viewer4.0API80system
Solution 6-3a: 32 bit systems IBM Forms Viewer 4.0: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program FilesIBMForms Viewer4.0extensions
and to
C:Program FilesIBMForms Viewer4.0API80system
Solution 6-3b: 32 bit systems Lotus Forms 3.5: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program FilesIBMLotus FormsViewer3.5extensions
and to:
C:Program FilesIBMLotus FormsViewer3.5API76System
Solution 6-3c:64 bit systems Lotus Forms 3.5: Copy and paste libeay32.dll from C:Program Files(x86)ApproveIt to the following folders:
C:Program Files(x86)IBMLotus FormsViewer3.5extensions
and to:
C:Program Files(x86)IBMLotus FormsViewer3.5API76System
Solution 6-4: Go to Start, Run
Type 'regedit' (without the quotations)
Navigate to 'HKEY_CURRENT_USERSoftwareSilanis and delete it
Navigate to 'HKEY_CURRENT_USERSoftwareVB and VBA Program SettingsApproveIt MS Office' and delete it
Go to Start, All Programs, Startup, ApproveIt StartUp and click the ApproveIt Start up entry to start ApproveIt
Problem 7: When clicking the login button trying to access CHESS [with your CAC] to download Lotus forms you are prompted for your certificate. You select it and enter your PIN, it then states 'you will be logged in shortly.' Within a few moments, you are returned to the login page without being logged in.
Solution 7: Follow guidance in this PDF, or watch this video
Problem 8: If you are using Windows XP and you experience the Lotus Forms 'hanging' it may be because the Viewer is not able to find the Java Runtime or the Java Runtime is the wrong version needed for the Viewer.
Information: APD has worked with IBM on this issue and believe they have found the problem and the solution. It is posted at the following URL: https://www-304.ibm.com/support/docview.wss?uid=swg21474129
Problem 9: Receiving 'Bad length error' or 'Link-exception is thrown' when submitting a form
Solution 9-1: Visit IBM's support page for information about it. Basically, we have to wait for the next version to be released.
Solution 9-1a: Air Force members can read more at: http://www.e-publishing.af.mil/viewerdownload.asp
Problem 10: The check boxes have a green check inside rather than the black X.
Solution 10: Open Lotus Forms, click Preferences, (the icon with blue an red O with a +). Click Advanced Settings, Select the box next to: Use 'X' Style Check Boxes.
Problem 11: Receiving 'Internet Forms Error - The system cannot find the file specified. C:WindowsSystem32configsystem profile at location=2079(buildCypress.APIapisrcmasqutilmasqutil.c:10498 Wed Dec 3' several times when opening Lotus Forms in Windows 7 or this error in the image that follows:
Solution 11-1: Install Lotus Forms using compatibility mode for Windows Vista or XP
Solution 11-2: While it is true that the program does in fact need access to the keys you have listed in solution 5, the true problem is the necessary strings the program is looking for are not built in the shell folders key when a user logs on. We are not sure why the Lotus developers are still writing with the modules that look at that keys versus using the SHGetFolderPath or SHGetKnownFolderPath function instead. The following is what Julie has done in all cases and fixed the problem quickly.
BLUF: When the program opens, it looks for the actual entries in the shell folder registry key under the HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders key. If they are not there then you get the 10498 error and some funky language folders are created. I do not know why yet, why for some computers the strings are not being built off of what is indicated in the HKLM path but nonetheless all I did was export the key from a working machine, open it in notepad, replace all with the user name of the machine in error, and then import it to their computer. Once complete the program runs fine.
Solution 11-3: Visit: http://www.e-publishing.af.mil/viewerdownload.asp and download 'AFDPO Releases Updated IBM Lotus Viewer_DSig_3.5.1.333.exe' under Software Link:
Solution 11-4: If you have a Brother HL-2280DW wireless laser printer and have installed the Nuance software, they may be causing this error message. What worked for a few Soldier was to return it and get a different printer. They then had to restore their computers to an earlier time before the printer (and Nuance) software had been installed.
Problem 11a: Receiving 'Viewer : The system cannot find the file specified. C:Windowssystem32configsystemprofile at MUCreateDir(buildCypress.APIsrcmasqutilmasqutil.c:10498' when opening Lotus Forms in Windows 8
Solution 11a: See Solutions to Problem 5 above
Problem 12: Receive: 'An Error Has Occurred...' followed by 'The system cannot find the file specified.' Your only options are Close and Details >>.
Solution 12: Right click your taskbar, select Task Manager, look for Lotus Forms, you will probably 2 of them running. Right click one of them and select End Task. Now try it again.
Problem 13 (Fix for Government computer): After installing Adobe Acrobat Reader X, users are not able digitally sign forms in Lotus Forms
Information / Solution 13: When Acrobat Reader X is installed, you may not be able to digitally sign in Lotus Forms. It seems that when you click on 'Click to Approve' and the Digital Signature Viewer pops up; after you hit the 'Sign' button the 'ApproveIt-Certificate Selection' window does not pop up, the application just hangs indefinitely and so one cannot digitally sign.
Modify the value of:
HKEY_CURRENT_USERSoftwareSilanisApproveItSigningRealTimeTopazLib
To disable it the value should be 0.
It has only affected a small percentage of those computers that received the Acrobat X push and was hard to replicate the issue. This solution fixed both Vista 32bit and Win7 64bit systems that were imaged w/ AGM disks that had the problem. This fix also worked when rights elevation, uninstall / reinstall, libeay32.dll and se_cryptoapi.ifx fixes did not resolve the issue.
Problem 14: Receive the following error message after installing Lotus Forms 4.0.0.477: 'Your computer does not have a required file installed (Toolbar IFX). This will prevent you from saving the form back to the server. Please contact your help desk.
