Support Forum

I cannot access US Gov't Sites from home using my CAC; certs not seen by Firefox.

I cannot access US Gov't Sites from home using my CAC. With Internet Explorer, I am able to access US Gov't sites on mail.mil and us.af.mil. I have made my CAC certs available to Windows and even tried to export/import from IE to FF, but that does not work. In FF, the certificates dialogue box shows no personal certificates.

I recently switched to FF on both my home and US Gov't machines and at work I can access the gov't site without a problem, but I am on the .mil network there, so it's not a good comparison.

I am using Windows 7 Pro w/ Symantec Endpoint Protection and ZoneAlarm Firewall on an older Dell 64b machine. I use ActivClient SmartCard manager, and until now, I've not had a problem in years getting to CAC-enabled gov't websites.

Thanks

Additional system details

Installed plug-ins

Mate translate, FoxClocks, and Enhancer for YouTube

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0

FredMcD
  • Top 10 Contributor
4230 solutions 59027 answers

What is the exact error message?

There is security software like Avast, Kaspersky, BitDefender and ESET that intercepts secure connection certificates and sends its own.

  • https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
  • https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
  • https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
  • https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
  • Websites don't load - troubleshoot and fix error messages: https://support.mozilla.org/en-US/kb/websites-dont-load-troubleshoot-and-fix-errors?redirectlocale=en-US&redirectslug=Error+loading+web+sites
  • http://kb.mozillazine.org/Error_loading_websites

cor-el
  • Top 10 Contributor
  • Moderator
17424 solutions 157445 answers

Do you have the DoD certificates installed?

  • https://iase.disa.mil/pki-pke/getting_started/Pages/windows.aspx

Question owner

FredMcD said

What is the exact error message?

Thank you for your quick reply and I am sorry I did not answer sooner. I was following your leads as time allowed to try and solve the problem. The msg I get is:

"This application requires a valid client EMAIL certificate. Please check your client certificate settings and try again."

Basically, I have downloaded and installed InstallRoot 5.2 to my Win10, 64b machine and all certs are properly installed as far as I can tell. I have also installed ActivClient 6.2 and made all certs available to Windows. Lastly, I manually imported into Firefox the 6 DoD certs, "...Mozilla Rootx.p7b" that are used on my work machine.

The bottom line is that using IE 11, I can access all publicly available (i.e., not .mil restricted) U.S. Gov't websites, including the new cloud-based mail server, the timekeeping app, and the defense travel system. I cannot get to anything that requires a CAC using Firefox.

And this may be important. I have tracking protection turned on always, and I did have Accept Third Party Cookies only from Visited. That last was causing some issues, so I had to turn that back to Always.

And this may also matter. In IE, I can unblock pop-ups for whole domains, e.g., *.af.mil. FF will not let me do that (at least I can't figure out how) because it wants 'exact' URLs. This is a very real problem because I start with portal websites and enter the domain links from there, as in the pay website.

And finally, on a similar, but possibly not related note, FF was blocking some government sites and other non-dangerous until I turned off the Deceptive Content ... checks. Now I have that all turned off and I haven't any more issues with any links.

Again, thank you for your reply. Please don't be put off by my delay in response, I'm working this issue as I can. Your info was helpful and I will be grateful for any other ideas. I do NOT want to install Chrome on any machine of mine, but I may have no choice since IE is becoming a problem for some gov't links.

Cheers, SangerM


.edit: fixed post as it was as a quote and horizontal scrolling due to spaces before each sentence.

Modified by James

Question owner

cor-el said

Do you have the DoD certificates installed?

Cor-el, I posted a long answer to a prior answer, but I wanted to say thank you anyway directly. Your msg was a starting point for what I've been trying the past week. As described in my follow-up, I did what I could with certs, etc. But no joy.

Any further ideas will be appreciated.

Thank you again, SangerM

jscher2000
  • Top 10 Contributor
8642 solutions 70715 answers

If your Firefox at work was configured by the IT department, possibly they made a settings change which affects whether Firefox uses only its own certificate store or uses the Windows certificate store. This sometimes is a shortcut to importing certificates, but I don't know whether it would make a difference in this case. If you want to try it:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste enterp and pause while the list is filtered

(3) Double-click the security.enterprise_roots.enabled preference to switch the value from false to true

cor-el
  • Top 10 Contributor
  • Moderator
17424 solutions 157445 answers

If you create an exception for af.mil (https://af.mil) then this should include all sub domains, so you need to omit the '*' wildcard character in Firefox.

Question owner

cor-el said

If you create an exception for af.mil (https://af.mil) then this should include all sub domains, so you need to omit the '*' wildcard character in Firefox.

Thank you! I should have guessed as much... Too much time doing things one way. I appreciate that.

Question owner

jscher2000 said

If your Firefox at work was configured by the IT department, possibly they made a settings change which affects whether Firefox uses only its own certificate store or uses the Windows certificate store. This sometimes is a shortcut to importing certificates, but I don't know whether it would make a difference in this case. If you want to try it: (1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk. (2) In the search box above the list, type or paste enterp and pause while the list is filtered (3) Double-click the security.enterprise_roots.enabled preference to switch the value from false to true

-- I tried that and saw no difference. Interestingly, I get different error msgs from different US gov't sites. One msg for several sites says, "Secure Connection Failed", a different site (for webmail) reports, "Your connection is not secure." I tried making an exception for the sites using the advanced option, but still no joy. (also, the problem is the same on both my Win10Pro 64b machine and my older Win7Pro 64b machine).

-- Also, when I check the certificates stores, it shows no certs under "Your Certificates", but it shows four different certs for me under "People."

-- Anyway, this has moved into the too hard, not worth pursuing anymore column for me. IE still works well enough w/ most gov't sites, and although FF is faster, cleaner, and a lot more user-friendly (so far), I should not be having to work this hard to do something I've been doing with relative ease for the past 10 years at least.

-- Thanks all for the help and suggestions, but I just don't have time to be a software beta tester anymore. Sorry.

Regards, SangerM.

cor-el
  • Top 10 Contributor
  • Moderator
17424 solutions 157445 answers

The DoD certificates would appear under Authorities. Is the CAC reader recognized and enabled (logged on) if you check this in the security device manager?

  • Options/Preferences -> Privacy & Security
    Certificates: Security Devices
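
An added example (not part of any post in this thread, and not Mozilla's code): a Python check of a Firefox profile folder for the two things asked about above, whether security.enterprise_roots.enabled has been switched on and whether any external PKCS#11 security device is registered. It assumes the profile keeps user-set prefs in prefs.js and its module list in pkcs11.txt; the middleware name and DLL path in the sample are constructed.

```python
import re
from pathlib import Path

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

def read_pref(profile: Path, name: str):
    """Raw value of a user-set pref in prefs.js, or None if it is at its default."""
    prefs = profile / "prefs.js"
    if not prefs.exists():
        return None
    for line in prefs.read_text(encoding="utf-8", errors="replace").splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1) == name:
            return m.group(2).strip()
    return None

def external_modules(profile: Path):
    """(name, library) for each pkcs11.txt stanza that names a library file.
    The built-in NSS software module has an empty library= line and is skipped."""
    path = profile / "pkcs11.txt"
    if not path.exists():
        return []
    found = []
    for stanza in re.split(r"\n\s*\n", path.read_text(encoding="utf-8", errors="replace")):
        fields = dict(l.split("=", 1) for l in stanza.splitlines() if "=" in l)
        library = fields.get("library", "").strip()
        if library:
            found.append((fields.get("name", "").strip(), library))
    return found

def diagnose(profile: Path):
    """Summarise the root-store pref and the registered smart card modules."""
    return {
        "enterprise_roots": read_pref(profile, "security.enterprise_roots.enabled") == "true",
        "smartcard_modules": external_modules(profile),
    }

def make_sample_profile(profile: Path, with_module: bool):
    """Write a constructed prefs.js / pkcs11.txt pair (not taken from a real machine)."""
    (profile / "prefs.js").write_text(
        'user_pref("security.enterprise_roots.enabled", true);\n', encoding="utf-8")
    text = "library=\nname=NSS Internal PKCS #11 Module\nNSS=Flags=internal,critical\n"
    if with_module:  # hypothetical middleware name and path
        text += "\nlibrary=C:\\ExampleVendor\\example-pkcs11.dll\nname=Example CAC Middleware\n"
    (profile / "pkcs11.txt").write_text(text, encoding="utf-8")
```

Run `diagnose()` on the home and work profile folders and compare the results; an empty `smartcard_modules` list means no card middleware is registered in that profile, whatever the enterprise roots pref says.
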
jscher2000
  • Top 10 Contributor
8642 solutions 70715 answers

If you decide to try again, compare your settings in the Certificate Manager on the work machine to see whether that provides any insights.