YOU MAY BE ABLE TO USE YOUR CAC WITH WINDOWS 7 (or 8) WITHOUT INSTALLING ACTIVCLIENT
|
||||||||||
|
I have had no problems using the Gemalto TOP DL GX4 144 & Oberthur ID One 128 v5.5 Dual CACs on Windows 7 Professional & Ultimate (64bit editions) without ActivClient. Windows 7 Home Premium (64bit) version would not read the Oberthur ID One 128 v5.5 Dual CAC until I installed ActivClient 6.2.0.50 with update. See below that you'll need the newer style card (the one on the right) with the wavy words AND it has to be a Gemalto TOP DL GX4 144 or an Oberthur ID One 128 v5.5 Dual CAC (see images of sample CACs)
(The following information was received originally from the Air Force) Revisions have been made by Michael Danberry Download / Save this page as a PDF Information :Microsoft Windows 7 (& 8) include a native capability to read and use the newest CAC-based PKI certificates without installing middleware such as ActivClient. If you have a fully Personal Identity Verification (PIV) II-compliant CAC, you may be able to use your CAC on Windows 7 (& 8), without having to install ActivClient. The following instructions will help you configure Windows 7 (& 8) to use a CAC without ActivClient. These instructions are not applicable if you already have ActivClient installed. If you want to try this process, you will need to uninstall ActivClient, restart your computer, then follow these instructions below:NOTE: If you are a Firefox user, you will have to use Internet Explorer or install a program like ActivClient or OpenSC to be able to access CAC enabled websites, since Firefox needs certain .dll files registered that are found in both ActivClient & OpenSC. So far, I have not found anyone that OpenSC works for on a Windows computer. So, if you figured it out, please let me know. Instructions :NOTE: These instructions are provided as general guidance for home use only. If these instructions do not work on your system, visit the ActivClient page for Army users, or the following link for other military branches to find links to obtain a copy of ActivClient. Windows 7 (& 8) requires ActivClient version 6.2. If you have the Oberthur ID One 128 v5.5 Dual CAC, you'll also need to update ActivClient 6.2 (unless you are using Windows 7 Professional or Ultimate). 1. Verify that you have a fully PIV-II-compliant CAC. To determine if your card is compliant, check the card type printed on the back of your CAC (see examples above). If it shows "Gemalto TOP DL GX4 144" or "Oberthur ID One 128 v5.5 Dual" then the CAC is fully PIV-compliant. If the CAC is "Gemalto GCX4 72K DI" or "Oberthur ID One V5.2 Dual" there is a POSSIBILITY that it is PIV-II-compliant depending on when and where your CAC was issued. All I can recommend is try it and see what happens. All other card types are not PIV-II-compliant and cannot be used with Windows 7 without ActivClient. To definitively determine if your CAC is PIV-II-compliant, use the following directions ( remember, these directions assume you do NOT have ActivClient installed on your computer).NOTE: "Some" versions of Windows 7 (& 8) do not "cooperate" with the Oberthur ID One 128 v5.5 Dual CAC. The only fix I've found for this is to install ActivClient 6.2, then update it. NOTE: If you are using an SCR-331 CAC reader, please update your firmware before proceeding. FIRMWARE UPDATE
for
The firmware update "should" fix the following problems: A. Card reader is not recognized B. Shows up as "STCII Smart Card Reader" C. Shows up as "USB Smart Card Reader" (however, this is not always a problem) D. Does not read your new "Gemalto TOP DL GX4 144" or "Oberthur ID One 128 v5.5 Dual" CAC. E. Using your CAC with Windows 7 (& 8) without ActivClient
Installation Instructions
a. Install a CAC reader on your Windows 7 (& 8) computer. Verify the card reader is properly installed by checking that a reader is listed in the Device Manager under "Smart card readers". The Device Manager can be accessed by opening the Start menu, right-clicking Computer {which may be listed as a computer name}, and selecting: Properties, then Device Manager
Insert your CAC into the reader. Verify the card reader is successfully recognizing the CAC by checking that an "Identity Device" is listed in the Device Manager under "Smart cards" as shown below. If it is, your CAC may be PIV-II compliant.