Solution 14: Follow guidance here
Problem 15: Receive the following error windows when trying to open a form. It can repeat several times, Lotus Forms won't close. Some people actually get Japanese characters.
Solutions 15: Download and save this text file titled: regkeys4_lotus_forms.txt file to your desktop.
Double click the .txt file and select Edit and choose Replace. Find and replace USER.NAME.HERE with your account name (this could be your AKO user ID if on a government computer, or your username on your home computer.
Save the file, then right click select Rename and remove the .txt replace it with .reg
Double click the regkeys4_lotus_forms.reg file
Now run Command Prompt as an administrator and paste this into the CMD Prompt: C:Program FilesIBMForms Viewer4.0>masqform.exe /register
or on a 64 bit version of Windows use this one:
C:Program Files (x86)IBMForms Viewer4.0>masqform.ext /register
MAC / APPLE SPECIFIC ISSUES
Problem 1: How do I use my CAC on my Mac
Solution 1: Follow instructions on this page
Problem 2: DTS page goes white after selecting Voucher or Authorization in DTS.
Solution 2: In Safari, select Safari, Uncheck Block Pop-Up Windows. You can also go to Safari, Preferences,Security, and uncheck Block pop-up windows under the Web content section.
Problem 3: When trying to view a website using Safari, you may see the alert message: 'Could not open the page. Too many redirects occurred trying to open (website name).' This may occur if you open a page that is redirected to open another page, which is then redirected to open the original page.
Information: This issue is typically caused by the website you're trying to view, not by Safari. Safari may be able to open the website at a later time, when the website's redirect problem has been corrected.
Occasionally, the issue might be caused by an interaction with Safari. The issue may also occur because redirect information has been retained beyond its useful life.
Solution 3: In some cases, resetting Safari may allow you to regain access to a website. To do that, follow these steps:
1. Choose Safari > Reset Safari.
2. Only check 'Remove all cookies' and 'Empty the Cache.'
3. Click Reset.
If the issue persists, sending feedback to the affected website may help. You can also send feedback to Apple by choosing Safari > Report Bugs to Apple.
OUTLOOK / MICROSOFT OFFICE / OWA
For DoD Enterprise Email users, please look here for specific support
Problem 1: After installing ActivClient and ApproveIt, Outlook users are unable to send email without selecting a certificate. You may also receive Invalid Certificate - Microsoft Outlook cannot sign or encrypt this message because there are no certificates which can be used to send from the e-mail address 'user@mail.com'.
or
Solution 1: Outlook 2010: Open Outlook, Click File, Options, Trust Center, Trust Center settings (button), E-mail Security, Uncheck the top 4 boxes
Outlook 2007: Open Outlook, Click Tools, Trust Center, E-mail Security, Uncheck the top 4 boxes
Outlook 2003: Open Outlook, click Tools, Options, Security tab, Uncheck the top 4 boxes
Problem 2: Receive ADTMSO.dll message after installing all needed software on Vista Premium.
Solution 2: Purchase Vista Ultimate and upgrade your Premium (I know this seems like an expensive option, but it did work for a Soldier in New York).
Problem 3: After installing ActivClient and opening Outlook, Receive error message: 'An extension file failed to initialize. Can't open the file: extend.dat'
You need to first be able to view hidden files (here's how):
- XP: Double click My Computer, once open, click on Tools (in the bar at the top), Folder Options, View tab, scroll down to Hidden files and folders, click the little circle next to Show hidden files and folders.
- Vista & 7: Control Panel (classic view), select Folder Options, click the View tab, scroll down to Hidden files and folders, click the little circle next to Show hidden files and folders.
- Vista & 7: Control Panel (Control Panel Home), select Additional Options, Appearance and Personalization, Folder Options, click the View tab, scroll down to Hidden files and folders, click the little circle next to Show hidden files and folders.
Solution 3: Make sure Outlook is closed, rename extend.dat to extend.bak, restart Outlook
- XP users, go to: C:Documents and Settings<userid>Local SettingsApplication DataMicrosoftOutlook
- Vista & 7 users, go to: C:users<userid>AppDataLocalMicrosoftOutlook
Problem 4: When using your Organization's OWA 2003 (Outlook Web Access) from home you cannot see the email in your inbox.
Solution 4-1: Go to Options, scroll down to Email Security, click on Download to download the S/MIME control
Solution 4-2: Make sure you are not automatically downloading your email at your office to your local hard drive. When you do this it removes the email from the server, therefore you cannot see it via OWA.
Problem 5: I Can't view Encrypted emails in Outlook Web Access / App
Solution 5-1: Make sure you have the S/MIME control installed.
NOTE: This is only available in Internet Explorer (32 bit). It will NOT work with the 64 bit version, on a Mac, or any other web browser.
NOTE2: Internet Explorer 10 & 11 runs in 32 bit mode by default, so, this should not be an issue. You would have to select 'Enable 64-bit processes for Enhanced Protected Mode' to actually run in 64 bit mode. More information can be read here.
Solution 5-2 (OWA 2003): Go to Options, scroll down to Email Security, click on Download to download the S/MIME control. You also need to have ActivClient installed on your computer. Unless you are using the Windows 7 Smart Card service with your PIV II CAC, then you won't need ActivClient.
Solution 5-3 (OWA 2010): Click Options, See All options..., Settings, S/MIME, click on Install the S/MIME control
NOTE3: You will not see S/MIME control in IE 11 until you first add 'mail.mil' [or any other websites that are not working] to your 'Compatibility View Settings' by following slide 19 in this guide.
Solution 5-4: If you have recently received a new CAC, follow along with this guide (CAC required link) explaining how to recover your old CAC certificate(s). NOTE: You HAVE to be on the military unclassified network to access the certificate recovery websites, which means you cannot access the links from your home computer.
