How To Set up Windows 7/8/10 For CAC use on Government Websites

Hello everybody, and welcome to how to set up your computer for use with government websites. All of the following steps are necessary for Windows 7, 8 and 10 users. Now, there are a few specific variances between Windows 7 and Windows 10 that need to be addressed, but we will get to that later on in the video. Now, if you have already gone to MilitaryCAC.com and followed some of the steps on there, I ask that you do every single step in this video just as I do it, regardless if you have already done it before. There are certain steps that everyone tends to skip while going through this process, and if you skip through the video there's a good chance that you may miss that step and you will not be able to get your computer to work.

Now, that being said, we will be using MilitaryCAC.com as a guide. There are some Windows 10 Anniversary Edition specific settings that we need to address later on in the video, but I ask that you do not skip to those steps, because all of the things we will be doing in the beginning of this video are absolutely necessary for you to be able to log on anyways. Now, the first thing we need to do is go to MilitaryCAC.com. Now, I would put a link in the description below for a direct download for the DoD certificates, but as the military updates their certificate stores, the link I would put in the description would be invalid. So it would be a very good idea every few months to go to MilitaryCAC.com, go to step 3, DoD certificates, and then make sure you have the newest version of InstallRoot, 5.0.1 or whatever version number it is at the time. Just a few months ago it was 5.0 0.0, and every few months they will release new certificates, maybe a few years. We always want to make sure you have the newest version installed.

Now, when I need to download the newest InstallRoot, I always choose the DISA link. They are the ones that actually distribute the new certificates, so I always choose that link. So what we're going to do is we're just going to right-click DISA, Save target as, and the download should begin. We're just going to go ahead and save it to our desktop so it's easy to get. Let's go ahead and download that. Now, once it's done downloading, we're going to go ahead and run the program.

Once this screen pops up, you're just going to click Next. I'm going to click Next again, Next, you're basically going to click Next to everything and then Install. Now, once we have installed it, we're going to get this pop-up to run InstallRoot. Go ahead and minimize this. If you get any of these certificate pop-ups, you're going to click Yes to all of them. You can go ahead and get rid of these instructions, as I'm going to show you how to use it anyways, and exit out of that if that pops up. Now, the only thing you want to do in here is check the Restart as Administrator, so we're going to click Yes to that prompt, click Yes to this prompt, and now it has restarted as administrator, which we're going to click Yes to that certificate store. We're going to exit out of the Quick Start Guide again, and the only button in here you need to click is the Install Certificates button. Now you're going to get a few pop-ups. Sometimes you will get a few pop-ups that you'll just click OK to, and then you will get this certificate action summary. This verifies that it added 43 of 43 certificates. You can go ahead and just click OK to that.

Once that is completed, you can go ahead and close out of InstallRoot. You're not going to need it any more. You're going to click Yes to save, and then you're done with the easiest step. Now that that's completed, we're going to go back to MilitaryCAC.com. This is the same page that we were just on to download the DoD root certificates. You're going to go down the page, past where it shows you exactly how to run the program, and then we're going to go down here to "proceed to step 4, install ActivClient". We're not going to do that right now. What we're going to do first is run the Cross Cert Removal Tool. We're going to go ahead and go to the next page. We're going to choose the MilitaryCAC version. Actually, we'll choose the DISA one so we can do the same thing: Save target as, you're going to download it to your desktop so it's easy to access. I'm going to go ahead and open the folder. Let me go ahead and drag the screen back over here. Now, when you open the folder you're going to have two files in here. Go ahead and just highlight those. Because they're in a compressed folder, you're going to drag these onto your desktop, and you can go ahead and close out of the zip file.

Now you're going to need to run the one that actually says exe on it, which is this one, the .exe, so you can double-click that and you'll get this. Now all you have to do is hit Enter, Enter again, and then it will automatically close. Now, theoretically this should remove all of the bad certificates from your computer, but we're going to double check just to make sure. Now, this is where things are going to get a little bit different depending on if you are on Windows 10 or not. We need to open up Internet Explorer. Now, on Windows 10 we automatically always use Edge, so to open up Internet Explorer you need to open up a web page and go to the three dots on the top right corner over here, and then you will see the option to Open with Internet Explorer.