If your CAC is not PIV-II-compliant, the smart card may or may not show up under "Other devices" as shown below:
b. Open Internet Explorer (IE). If you think your CAC is PIV-II compliant, go into IE, select Tools, Internet Options, Content (tab), Certificates (button). The Personal Tab should open by default. If your CAC is PIV-II-compliant, you should see 3 certificates issued to you by DoD as shown below: (Unless you had ActivClient already installed recently, they will show up as well)
Two of these certificates (the ones that have "EMAIL" in the "Issued By" field) are your standard DoD E-mail Signature and Encryption certificates. The third certificate is your PIV Identity certificate. This PIV Identity certificate is a different certificate than the DoD Identity certificate you normally see when using ActivClient. This should not impact your use on your personal computer. If your CAC is not PIV-II-compliant, no certificates will be listed in the Personal Tab. You will have to install the ActivClient 6.2 to use your CAC with Windows 7 (& 8).
2. Install the latest DoD Certificates 3. Add Outlook Web Access / Apps (OWA) address to your Trusted Sites (if you plan on using OWA). The OWA website must be listed as a trusted site in IE 9 (if you have a 64 bit version of Windows). It is also required for both 32 and 64 bit computers once IE 9 is installed. Without adding it, you will not be able to sign or encrypt / decrypt your email. Open IE 9 select Tools, Internet Options, Security. Select the Trusted Sites zone (green checkmark), then click on the Sites (button). Type the address for your OWA website [Examples can be found on the OWA page] in the box labeled "Add this website to the zone" and click Add. The site will be added to the list. Click Close and OK to exit the Internet Options window. 4. Access web sites and authenticate with your CAC certificates in IE. You will be prompted to select a certificate and enter your Personal Identification Number (PIN) as shown in the screenshots below. IMPORTANT: If you are accessing a web site that is linking back to your network account such as SharePoint or Outlook Web Access / Apps (OWA), you will need to select your E-mail certificate (the one that has "EMAIL" in the Issued By field) in order to authenticate. The PIV Identity certificate (the one that does NOT have "EMAIL" in the "Issued By" field) will not work with your Active Directory account. Your PIV Identity certificate can always be used to client authenticate to web sites that are not linking back to your network account. Those accessing Army Knowledge Online (AKO) will continue to use the non-Email certificate. Sites like the Air Force Portal and Navy Knowledge Online (NKO) usually use the Email certificate.
5. If you are having issues accessing a web site with your CAC, try the following guidance, then if still unsuccessful, visit the ActivClient page for Army users, or the following link for all other military branches to find links to obtain a copy of ActivClient to install on your computer. Once it awhile, you may need to do this: Open IE, select Tools, Internet Options, Content (tab), Certificates (button). The Personal Tab should open by default. For each of your certificates in the Personal tab, highlight the certificate and click the Advanced (button). From within the Advanced Options window select the checkbox for Client Authentication then click OK. (Remember, these settings are normally NOT required, but it has helped others).
To change your current CAC PIN [without ActivClient], you'll need to know your current PIN and then follow these steps: Information found at: http://www.microsoft.com/resources/sharedsource/troubleshoot.mspx
1. Insert your CAC in the CAC reader 2. Press <Ctrl> <Alt> <Delete> 3. Select Change password 4. Select Other Credentials 5. Select Smart Card 6. Enter your current PIN, then your new PIN twice |
||||||||||
If you have questions or suggestions for this site, contact Michael J. DanberryAre you interested in subscribing to the CACNews email list?
Last Update or Review: Sunday, 19 February 2012 16:50 hrs
The following domain
names all resolve to the same website: ChiefsCACSite.com,
CommonAccessCard.us, CommonAccessCard.info, ChiefGeek.us, MilitaryCAC.info,
MilitaryCAC.us, MilitaryCAC.org, MilitaryCAC.net, & MilitaryCAC.mobi
|
SCR-331
Reader