Problem 6: How do I access my encrypted email / files once I receive a new CAC?
Solution 6: Emails & Files- Follow along with this guide explaining how to complete this process. You will need to logon to the server with your current CAC non email certificate(this is what will authenticate you as you).
Problem 7: ActivClient is prompting for a smart card (5 times) when opening Windows Mail
Solution 7-1: Open ActivClient, go to Tools, Advanced, Configuration and change 'Remove certificates from Windows on Smart Card removal' from 'No' to 'Yes.'
Solution 7-2: This can also happen when trying to use the Native Windows 7 smart card program. Using ActivClient will not cause this problem (other than Solution 7 immediately above).
Problem 8: Now that I have received a new CAC, how do I encrypt emails again in Outlook? (Government computers only)
Solution 8: You need to publish your new CAC certificates to the Global Address List (GAL), here's how:
Outlook 2003: Tools, Options, Security (tab), Publish to GAL... (button)
Outlook 2007: Tools, Trust Center..., E-mail Security, Click on Publish to GAL...(button)
Outlook 2010: File (tab), Options, Trust Center, Trust Center Settings...(button), E-mail Security, Click on Publish to GAL...(button)
Outlook 2013: Click the 3 little dots (upper right corner of screen), File (tab), Options, Trust Center, Trust Center Settings...(button), E-mail Security, Click on Publish to GAL...(button)
Problem 9: Receive error message 'You do not have a valid certificate to encrypt to the following recipients....'
Cause: It is necessary to have a copy of the recipient’s public key to encrypt email messages.
Solution 9: 1) Have recipient send you a digitally signed email. Right click on their name in the from line and add them to your contacts. Click Save - Close. To send an encrypted email click on New - Mail Message. Create your message. Click To, and in the Select Names window drop-down list, click Contacts. Select the recipient’s email address from Contacts. On the message toolbar, Click Options - Security Settings, and select Encrypt message contents and attachments check box. Click OK - Close. Click Send.
2) Look up the recipient at https://dod411.gds.disa.mil and download their public key to your computer. Create a contact in your contacts list for them and add the certificate to it. Follow the steps above to send encrypted email.
Problem 10:Is there a way to adjust the size of the digital signature when signing in Word 2003 or 2007 using my CAC? We are able to digitally sign, but the signature is so large it won't fit within the borders of a standard size memo.
Solution 10: Yes, follow this Word document
Problem 11: Receiving the following error message when trying to use OWA on Windows 7 (64bit) & (32bit): 'A digital ID that allows you to sign this message is missing.'
Solution 11-1: Add your OWA link to your Trusted Sites (this may be needed for Internet Explorer 9 users)
Here's How: Open Internet Explorer, Go to Tools, Internet Options, Security (tab), Trusted Sites (green checkmark), Sites (button), Type your entire OWA web address into the Add this website to the zone (box) Example: https://web.mail.mil Other OWA site links can be found on the OWA page.
Solution 11-2: Install the S/MIME from the options section in your OWA client (see #5 above). If you have problems installing the S/MIME check to make sure that 'Do not save encrypted pages to disk' is unchecked under Tools, Advanced (tab).
NOTE: The S/MIME will ONLY work with the 32 bit version of Internet Explorer. It is not compatible with the 64 bit version.
Problem 12: You want to be able to Digitally Sign or Encrypt emails with Outlook when using AKO via IMAP, but you can't find where to add the buttons.
Solution 12: When composing a new email, click on the Options tab and you will see Encrypt and Sign
Problem 13: Users are having long load times when receiving digitally signed or encrypted emails.
Solution 13: Follow guidance in this guide
Problem 14: Receive message: 'This message can't be decrypted. If you have a smart card-based digital ID, insert the card and try to open the message again' when using Outlook Web Access / App (OWA)
Solution 14: Make sure the email address that is listed on your CAC is also in your Exchange profile. NOTE: This is why Army users have AKO email address on our CACs, and that our AKO email address is also listed as an alias in our Exchange profile.
Here's how: To change your email address on your CAC. This will also add it to your CAC if you don't have an email address on your CAC as well.
Problem 15: ApproveIt tab does not show up in Microsoft Word 2007 or Excel 2007.
Solution 15-1 for Word: Follow this guide
Solution 15-1 for Excel: Follow this guide
Solution 15-2: Create a new profile on your computer and digitally sign the Word and Excel files from that profile
Problem 15a: ApproveIt tab does not show up in Microsoft Word or Excel 2010 or 2013. (Will NOT work with 64 bit version of Office) Here's how to find out which one you have installed.
Solution 15a-1: Follow the guidance on this page
Solution 15a-2: The wait is over for the Army to replace ApproveIt with e-Sign. Read the 21 September 2011 press release.
Problem 16: Receive 'HTTP/1.1 503 Service Unavailable' when attempting to access your email via OWA.
Information: This is caused when the Exchange server is down, or having problems.
Solution 16: Try accessing your email at a later time
Problem 17: Receive: 'Cannot connect to Internet Directory Service (LDAP) server: directory.us.army.mil. Check your network connection or modify your Address Book settings.' Followed by 'The search cannot be completed. MAPI_E_CALL_FAILED' after setting up the AKO LDAP address book.
Solution 17-1:Latest DoD Certificates are needed
Solution 17-2: If you have changed your AKO password recently, you need to change it in your LDAP connector as well.
Problem 18: You are on one of the many RW#.army.mil OWA email servers and are having problems connecting to your email.
Solution 18: You may have been migrated to DoD Enterprise Email, follow links on the OWA specific page.
Problem 19:Air Force Users Only: Everything appears to be setup correctly, but Outlook Web Access (OWA) STILL prompts that the digital ID is missing when attempting to send signed/encrypted.Also, the user cannot read signed / encrypted messages.