Now, if you guys are on Windows 7 or Windows 8, just go ahead and open up Internet Explorer and we'll be good to go. You can go ahead and close out of your Edge browser now. We're not going to need that anymore, and then you can go ahead and do that. Now, what I like to do for Internet Explorer is I like to pin it to my taskbar, because we're going to need it a lot here in the future and I don't want you to waste a whole bunch of time having to reopen that. Now, to verify that we have the proper certificates installed and the correct certificates removed from the computer, we need to go into our internet options. To do that, we're going to go to the gear icon on the top right corner, and then we're going to click Internet options. Now, I want to minimize this a little bit so that you guys don't have a blinding white screen in your face. I'm going to go to internet options and we're going to drag this over here. Now, the first thing I want to do is go to the General tab, which you should open up to, and then we're going to delete our browsing history. This is something that we need to do anyway, so I'm just going to get it out of the way now. So let's go ahead and make sure you have Preserve Favorites, Temporary Internet files, Cookies and website data, and History all checked, and then just go ahead and click Delete.

Now, the next thing we need to do is we need to go to the Content tab, and then we're going to click Clear SSL state, and then we're going to click OK. Now, this is a very important button. Anytime you have a failed login attempt to, say, AKO, JKO, NKO or enterprise email, you're going to want to go into your internet options and then click Clear SSL state. This will allow you to have a fresh login attempt once we figure out exactly what settings are incorrect or if you selected the wrong certificate. Now, if you ever do have a failed login attempt from selecting the wrong certificate, you're going to want to go into your internet options and then go to the Content tab and then click Clear SSL state. After you do this, you're going to need to close all of your web browsers: every single tab, every single browser that you have open. Regardless if it's Chrome, Internet Explorer, Firefox, you need to close them all, and then you can try again with a fresh login attempt.

Now that we've gotten that out of the way, we need to click the Certificates button. The first thing we're going to do on this is verify that we have all of our personal certificates. You should have three certificates in here: the two DoD emails and one DoD ID CA. The only time this will vary is if you are a dual persona, which means you currently have, or have had at one time, two CAC cards at the same time. Now, if you are a dual persona and you're trying to access your enterprise email, you will need to load your PIV certificate before you're actually able to log in via the online web app. Now, loading the PIV certificate is a completely different animal than what we're trying to accomplish in this video. I may make a video specifically for that in the future, but for the purposes of this video we're going to continue on with the three certificates that we have currently.

Now, if you have more than three certificates, you may have duplicates. You may have other users on your computer as well. We want to remove all of them, so we want to make sure that you just have the three that you currently need. Or, if you are dual persona and you do already have four certificates on your computer and you have other users as well, do not remove them, because sometimes it is a pain to get the PIV certificate back onto the computer if you are using Windows 10. Now, if you do have duplicates, you can go ahead and just highlight all of these certificates in your window. To do that, you're going to need to scroll below all the certificates that you have, click on the white space and drag up or drag across, and you'll be able to just click Remove. Now, if you do have just the three certificates you need, you don't need to do this. I'm just showing you that it is okay to do that. And then to reload your certs, all I got to do is just close out of everything, close out of your web browser, and then take out your CAC card, reinsert it, and your certificates will be reloaded. So we can just go ahead and (I don't know why I opened Edge) open up Internet Explorer, go back into our internet options, go to the Content tab, Certificates, and our three certificates will be loaded back in.

Now that we've verified that our certificates are loading, we can go ahead and go to the Intermediate Certification Authorities tab. Now, this is where we're going to verify that we have all the certificates necessary to access government websites, and all of the certificates that we need to have removed, removed. So you're going to want to verify that you have all of these DoD CAs. It should start from 27; it may start lower or higher depending on what you have. But if you go back to the Personal tab, you really just need to make sure you have the 33 series in there. But we're just going to verify we've got all the ones that we need, which is 27 through 32, and then you're going to hit DoD emails, which should be 27 through 44. There we go. And we have the rest of our DoD ID CAs, which is 33 through 44, and then we'll have the SWs, which is 35 through 48. Now, this is why I always double check after running the Cross Cert Removal Tool, because it does not always remove the certs like it's supposed to. This is actually one of the certificates that we need removed, which is DoD Interoperability Root CA 1. If you do see this certificate, you need to remove it. So we're going to go ahead and click Yes to that prompt, and then we're going to look for a couple other certs as well. We need to look for SHA-1 Federal Root CA, which I do not see. We have a Root CA. There's that one right there.

