
 

The Definitive Source for Everything CAC

Common Access Card help for your

Personal Computer


 

Also available at:

https://MilitaryCAC.com

 


 

 

PERSONAL IDENTITY VERIFICATION (PIV) ACTIVATION INFORMATION PAGE (including updating Email address on CAC)

 
Enterprise Webmail link:

https://web.mail.mil

    

Dual Persona users have to activate the PIV on each new CAC to be able to access their Enterprise Email account(s).

Accessing web.mail.mil requires the steps below and an existing DoD Enterprise Email address.

 

Windows Installation Steps

Step 1: Obtain a CAC Reader
Step 2: CAC Reader driver
Step 3: DoD Certificates
Step 4: ActivClient  (or Smart Card Manager)
Step 4a: Update ActivClient
Step 5: IE adjustments
Step 6: Select the PIV certificate when prompted

 

For example, you will select the U.S. Government PIV certificate, NOT the DOD EMAIL certificate.
[Image: PIV]

Windows 10 users will see this:
[Image: Windows 10 cert selection]

Mac users needing to use their PIV certificate need to select one of the non-Email certs and scroll down to verify the NT Principal Name.  It will be your 10 digit DoD ID # followed immediately by 121004 for MIL, 121002 for CIV, 121005 for CTR, or 121001 for NAF.  If you don't see this option, select the other non-Email certificate.  If you still don't see this option, then you may need to find a Windows computer and reactivate your PIV cert.
[Image: NTPrincipalName]


Mac Users - It is not possible to activate your PIV on Mac OS.  You need to find a Windows 7 computer (maybe at your unit), or virtualize Windows, and then follow the information on this page.

NOTE for Windows 10 users: I have been able to successfully activate PIVs using Windows 10, ActivID 7.1.0.153 with Internet Explorer running in 64 bit mode, and the latest 64 bit Java (Select: Windows Offline (64-bit)).

 

How to activate your PIV Certificate on your CAC on a Windows computer with ActivClient installed (preferably Windows 7 with ActivClient 6.2.0.119 (or higher)) or Windows 10 with ActivID 7.1.0.153

 

 

 

 

Question / Problem: How do I "add" a PIV certificate to my CAC so I can access my DoD Enterprise Email?

Technically, the PIV cert is already on your CAC but is hidden by default.  Since DMDC has classified you as a "Dual Persona" individual, you need to "expose" it.  (A Dual Persona is an Army Reserve [or Guard] Soldier who is [or has ever also been] a DoD civilian [or contractor] and is therefore authorized to carry two CACs at the same time.)  We have heard of people who were a contractor [or civilian] in the past [even if they left the job] and are still classified as dual persona.  This may be a reason why you cannot access your webmail.  If you want to verify this first, call the Army Enterprise Service Desk (866-335-2769) and have them check your status in DEPO.

Solution 1 (highest success rate) - Windows 7 computers with ActivClient 6.2.0.x & Java:  Read the notes below FIRST, then go to https://www.dmdc.osd.mil/self_service or https://dmdc.osd.mil/self_service and follow this guide:  https://www.dmdc.osd.mil/self_service/help/CAC_-_Activating_a_PIV_Authentication_Certificate.htm

Note: Some of the screens may look different, since DMDC has modified their webpage and not updated their guide.

NOTE2:  If you have problems while on the RAPIDS Self Service website, contact the DMDC help desk.

 

Some items NOT mentioned in the guide above: 

--You cannot use the same email address on both cards.  See error message.   Here's how to change your email address on your CAC.  This can also be used to add an email address to your CAC if you don't already have an email address on it.

--Your system needs to be all 32 bit or all 64 bit, which means:

 

 

64 bit Windows


NOTE: This process will NOT work with the built in Smart Card utility in Windows 10, 8.1, 8, or 7.  It requires ActivClient / ActivID on the computer.

 

-Internet Explorer 11: select Enable 64-bit processes for Enhanced Protected Mode* [in Internet Options, Advanced tab] to run IE in 64 bit mode.  By default, IE 11 runs in 32 bit mode.  More information can be read here.

 

-64 bit ActivClient 6.2.0.x with latest update (Windows 7 and below)

 

-64 bit ActivClient 7.0.2.x with latest update (Windows 8 and 8.1 users)

 

-64 bit ActivID 7.1.0.153 (Windows 10 users)

 

-64 bit Java installed, Select: Windows Offline (64-bit)


NOTE:  If using Java 7 Update 71 (or below), you have to change a Java security setting: go to Java (in Control Panel), click the Security tab, and move the arrow bar down to Medium.

 

NOTE2:  If you have a newer version of Java (above 7 Update 71) installed, you need to add 3 entries to:  Control Panel > Java > Security (tab) > Edit Site List:   https://pki.dmdc.osd.mil, https://www.dmdc.osd.mil, and https://idco.dmdc.osd.mil

 

Users with 64 bit Windows home computers have been successful using Waterfox to activate their PIV cert on a 64 bit Windows 7 computer.  Make sure you have Waterfox set up correctly to use your CAC first.  The items mentioned above about ActivClient and Java must still match your Windows operating system (64 bit) to work.

 

32 bit Windows

 

NOTE: This process will NOT work with the built in Smart Card utility in Windows 10, 8.1, 8, or 7.  It requires ActivClient / ActivID on the computer.

 

-32 bit ActivClient 6.2.0.x with latest update (Windows 7 and below)

 

-32 bit ActivClient 7.0.2.x with latest update (Windows 8 and 8.1)

 

-32 bit ActivID 7.1.0.153 (Windows 10 users)


-32 bit Internet Explorer (Start, All Programs, Internet Explorer).  Windows 8 users: do NOT use the IE from the tiles menu.

 

-32 bit Java installed

 

NOTE:  If using Java 7 Update 71 (or below), you have to change a Java security setting: go to Java (in Control Panel), click the Security tab, and move the arrow bar down to Medium.

 

NOTE2:  If you have a newer version of Java (above 7 Update 71) installed, you need to add 3 entries to:  Java > Configure Java > Security (tab) > Edit Site List: https://pki.dmdc.osd.mil, https://www.dmdc.osd.mil, and https://idco.dmdc.osd.mil

 

Users with 32 bit Windows home computers have been successful using Firefox to activate their PIV cert on a 32 bit Windows 7 computer.  Make sure you have Firefox set up correctly to use your CAC first.  The items mentioned above about ActivClient and Java must still match your Windows operating system (32 bit) to work.

**32 bit Windows users can also use Google Chrome.
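An added PowerShell example (not from the original page) that checks the "all 32 bit or all 64 bit" requirement above by reporting which registry view Java and ActivClient are registered in. Assumptions: PowerShell 3.0 or later, Oracle Java's usual JavaSoft registry key, registry-key presence used as a proxy for installed bitness, and hypothetical function names.

```powershell
# Registry paths to probe. The ActivClient path is the one quoted on this page;
# the Java path is where Oracle Java 7/8 registers itself (assumption for other builds).
$Components = @{
    'Java'        = 'SOFTWARE\JavaSoft\Java Runtime Environment'
    'ActivClient' = 'SOFTWARE\ActivIdentity\ActivClient'
}

function Test-KeyInView {
    param([string]$SubKey, [Microsoft.Win32.RegistryView]$View)
    # Open HKEY_LOCAL_MACHINE in an explicit 32 bit or 64 bit view, read-only.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($key) { $key.Dispose(); return $true }
        return $false
    } finally { $base.Dispose() }
}

function Get-BitnessReport {
    $os64   = [Environment]::Is64BitOperatingSystem
    $wanted = if ($os64) { '64 bit' } else { '32 bit' }
    foreach ($name in $Components.Keys) {
        # On 32 bit Windows there is only one view, so only probe Registry32 there.
        $in32 = Test-KeyInView $Components[$name] Registry32
        $in64 = $os64 -and (Test-KeyInView $Components[$name] Registry64)
        $found = @()
        if ($in64) { $found += '64 bit' }
        if ($in32) { $found += '32 bit' }
        [pscustomobject]@{
            Component = $name
            OS        = $wanted
            Installed = if ($found) { $found -join ' + ' } else { 'not found' }
            MatchesOS = $found -contains $wanted
        }
    }
}

Get-BitnessReport | Format-Table -AutoSize
```

A row with MatchesOS False points at the component to reinstall in the other bitness; the browser's bitness still has to be checked by hand as described above.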

 

 

ActivClient 6.2.0.x users (Windows 7):  Immediately after your PIV is activated, click Forget State for All Cards (twice), then Make Certificates available to Windows.

Here's how:  Double click ActivClient (the icon down by your clock in the lower right corner of your computer screen), then click Tools, Advanced, Forget State for all cards (ActivClient 6.2.0.x) OR Reset Optimization Cache (ActivClient 7.0.x.x).

-Once you've done this, click on Make Certificates available to Windows (ActivClient 6.2.0.x) OR remove, then reinsert CAC (ActivClient 7.0.x.x), (ActivID 7.1.x.x), or (ActivClient 6.2.0.x).  You "should" see 4 certificates.  If not, repeat Forget State for all cards, and then Make Certificates available to Windows again.

 

 

Non-Solution for Mac Users:  I have found no way for you to activate your PIV using a Mac.  The recommended method is to find a Windows 7, Vista, or XP computer and follow Solution 1 or 2 above.

 

 

Solution 2:  DMDC's Self Service website is working better now than it did originally for activating users' PIV authentication certificates.  This affects every person who holds the dual persona role(s).  You can manually configure ActivClient to expose your PIV cert on your computer (Windows 7, Vista, or XP with ActivClient 6.2.0.x installed).  This will have to be done on every computer on which you need to access your mail.mil email.  This solution negates the issue with DMDC's Self Service website to expose your certificate.


Here's how to expose your PIV cert via ActivClient using Windows 7

NOTE: If you use WAWF, DO NOT do this, you must activate your PIV above.

 -ActivClient 6.2.0.x users need to update to the latest version.  [You can ignore the need for restart here] 

-After you have installed the latest update, open ActivClient, Click Tools, Advanced, Configuration (requires elevated access on Government systems), scroll down [and click on] Smart Card, click line titled: Prefer GSC-IS over PIV EndPoint...  change the Yes to a No

-You will be prompted to restart the computer.  After the restart, every time you go to https://web.mail.mil you'll have to select the certificate that says PIV (NOT the Email certificate).  Government computer users will need to make sure they select the 10 digit certificate to log in to the computer, and the 16 digit certificate to check email.  If you select the 16 digit certificate during login, you will get a DoD visitor or Credentials cannot be verified error message.

--ActivClient 7.0.2.x users need to update to the latest version, then modify the following registry key for this option:  HKEY_LOCAL_MACHINE \ SOFTWARE \ ActivIdentity \ ActivClient \ Card Discover \ CardEdge \ DefaultCardEdge =1

--ActivClient update version of 7.0.2.308 and above show your PIV automatically.

--Another person had to modify this registry key instead:  HKEY_LOCAL_MACHINE \ SOFTWARE \ ActivIdentity \ SecurityModuleMW \ DiscoveryProvider \ CardEdge \ PIVIgnoredExtensions \ Value 1 (Right click modify (change to 0 from 1))  See image
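An added PowerShell example (not from the original page or from ActivIdentity) that applies the NT Principal Name rule described earlier (10 digit DoD ID followed by 121004, 121002, 121005 or 121001) and the 10 digit versus 16 digit distinction above to the certificates Windows can see. Assumptions: the function name Get-CacCertKind is hypothetical, the sample strings and IDs are constructed, and an English-locale Windows prints the name as "Principal Name=..." in the Subject Alternative Name.

```powershell
# Persona codes listed on this page (the 6 digits after the 10 digit DoD ID).
$PersonaCodes = @{ '121004' = 'MIL'; '121002' = 'CIV'; '121005' = 'CTR'; '121001' = 'NAF' }

function Get-CacCertKind {
    param([string]$SanText)
    # Assumption: English-locale Windows prints the UPN as "Principal Name=<value>".
    if ($SanText -notmatch 'Principal Name=(?<upn>[^\s,@]+)') {
        return [pscustomobject]@{ Upn = $null; Kind = 'no NT Principal Name' }
    }
    $upn = $Matches['upn']          # digits before any "@domain" part
    if ($upn -match '^\d{10}(?<code>\d{6})$') {
        $code = $Matches['code']
        $persona = if ($PersonaCodes.ContainsKey($code)) { $PersonaCodes[$code] }
                   else { "unlisted code $code" }
        return [pscustomobject]@{ Upn = $upn; Kind = "16 digit PIV ($persona)" }
    }
    if ($upn -match '^\d{10}$') {
        return [pscustomobject]@{ Upn = $upn; Kind = '10 digit (not the PIV certificate)' }
    }
    return [pscustomobject]@{ Upn = $upn; Kind = 'unrecognized format' }
}

# Constructed sample strings (made-up IDs) so the function can be tried without a CAC.
@(
    'Other Name:Principal Name=1234567890121004@mil',
    'Other Name:Principal Name=1234567890@mil, RFC822 Name=first.last@example.mil',
    'RFC822 Name=first.last@example.mil'
) | ForEach-Object { Get-CacCertKind -SanText $_ } | Format-Table -AutoSize

# With the CAC inserted: classify every certificate in the current user's store.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $text = if ($san) { $san.Format($false) } else { '' }
    Get-CacCertKind -SanText $text |
        Add-Member -NotePropertyName Subject -NotePropertyValue $cert.Subject -PassThru
} | Format-List
```

If no certificate is reported as 16 digit PIV, the PIV certificate has not been exposed to Windows on this computer.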

 

WAWF (Wide Area Work Flow) users:  When the Wide Area Workflow website updated and moved to CAC / certificate only logon, a Dual-Persona user who has the ActivClient setting changed will find out the WAWF website will not correctly read their DoD x.509 certificate and will therefore receive a 'No Certificates Found!' message.

If you are a Dual Persona and need to access both Enterprise Email and WAWF, you MUST undo the ActivClient setting (change back to YES) and activate your PIV certificate via the RAPIDS Self Service website.  After that, the WAWF website will correctly read your certificates and allow you to register your CAC.

 

 

 

Question:  What exactly is "Dual Persona?"

 

Answer:  The easiest way to explain is to give you an example:  an Army Reserve [or Guard] Soldier who is also a DoD civilian [or contractor] who is authorized [or required] to have / carry / use two separate CACs.  We have found people who were previously a contractor [or civilian] during the past three to five years [even if they left the job a year ago] are still classified as a Dual Persona in the eyes of DMDC and DISA.

 

Individuals that fall into this category HAVE to activate their PIV certificate to be able to access their email in the DoD Enterprise Email.  If you want to validate this prior to going through this process, call the Army Enterprise Service Desk-Worldwide at 866-335-2769 and select Enterprise Email.  Ask the agent to look in DEPO to verify if you are PIV AUTH.

 

 

 

NOTE:  Java 7 update 71 was the last version that had the ability to slide the Security bar to Medium.  This is needed for the DMDC Self Service (PIV activation) site to work, read more here.  You can update to the current version of Java once you activate your PIV cert.

 

Download Java 7 update 71 (64 bit) from MilitaryCAC or AKO

 

Download Java 7 update 71 (32 bit) from MilitaryCAC or AKO 

 

 If you have questions or suggestions for this site, contact Michael J. Danberry

Last Update or Review:  Saturday, 18 February 2017 23:45 hrs

 

The following domain names all resolve to the same website:  ChiefsCACSite.com, CommonAccessCard.us, CommonAccessCard.info, & ChiefGeek.us