Solution 19:According to Air Force Public Key Infrastructure (AF PKI), the email address found on the certificate must be also listed as a proxy SMTP address for the end user. With the advent of Email for Life (E4L), the e-mail address listed on the certificate is the E4L address.This e-mail address may not necessarily be listed on the user account.
(Background:With E4L, many Air Force users have a lifetime email address, @us.af.mil, and a regular e-mail address, @base.af.mil)This @us.af.mil exists at another location, and then forwards to the appropriate @base.af.mil address.This works decently well.However, in the case of signing messages with OWA S/MIME, that E4L address needs to be listed on the user's base account, or they won't be able to sign / encrypt email in their client.
According to AFPKI:
'Important Note: Suppression of Name Checking does not work with OWA S/MIME. In order for a user to send signed e-mail or receive encrypted e-mail, the e-mail address on their e-mail certificates must match either their primary network Simple Mail Transfer Protocol (SMTP) e-mail address or one of the proxy SMTP addresses for their e-mail account. Use of the proxy address is controlled through the OWA S/MIME Security Setting “CertMatchingDoNotUseProxies”, which by default allows the use of proxy addresses. The AF PKI SPO recommends the default for all of the OWA S/MIME Security Settings. Detailed descriptions of the available security settings can be found in Microsoft’s Exchange Server 2003 Message Security Guide available at: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exmessec.mspx
In order to correct a case of e-mail mismatch, the Exchange administrator can add the e-mail address in the user's certificate to the list of user e-mail addresses, or a user can obtain new e-mail certificates either by returning to a DEERS / RAPIDS ID card issuance facility or accessing a User Maintenance Portal / Post-Issuance Portal (UMP/PIP) via their workstation.
UMP/PIP website: https://www.dmdc.osd.mil/self_service , select Replace Certificate to avoid going to a RAPIDS Site.
NOTE: You'll have to logon to the UMP/PIP site with your CAC. Visual steps
NOTE2: In my tests with Windows 7, it did NOT work with the Windows 7 built in Smart Card utility or with ActivClient installed. So, you will need to find a Windows Vista or XP computer with ActivClient installed.
Source: https://afpki.lackland.af.mil/html/kbdetail.cfm?id=343
Solution 20-1: Visit this website: https://www.dmdc.osd.mil/self_service, select Replace Certificate
NOTE: You have to logon to the site with your CAC. Visual steps or these steps
NOTE2: In my tests with Windows 7, it did NOT work with the Windows 7 built in Smart Card utility or with ActivClient installed. So, you will need to find a Windows Vista or XP computer with ActivClient installed.
An Air Force Major sent this to me: 'When I tried to access the CAC User Maintenance Portal on a Windows 7 computer, the Java failed; however, when I tried the same thing on my Windows 7 computer at work (.mil domain), Java still failed but I got a popup dialog that told me I had to use the 64-bit version of IE and Java.When I started a browser session with the 64-bit IE, I was able to get to the User Maintenance Portal just fine.'
Solution 20-2: You can also visit an ID card office
Cac Card Certificates Mac
Problem 21: Problems with mail.mil when using 64 bit AGM and 32 bit office 2007
Solution 21: Follow guidance in this PDF.
Problem 22: You are using OWA 2010, and do not like the conversation view...
.
Solution 22: Visit either of these links to see how to change it: http://kb.iu.edu/data/azwv.html, alternate link: http://oit2.utk.edu/helpdesk/kb/entry/1669/
Problem 23: How can I find out how much space I'm using in OWA 2010?
Solution 23: Hold your mouse over the root of your mailbox folder [Your name]. You 'may' need to click it
Problem 24: Outlook issue on a Government computer: I can select the certificates to digitally sign emails but when I click ok to make the changes made stay. I get an error telling me to insert a card into the reader. The card is there, it can be used to access military websites it's just not recognized by Outlook.
Solution 24: Make sure your email address is correct on your CAC.
Here's how: Open ActivClient, click on My Certificates, click the middle certificate. Make sure the email address there is correct. 'Most' Army users will have either their AKO or mail.mil email addresses in the email address block.
Fix: Look here problem 20 or here problem 24, or visit an ID card office
Problem 25: You see the following error message when using Outlook Web Access 2003 with Internet Explorer 10 (this affects both Windows 7 & 8 users)
Here is what it says:
Solution 25: Internet Explorer 10 is not compatible with Outlook Web Access 2003. You can use Compatibility view by clicking the little 'torn paper' icon in the web address line.
Problem 26: Receiving following message in OWA when trying to open an encrypted email message: 'This message can't be decrypted. If you have a smart card-based digital ID, insert the card and try to open the message again.'
You may be able to encrypt outgoing emails, but decrypting is your issue.
Solution 26: When the message appears, remove your CAC from the reader, reinsert it, select another email, and reselect the encrypted email. IE may ask again for your PIN and then it will decrypt the email so you can read it.
Problem 27: Web.mail.mil / OWA locking up when trying to delete a thread of email with Skype Click to Call (C2C) installed.
NOTE: You may have received an auto update to Skype on your Windows computer. This update comes with C2C. One person noticed the issue appear and also noticed that phone numbers in emails suddenly appeared in blue (hyperlinked) with a Skype symbol next to them.
Solution 27: Uninstall C2C and the issue with locking up OWA when deleting email threads went away.