So if you see SHA-1 Federal Root CA, you can go ahead and remove that one as well. I'll let you guys look at that for a second: SHA-1 Federal Root CA. You also see Federal Common Policy on the other side of it. Go ahead and remove that, and then we're going to go ahead and look for more certs. These will most likely be two of each of the SHA-1s, which I believe we already removed both of those, and then there may be another Federal Common Policy or a DoD Interoperability. If you see multiples of those, go ahead and remove them. As far as my computer, we do not have any more of the bad certificates on there. So once you have verified that you have both SHA-1s removed and both DoD Interoperability roots removed, you may also find an Entrust or a Federal, or another Federal Common Policy. Go ahead and just remove those if you do see them. I'll show you exactly which ones you need to have removed.

Now, here is the full list of certificates that you need to make sure are not in that Intermediate Certification Authorities tab. You need to make sure the Common Policies are removed, the Entrust, which will have the issued by from Common Policy or Entrust, and then possibly a VeriSign digital ID certificate with the date expired. Now, I'm going to leave this up here for a second so you guys can review this and make sure you do not have any of these certificates in that Intermediate Certification Authorities tab. Now that we have verified we have all the correct certificates installed and all of the bad certificates removed, we can go ahead and close out of this certificates window. After closing out of the certificates window, we're going to go ahead and go to the Connections tab.

Once you're on the Connections tab, you can go ahead and click on LAN settings and then verify that you have none of these boxes checked. If you have Automatically detect settings checked, uncheck it and then click OK. Once you have that done, you can go ahead and go to the Security tab. On the Security tab, you're going to want to click on Trusted sites, and then you need to verify that the slider is set to Medium. If it says custom level in here, all you need to do is click on Default level and it should automatically set up your computer to be set to Medium. Once you have verified that your slider is set to Medium, there are a few things later on in here that we may need to edit, but for now we're going to leave our trusted sites alone.

On some computers you're going to need to make sure that you do not have any .mil websites added to this website zone, but we will get to that later on if we do encounter an error when trying to log in. Now we are going to go ahead and go to the Advanced tab. Inside of the Advanced tab, you're going to see this Browsing section. Within the Browsing section, the ninth option down, or the third asterisk down, you will see Enable third-party browser extensions. You need to make sure this is not checked. If it is checked, uncheck it. Once you have done that, we're going to go down all the way down to the bottom, and you should see a few different options down here. On most computers you will see Use SSL 2.0 and 3.0, and then TLS 1.0, 1.1 and 1.2. Now, these settings we need to have selected in this field will vary depending if you are on Windows 7, Windows 8 or Windows 10, or even Windows 10 Anniversary Edition.

Now, we're going to go ahead and get the Windows 10 Anniversary Edition settings out of the way now, because it is very easy to tell from the screen if you are using the Windows 10 Anniversary Edition. Now, if you do not see a Use SSL 2.0, that means you are using the Windows 10 Anniversary Edition or a more secure version of Windows. So we're going to go ahead and make sure we have Use SSL 3.0 checked and Use TLS 1.0 checked. Now we're going to uncheck 1.1 and 1.2. Now, these specific settings are only if you do not have a Use SSL 2.0 as an option. Now, having your SSL and TLS selected just like this may be an option if none of the variations we do after this work to get you logged in, so just remember that this is also an option later on down the road.

Now, for those of you that do have the Use SSL 2.0 option, we're going to select a couple of different settings. Now, these settings may apply to the people who do not have the Use SSL 2.0 in the future, but for now, for the people that do not have the Use SSL 2.0 feature, you're going to keep these settings. You may need to change these later on down the road if you encounter an error, in which case you will then follow these settings that I'm using after this. But for those of you that currently do have the Use SSL 2.0 option, you're going to use these. You're going to make sure you uncheck Use SSL 3.0, and then you're going to make sure you have TLS 1.0 checked, TLS 1.1 checked and TLS 1.2 checked. These are the basic settings you want to start with on all computers. Now, they may not always work. There may be a variation in these that we have to mess around with just to make sure that your computer is happy with the settings, but for now we're going to go ahead and give this a shot. So you're going to click Apply and then you're going to click OK.