Problem 28: When trying to send an email from Outlook on a Government computer, receive the following error message:
Solution 28-1 (All Computers): Remove CAC, then reinsert it Try sending your email again
Solution 28-2 (ActivClient installed Computers): Open ActivClient, right click My Certificates, select Make Certificates available to Windows. Try sending your email again
PURE EDGE VIEWER (replaced by LOTUS FORMS)
The ideas on this website are from my personal experience. I have been told by Army Publishing Directorate (APD) to send users to their help desk so they become aware of the problems with this program. 703-692-1306 / DSN: 312-222-1306, Webform, or usarmy.pentagon.hqda-apd.mbx.fcmp@mail.mil
If you are having problems accessing the CHESS website, contact theCHESS help desk at: peoeis.pdchess.helpdesk@us.army.mil or 888-232-4405 / 703-806-1019 / DSN: 312-656-1019 (Monday - Friday 0800-1700 EST).
Problem 1: The word Sign is 'GRAYED OUT' when attempting to digitally sign a Pure Edge form.
Solution 1: See answers in THE WORD SIGN IS GRAY section below.
Problem 2: 'One or more signatures could not be verified' when opening Pure Edge
Solution 2-1: Verify you have ApproveIt installed.
Solution 2-2: Restart your computer (if you have just installed ApproveIt)
Solution 2-3: 64 bit systems IBM Forms Viewer 4.0: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program Files(x86)IBMForms Viewer4.0extensions
and to
C:Program Files(x86)IBMForms Viewer4.0API80system
Solution 2-3a: 32 bit systems IBM Forms Viewer 4.0: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program FilesIBMForms Viewer4.0extensions
and to
C:Program FilesIBMForms Viewer4.0API80system
Solution 2-3b: 32 bit systems Lotus Forms 3.5: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program FilesIBMLotus FormsViewer3.5extensions
and to:
C:Program FilesIBMLotus FormsViewer3.5API76System
Solution 2-3c:64 bit systems Lotus Forms 3.5: Copy and paste libeay32.dll from C:Program Files(x86)ApproveIt to the following folders:
C:Program Files(x86)IBMLotus FormsViewer3.5extensions
and to:
C:Program Files(x86)IBMLotus FormsViewer3.5API76System
Solution 2-4: Latest DoD Certificates are needed
Solution 2-5: Uninstall ApproveIt 5.8.2, 5.9, or 6.1, restart computer, Install ApproveIt 5.7.3. Follow instructions below.
Solution 2-6: The new Lotus Forms and ApproveIt 6.5 works very well on Vista and Windows 7. I would recommend you upgrade. If you are still using using XP, it does not work as well. Look at #4 immediately above
Problem 3: Digital Signature not loading
Solution 3-1: Visit here
Solution 3-2: Uninstall ApproveIt 5.8.2, 5.9, or 6.1, restart computer, Install ApproveIt 5.7.3. Follow instructions below.
PLEASE NOTE: ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.
Problem 4: Receiving internal error when opening Pure Edge. Details show 'Null pointer dereferenced (in function RegistryIterator::updateCurrent()@.srcRegistryProfile.cpp:line531) Stack trace (unavailable)
Solution 4-1: Run this batch file to fix your computer. If IE blocked the file, download this text file and remove the .txt at the end, then run.
Solution 4-2: The following steps need to be completed while the affected user is logged in. Since they are merely modifying the keys corresponding with their user hive, elevated privileges are not necessary.
1. Go to Start, Run, type in: Regedit
2. Find [HKEY_CURRENT_USERSoftwareVB and VBA Program SettingsApproveIt MS Office] and delete the key.
3. Find [HKEY_CURRENT_USERSoftwareclassesApproveItDesignerAddIn] and delete the key.
4. Find [HKEY_CURRENT_USERSoftwareclassesCLSID{97A21885-E335-4164-AD1C-8A3BF0F003E9}] and delete the key.
5. Find [HKEY_CURRENT_USERSoftwareclassesCLSID{08E623D3-BEAD-4bd3-8401-EFF51FD754CE}] and delete the key.
6. Click Start - Programs - ApproveIT Desktop - ApproveIT Configuration.
7. On the default Signature Method tab ensure the option 'Sign using a certificate or smart card' is checked.
8. Click OK and test.
Solution 4-2 Alternative: Save ApproveIt_Fixer.doc to your computer, then open it. You may see a blank screen with a Security Warning. Select the 'Enable Content' button. Now click on Fix ApproveIt!, select OK. Provided by CPT H
Solution 4-3: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders: C:Program FilesPureEdgeViewer6.5extensions and to: C:Program FilesPureEdgeViewer6.5API65SystemPDF with complete instructions
Solution 4-4: Go to Start, Run
Type 'regedit' (without the quotations)
Navigate to 'HKEY_CURRENT_USERSoftwareSilanis and delete it
Navigate to 'HKEY_CURRENT_USERSoftwareVB and VBA Program SettingsApproveIt MS Office' and delete it
Go to Start, All Programs, Startup, ApproveIt StartUp and click the ApproveIt Start up entry to start ApproveIt
Problem 5: 'Pure Edge Viewer has encountered a problem and needs to close. We are sorry for the inconvenience.'
Solution 5: Copy 'libeay32.dll' from the following location: 'C:Program FilesApproveIt'
Paste the files into both of the following locations: 'C:Program FilesPureEdgeViewer 6.5API65System' and 'C:Program FilesPureEdgeViewer 6.5extensions'
Reason: These files can get written over by some Microsoft Updates. Pure Edge cannot use the newer files that were installed by Microsoft.
Problem 6: Receive the following error 'Form API initialization Failed'
Solution 6-1: Reinstall Pure Edge
Solution 6-2:
1. Insure you close all errors that appear when launching a PureEdge form
2. Go to: C:windowssystem32 and double click 'fixmapi.exe'
NOTE: This file will not show anything, give it approximately 5-10 seconds to insure it completed
3. Attempt to open the PureEdge form again
Problem 7: Receive ePersona message when trying to sign a form in Pure Edge with Approve It.