Now we can go ahead and log in to AKO. Now, I do not recommend going to AKO from Google or using a favorites button. I always recommend, when troubleshooting, to actually type it in. Not to mention there are fake websites that you can go to from Google, so I do not recommend doing that. I always recommend typing it in. If you do not know the web address, it is HTTP colon forward slash forward slash www.us.army.mil. It should take you to the DoD consent banner, which you have to click Accept to. If you're using a favorites tab where you do not click the Accept, it may not work, so I always recommend going to the main page and clicking Accept. Once you're here, you're going to make sure you select the CAC or PIV PIN, and then you're going to go ahead and click Sign in, and we're going to confirm our certificates. Now, we need to make sure we select our DoD ID CA certificate. If this says email, you do not want to select it. You need to make sure you select your DoD ID certificate.

After we select that, we should be able to log in. We'll verify here in a second. We're going to type in our PIN number and we should be good to go. We may get a page cannot be displayed error, where we will have to edit our TLS and SSL settings, but as you can see, I was able to log in just fine. Now, if you did get a page cannot be displayed error, I will show you the variation in settings that we need to change when we try to log into the OWA.

To log into your enterprise email via the online web app, we're going to go ahead and just type in the web address for the OWA. Now, you could just click the email button here if you have that, but that may disappear in the future, so I'm not going to use that as the route. We're just going to go ahead and type in the HTTP colon forward slash forward slash web mail dot mil, which should take us to the USG consent banner, where we're going to go ahead and click OK, and then you're going to make sure you select your DoD email certificate. Now, if you are a dual persona and you have a PIV, you will have two DoD ID CAs pop up, and you'll need to make sure you select your PIV certificate. It should say PIV on the certificate, but if it does not, you will know you selected the wrong one when you get an F5 error. Now, if you do get the F5 error, you will need to clear your SSL state and then try the other certificate. But for now we're just going to go ahead and select our email certificate, and then we're going to click OK. We're going to type in our PIN number when it prompts us, and then we should get brought to a page with another link on it. Now, there may be an instance where we see the page cannot be displayed error, which means we will have to change our TLS and SSL settings, but I did not get it, thankfully. Now we're going to go ahead and click the link there to bring us back to the USG consent banner. We're going to go ahead and log in again. I'm going to type in our PIN number again, and then it should bring us actually into our online web app, where we'll be able to view all of our emails. And there we go.

Now, if you did receive an error when trying to log into your enterprise email, whether that's a page cannot be displayed error or an F5 error, then I'll show you the steps you need to do to remedy that issue. Now, if you did get an F5 error, you need to clear your SSL state, because it means you selected the wrong certificate, or you're a dual persona and you need to have your PIV certificate loaded. Regardless if you did get the F5 error or the page cannot be displayed error, you need to click your Clear SSL state button before we continue. Now, if you did get the F5 error, you need to go ahead and try and log back in and make sure you select your email certificate, or if you have a PIV certificate, you need to select your PIV certificate. If you are able to log in at that point, then you should be good to go.

Now, if you did get a page cannot be displayed error, you're going to go ahead and follow the next steps. What we can go ahead and do now, if you got the page cannot be displayed error: we're going to go to the Advanced tab, then you're going to scroll all the way down to the bottom, and you're going to change these settings. You're going to go ahead and check SSL 3.0, you're going to click Apply, and then you're going to click OK, and you're going to go back to HTTP colon forward slash forward slash webmail dot mil, and then you're going to go ahead and go through the login process again. This may work for me with these settings, we'll see. I may now get the page cannot be displayed error, but we'll find out here in just a second. Now, if you're able to log in with these current settings, then you should be good to go. It looks like I'm going to actually be able to log in with these settings as well, so let's hope that that is the case. Now, if you get a page cannot be displayed error at any point in time, I will show you another variation in settings that you can use. Looks like I was able to log in this time, so I'm going to go ahead and sign out, Close the window, Yes, and then we're going to go ahead and try again.