Solution 7: Close PureEdge (if it is open). Go to: C:Program FilesApproveIt, double-click the icon that looks like a wrench titled: 'AprvCfg.exe'. On the Signature Method tab, make sure the radio button is on the bottom choice - 'Sign using a certificate or smart card.' Don't change anything else. Click Apply, then OK
After you click 'Sign' in PureEdge, it may take a few minutes for the list of certificates to pop up. Be patient. Choose the certificate that doesn't say Email, and put a check in the box that says 'Use this certificate as default' (if this is your personal computer).
Problem 8: Receive ' MUCreateDir(Anthill_BuildBranch-API-Cannae-20050228Apisrcmasqutilmasqutil.c:10427 Tue Apr 19 21:59:46 2005):2696:32-> 22'
Solution 8-1: Try the same Solution as Problem #5 above
Solution 8-2: Read the Tech notes on IBM
Solution 8-3: Read Microsoft Support information
Solution 8-4: If you are using Vista and the errors happened after macrovision, this is the fix.
Logon as an administrator (i.e. using your SA account) instead of right clicking and choosing 'run as'(do not choose).
Open PureEdge to make sure it is running fine(if macrovision hasn't been installed already).
Install macrovision if not yet installed.
If you are unsure it has been installed, go ahead and run it and it will ask you to modify, repair, or uninstall. Uninstall it and reboot, then you can install it again.
Open PureEdge to see if it has the errors.
Go into Regedit follow this path;
HKCUsoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersAppData
Before you install macrovision AppData key is:
C:Users**USER.NAME**AppDataRoaming
After you install it, nothing will be in its place so you can copy the above key from another key ONLY to roaming.
After, open PureEdge and and check to see if the errors were fixed.
Solution 8-5: Uninstall ApproveIt 5.8.2, 5.9, or 6.1, restart computer, Install ApproveIt 5.7.3. Follow instructions below.
PLEASE NOTE: ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.
Problem 9: Pure Edge bar stalls half way across the screen when attempting to load a form
Solution 9-1: Reinstall the DoD certificates & ApproveIt try to access your form again.
Solution 9-2: Create a new profile and install Lotus Forms and ApproveIt from this new profile.
Problem 10: 'Unable to complete the signature; the private key cannot be found or is inaccessible on the system. Make sure you are using a good signing key or the right smart card.'
Solution 10: Look at ApproveIt Problem 4 above.
Problem 11: Receive 'Internal function call failed. at IFSObject_RegisterClass(Anthill_Build/Branch-API-Cannae-20050228ApisrcifxIFSObject.c:1997 Tue Mar 15 12:04:02 2005):2788'
Solution 11-1: Uninstall ApproveIt 5.8.2, 5.9, or 6.1, restart computer, Install ApproveIt 5.7.3. Follow instructions below.
Solution 11-2: You can also try items listed at #9 above or #5 in the LOTUS section
Problem 12: If you receive an ePersona message, or 'Add digital ID' with the choice of, I want to sign this document using?
Solution 12: Visit the Notes page to find out how to correct this.
Problem 13:Unable to print forms from Pure Edge Viewer in Vista & Windows 7 64 bit systems with HP printers. (Receive an error similar to: Viewer : Printer Driver's EndPage() Failed at PRINT ERROR(.srcFormViewerPrintEngineCPrintEngine.cpp:1960 Fri Jan 29 15:27:50 2010):2780:8) )
Solution 13-1: Download a program like DoPDF, print your form to the DoPDF 'printer,' then print the PDF to your printer
Solution 13-2: Open Pure Edge, Select Preferences, Printing options, Uncheck 'Print each page as a separate print job'
Solution 13-3: Print your form to the Microsoft XPS Document Writer 'printer,' then print the XPS to your printer
Problem 14: Receive error message: 'Unable to initialize the API at C:Progra~1PureEdgeVIEWER1.5API65'
Solution 14:Follow guidance to uninstall Pure Edge here.
VISTA UAC (USER ACCESS CONTROL)
Problem 1: If you do not like it, read below on how to turn it off.
Solution 1-1: Visit How-To-Geek for easy screen shot views (I prefer this method)
Solution 1-2: Video on Chris.Pirillo.com
Solution 1-3: User Access Control message. Here is a registry hack to turn User Access Control off (right click, save target as on DisableUACforAdmin.reg), then double click it. You will not have to enter the registry with this small .reg file as it will automatically change the location in the registry for those of you who are uncomfortable working in the registry. I use this registry hack on my Windows Vista computers and do not get the annoying message saying that I'm not safe. If you feel you should have it after turning it off, here is another .reg file to re-enable the UAC (right click, save target as on Re-EnableUACforAdmin..), then double click it.
OTHER MISC ERROR MESSAGES
Problem 1: The system could not log you on. 'The requested key container does not exist on the smart card.'
Solution 1-1:Have someone else log onto the same computer, double click ActivClient, Click on Tools, Advanced, Forget State for all cards. This 'other' person does NOT have to be an administrator.
Solution 1-2: Visit Google Groups for another possible solution
Problem 2: Unable to install the DoD Certificates, or you keep getting 'Unable to sign using a certificate; there are no valid signing certificates available on the system.'
Solution 2-1: Download the InstallRoot file to your computer, then Right click it and select Run as an Administrator
Solution 2-2: Create a second profile and install DoD Certificates from the new profile.
Problem 3: 'The signature could not be created because the private key of the certificate could not be accessed'
Solution 3: Look at ApproveIt #18 above
Problem 4: 'The specified CSP doesn't contain any unexpired digital signature certificates matching your certificate filter (see Advanced Preferences).'
Solution 4-1: Restart Computer after installing Approve It (multiple restarts might be required).
Solution 4-2: For Pure Edge: Open Preferences, Advanced (tab), clear all contents out of the Digital Certificate Identity Filter box, Path to Netscape profile, and uncheck the Check CRL distribution points box.