Now, if you did get the page cannot be displayed error again, you're going to go back to your internet options, you're going to go to the Advanced tab, and you're going to scroll all the way down to the bottom, and you're going to turn off TLS 1.1 and 1.2. Now, these are back to the settings that we originally set up for the Windows 10 Anniversary Edition users. So you're going to go ahead and click Apply and then click OK. Now you're going to go ahead and go to the military, or to the OWA again, which is HTTP colon forward slash forward slash webmail dot mil. Now, I will also show you why you do not go to it from Google, if I can do that. See, now, if you do it from Bing or Google and then you try and click the first one, which looks like the right website, you're going to automatically get this page cannot be displayed error, which is what a lot of people do. So if that happens, you just need to make sure you actually go to the website and try and log in.

Alright, now that we've got those settings, we're going to go ahead and go and try and log in again. Now, since I do have all the bad certificates, any of these settings will most likely work for me. I also do not have any firewall or antivirus preventing me from being able to access any websites. If that is the case, I'm not going to be able to help you set up your firewall or antivirus. Please do not ask me to; I will not do it. But any of these settings should be able to get you to log in. You just have to figure out which ones your computer is happy with. It looks like all of these are working for me currently.

Now, if you are still experiencing the page cannot be displayed error when you try and log in to your enterprise email, or you are not able to select the correct certificates, and you are on Windows 7 or Windows 10, we may need to do one of these two steps. If you're on Windows 7, you're going to need to download ActivClient, which I'll show you how to do in a second. But if you are on Windows 10, we're going to go ahead and go to the "how to use your CAC with Windows 10" link. We're going to scroll down and we're going to see solution number two, Smart Card Manager. We're going to go ahead and click the Smart Card Manager download. We're going to go ahead and select Run, and it's going to go ahead and open after it downloads. We're going to go ahead and click Yes to that prompt. The screen may have blacked out; that was just the administrator prompt. You click Yes to it, and then you're going to go ahead and click Next, Next, I Agree, Next, Install. You're going to let it install wherever it wants to. It's just going to go through the whole process. You're going to see a couple screens flash up; that's fine. You'll be prompted with Next again. Once this is done, we're going to go ahead and click Next, and then we're going to make sure that the Register certificates now is selected. We're going to go ahead and click Finish.

You're going to need to enter your PIN number. The code is going to go through there, and you're going to press any key to continue, and then you will be done. Now we're going to go ahead and try and log back into the OWA. If you're on Windows 10 and you've completed these steps, let's go ahead and log back in again. You can do web mail dot mil, and we're going to go ahead and log in again. Now you'll see that these certificate selections are a little bit different, so we're going to go ahead and just make sure once again that you select your email certificate. If you are a dual persona, you will select your PIV certificate, which will be one of these two ID CAs.

I'm not a dual persona, so I'm going to select my email cert, and you're going to go through the same process as before. I'm going to click... type in your PIN number, you'll get prompted to click this link, and then you'll go ahead and log in again. We know that I can log in already, so I'm not going to go ahead and do that.

Now, at this point you should be able to log in. If you still get the page cannot be displayed error with the Smart Card Manager installed, you're going to need to go ahead and go to the Advanced tab and then just change these settings and mess around with them, back to the settings that we were using before, because sometimes the Smart Card Manager, as you can see, will change the settings, which is what happened to me here, even though I can still log in with these settings. Let's just verify that real quick. And I'm able to log in, so let's go ahead and just sign out of there real quick: Close window, Yes. But as you can see, the Smart Card Manager did edit the settings in the Advanced tab. We want to make sure that the Enable third-party browser extensions is still unchecked, and we'll scroll down, and then you're going to want to mess with these settings again. So you can just go back to that point in the video where I walk through all the different variations and settings you can use to log in, and you'll just pick one of those settings, and one of those settings should work.