Solution 4-2a: For Lotus Forms Viewer: Click File, Preference, Advanced Settings, clear all contents out of the Digital Certificate Identity Filter box, and uncheck Check CRL distribution Points.
Solution 4-2b: Replace se_cryptoapi.ifx follow instructions below (or this PDF).
Here's How: Make sure you are using Lotus Forms 3.5.1.123
1. Navigate to: C:Program FilesIBMLotus FormsViewer3.5API76System
Army Cac Card Reader Certificates
2. Rename se_cryptoapi.ifx to se_cryptoapi.ifxORIGINAL
3. Move this file out of the directory by cutting it, then pasting somewhere (like your desktop)
4. Copy and paste this new se_cryptoapi.ifx to: C:Program FilesIBMLotus FormsViewer3.5API76System
5. Start the viewer and retest the digital signature.
Solution 4-3: Uninstall ApproveIt 5.8.2, 5.9, or 6.1, restart computer, Install ApproveIt 5.7.3. Follow instructions below.PLEASE NOTE: ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.
Solution 4-4: Follow the instructions located on slide 14 of this guide to clear old Certificates out of the browser.
Solution 4-5: Create a new profile on your computer and install ApproveIt from the new profile.Make sure you uninstall it first from your current profile, restart computer before reinstalling.
Problem 5: Receive a 'MASQFORM.exe' error when using PureEdge
Solution 5: Copy and paste libeay32.dll from C:Program FilesApproveIt to the following folders:
C:Program FilesPureEdgeViewer6.5extensions and to:
C:Program FilesPureEdgeViewer6.5API65System PDF with full instructions
Problem 6: Receive 'Unable to install Microsoft visual C++ 2005 Redistributable Package. Contact your IT support' error when installing ActivClient 6.1
Solution 6-1: Re-Extract the files and run again
Solution 6-2: You may have to re-download, then re-extract that file
Solution 6-3: Create a new profile on your computer and install ActivClient from the new profile.
Problem 7: Receive the following error 'An installation support file could not be installed. The system cannot find the file specified.' when trying to install ApproveIt with Pure Edge Viewer.
Solution 7: After performing the uninstall / reinstall steps and you still get the error message. Try the following:
Go to Start, Run (Start Search) and enter 'regedit' and delete the following key.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall
{E00000650-0650-0650-0650-000000000650}
This will remove the entry for the 6.5 Viewer in the Add/Remove programs list.
Following this, they should run the installer with Administrative privileges.
Problem 8: Receive the following error 'Please enter the master password for the ActivIdentity ActivClient 0.' when using Firefox.
Solution 8-1: This is Firefox's 'secret code' forEntering your CAC [6-8 digit] PIN
Solution 8-2: You are getting this error because you are trying to use Firefox and your CAC.
You have 2 options, first is to switch over to Internet Explorer for any websites you need to use your CAC. Second option is to visit the Firefox support page and attempt to get your Firefox working using the instructions.
NOTE: Firefox will only work with ActivClient (or OpenSC) installed. Therefore if you are using the Windows 7 or 8 / 8.1 built in Smart Card utility, it won't work.
Problem 9: Certificate box comes up empty when trying to access a webpage.
Solution 9:Latest DoD Certificates are needed, instructions are here
Problem 10: Receive error message: 'Local policy does not allow you to log on interactively.'
Solution 10:Latest DoD Certificates are needed, instructions are here
Problem 11: Government owned Vista computer will not read CAC after computer is locked.
Information: Sometimes when a user locks their Vista computer, they are unable to unlock it because their CAC will not read. The research points toward buffer overflow errors and memory write errors due to registry key permissions. Two workarounds have been found:
Solution 11-1: Disable Windows Aero theme, instructions can be read on HowToGeek or LanceLHoff
Solution 11-2: Unplug and re-plug in the CAC reader or keyboard w/CAC reader (this is the equivalent of rebooting the reader, but only works for external CAC readers)
Problem 12: Problem accessing some CAC enabled websites
Solution 12: Run this .bat file to clear out old certificates from your computer. If your computer blocks the download, please download this file and remove the .txt from the end of the file name.
CURRENT PROBLEMS WITH NO KNOWN RESOLUTION
Please continue to check back later to see if a Solution has been found
If you've found a Solution for this, please contact me
NONE right now
Question 1: How can I set up my personal Windows computer to be able to login with my CAC (like my government computer)?
Answer 1-1: You can try this program if you are using Windows 7 or 8. (I personally have not tried it). Please let me know how it works for you. I only have 1 CAC, and need to access multiple computers at the same time. So, I can't afford to tie it up on one computer.
Notes from a person who tried the idea above: 'The solution listed above worked great. Just remember after restart when you set it up, the first password you put in is the User Account Password, then when clicking finish to test, I had to select the second certificate on the popup. All went well!
Answer 1-2:From what I've been able to figure out over the years, you will need a Domain Controller running smart card authentication. This way you can put the correct settings in your user accounts that will tell your computer through Group Policy that it has to use a CAC to be able to logon to it.
More information: Unless your computer is joined to the domain from which the card is used on, you can't use the card for logon. Smart card logon to a Windows system requires Kerberos authentication and in a work group environment you don't have or use Kerberos. Your computer would have to be connected to the DoD domain for the initial logon at which time the logon credentials are cached. You would then be able to logon without a connection to the DoD network. Your home computer is not joined to one of the DoD domains, so you'll never be able to use your CAC for login.
My personal thoughts: It is not worth the money to have to set up your own domain controller server at your house for one computer to be able to logon to a personal laptop with a CAC. I would not want that either because I only have 1 CAC, and I am using 2 computers at a time almost all of the time. So, one is using my CAC (my work computer) and the other is a normal logon and password.
Question 2: Can I set up my personal Mac computer to be able to login with my CAC?
Answer 2-1: Follow this guidance in this PDF
Answer 2-2: Follow these instructions from Thursby (I have NOT tested this).
Question 3: Are Individual Ready Reserve (IRR) Soldiers eligible for a Common Access Card (CAC)?
Answer 3: IRR Soldiers are issued the Armed Forces of the United States Geneva Conventions Identification Card (Reserve) (Green). If on active duty orders for 31 days or longer the IRR Soldier can receive a CAC.
Members being released from active duty with a Military Service Obligation (MSO) are part of the IRR and will be issued the green Reserve ID cards.
Question 4: Are retirees and family members eligible for a Common Access Card (CAC)?
Information: The CIO/G6 recognized the need to provide stronger authentication for retirees and had a working pilot program to provide Smart Cards with DoD PKI certificates to Army retirees and family members. The cards were used as an alternative to username password login to Army websites. The pilot was limited to 2,500 users and evaluated user experience and the overall acceptance of using the card as a replacement for username / password login. Other alternatives such as One Time Passwords were also being considered. Sites such as MyPay will be allowed to continue to use username and password until a stronger authentication solution is fielded.
UPDATE: This Pilot program ended on 1 October 2012
Answer 4: Not at this time. Retirees will continue to receive the traditional Retired (blue) or Reserve Retired (red) cards. Family members will continue to be issued the tan or red cards.
Question 5: My PBUSE worked the other day, now it does not work anymore.
Information: Changes were made to the PBUSE Enterprise configuration to increase SSL encryption security, per DoD requirements. These changes are needed to support the System Accreditation.
Answer 5: Users accessing PBUSE using a Tier I built system are not impacted. For users using a non-issued PBUSE work station configuration, you must change the web browser settings in order to access PBUSE. Click on this link to read the instructions on how to change your computer's Security Settings. These actually mirror the same settings shown at the AKO Solutions page #4
Question 6: I am retired and do not have a CAC anymore. How do I access my military records, since iPerms is 100% CAC authentication?
Answer 6-1:Your records are archived; therefore, veterans and authorized family members must request a copy of their records by submitting a prepared Standard Form 180 to the appropriate address listed on the back of the form or by going to the following website to submit the request electronically:
http://www.archives.gov/veterans/evetrecs/
NOTE: If you do not consider yourself 'computer-savvy,' or want to discuss this with someone at the facility, the number to call is 1-866-272-6272.
.
Answer 8:Emails & Files- Follow along with this guide explaining how to complete this process. You will need to logon to the server with your current CAC (this authenticates you as you).
Question 9: Prompted repeatedly for your CAC PIN when using Windows 7 (and 8) built in Smart Card utility accessing CAC enabled websites.
Background: The way Windows 7 (and 8) accesses your CAC It doesn’t cache your CAC PIN on your computer
Solution 9-1 Windows 7: Install ActivClient (this program will cache your PIN for 15 minutes).
.
Solution 9-1a Windows 8: Install Coolkey or purchase CSSi (these programs will cache your PIN)
Question 10: My email address is incorrect on my CAC, How can I fix it?
Answer 10:Follow guidance here
THE WORD SIGN IS GRAY
The ideas on this website are from my personal experience. I have been told by Army Publishing Directorate (APD) to send users to their help desk so they become aware of the problems with this program. 703-692-1306 / DSN: 312-222-1306, Webform, or usarmy.pentagon.hqda-apd.mbx.fcmp@mail.mil
If you are having problems accessing the CHESS website, contact theCHESS help desk at: peoeis.pdchess.helpdesk@us.army.mil or 888-232-4405 / 703-806-1019 / DSN: 312-656-1019 (Monday - Friday 0800-1700 EST).
NOTE: Remember, for the ideas below... try the first Solution, if it doesn't work, try the next one, and so on. It is not a follow 1-1 through 1-7, then try it. If solution 1-1 through 1-7 don't work, try 1-8
Problem 1: Unable to sign forms because the Sign box stays gray (even after downloading the latest DoD Certificates following the instructions on the DoD Certs page).
Solution 1-1: Verify that you do have ActivClient with update (or Windows 7 / 8 built in Smart Card utility) & eSign / ApproveIt installed AND the computer has been restarted.
Solution 1-2: Verify that you installed eSign / ApproveIt AFTER Lotus Forms or PureEdge, if not, uninstall eSign / ApproveIt, restart computer, install again, then restart one more time. This means IF you update Lotus Forms after eSign is installed, you'll need to uninstall eSign, restart computer, then install eSign again.
Solution 1-3: Try signing this sample form. If you can, your software is installed correctly. This is common when using MyForms and the form was routed to you as a copy instead of as an original. When this happens, you cannot sign the form. You HAVE to have the form routed to you as an original, if not, you will be unable to sign it. You can verify if this is the problem by clicking on this sample form and attempt to sign any one of the three possible places at the bottom of the form. If your digital signature works there, you know your software install is correct.
Solution 1-4: If you have recently updated to Lotus Forms, please look above at the Lotus Forms section
Solution 1-5: The DA 4651 [is one form] that IF signed out of order, will make the word Sign gray for all signatures above the one already signed.
Solution 1-6: Follow these instructions provided by the US Army Publishing Directorate
Solution 1-7:Go to Start->Run->type in Regedit (Anytime you make changes to the Registry it is a highly recommended you back it up first)
Navigate to:
'HKEY_CURRENT_USERSoftwareSilanisApproveItSigningRealTime'
- Expand / open 'RealTime' you will see (or should see) several entriesfor signing devices, you will need to select/highlight each entry,then in the window pane on the right, double click to open the entry 'EnableDevice'
- When this opens, you will need to change the Value to 0
- Change the Value to 0 for all the entries excluding 'NameFilters,' which is not a device descriptor