Now, for the Windows 7 users, you may have to download ActivClient, which we'll go ahead and do now. So you're just going to go to the MilitaryCAC homepage, and then you're going to click on step four, ActivClient. Now, if you are Army, Air Force, this will all work for you, but you select your branch. We are going to go ahead and do the Army one, and then down here you will see Windows 7 and 8 users. If you have a Gemalto CAC, these are some of the settings you'll have to go through. Most people should not have these CAC cards anymore, but if you do have these CAC cards, you may experience the page cannot be displayed error, and just go ahead and just follow the guide for that. For "read more about older CACs", you can go ahead and do that. But for Windows 7, we're just going to go ahead and go down here. If you have 7 64-bit or 32-bit, you select the link that you need. We're going to go ahead and do the 64-bit. We're going to log in to AKO, make sure you select the CAC or PIV PIN, and then go ahead and log in with your DoD ID certs.

And once we log in, we should be prompted to the download page. You're just going to go ahead and click the checkbox and then click Download. We're going to go ahead and click Download again, and the download should begin. Now, I cannot install this on Windows 10. If you do install ActivClient on Windows 10, it will break everything and you need to uninstall it. You will not be able to log in to AKO or enterprise email with the actual ActivClient installed. I'll go ahead and open it up, and basically all you do is you just click Next to everything and let it install where it wants to. You're going to have to restart your computer, and then you should be able to log in. You may have to edit the TLS and SSL settings; you may have to try all the variations we tried earlier in the video. But pretty much just install this and then try and log in, and you should be good to go.

Now, at this point, if you are still having trouble and you're on Windows 7 or Windows 10, and you have already installed ActivClient or Smart Card Manager and tried all the different variations for the TLS and SSL settings, and made sure that you actually went into your internet options, went to the Content tab, Clear SSL state, in between each attempt, and you've closed all of your web browsers in between each attempt, because the settings do not save until you close the web browser, then you can go ahead and do the following step.

You can go ahead and open up your internet options, then you're going to go to the Security tab, you're going to click on Trusted sites, then you're going to click on Sites, and then you can add this website to the Trusted sites zone. You're going to type in HTTP colon forward slash forward slash asterisk dot mail dot mil. Go ahead and add that to the websites field. This is a placeholder for all of the OWA pods that will allow you to log into them. So you go ahead and close out of that, and you're going to click OK. You're going to close out of all of the web browsers, you're going to reopen Internet Explorer, and you're going to go ahead and try and log back into the OWA, which is web mail dot mil. Do not try and Google it; it doesn't work. And then we're going to click OK.

This may prevent me from being able to log in. We'll find out in a second. I'm going to go ahead and click the link, click that again, and we should be good to go. Now, in some cases... we don't add that earlier in the video because sometimes that will actually break it and will not allow you to log in. That's why I do it as a last attempt at the end.

Now, if you are still having issues logging in after this, that means you probably have a firewall or antivirus issue, or you had messed with the settings before we started all of this and messed something up that we have not fixed. So if you're still having issues, you're going to need to go into your internet options, you're going to need to go to the Advanced tab, you're going to click the Restore advanced settings, and then you're going to click the Reset button as well. You're going to restart your computer, and then you are going to start from scratch. You're going to do every single step over again. Make sure you do not skip a single step, and then you should be good to go. Now, if you still have issues, you can go ahead and leave a comment with questions and I'll try and get back to them as soon as I can. But as long as you do all of these steps just like I did (I set this computer up from scratch), you should be good to go. But if you guys do have further issues, go ahead and leave a comment below, and make sure that you verify that nobody else has asked the question already, because I'd like to keep the comments to a minimum if possible. That way people who are currently having issues can view the comments easier. Now, I hope this video did help you guys get logged in. If you did like the video, don't forget to hit that like button.

Now, if some of you are still having trouble logging in after doing all these steps, resetting your advanced settings, resetting this, and you've gone through all the steps again exactly how I have gone through them, go ahead and leave a comment below with the exact error that you've gone through, and we may be able to find a different issue. But it most likely is your firewall or antivirus. I cannot advise on that at all, I am sorry. But go ahead and leave any questions you have in the comments below. Verify that nobody else has asked the same question, that I have not responded to it already, so that way anyone who is having issues is able to view any possible remedies quickly.

Now, last but not least, any time your computer goes through a major update, all of these settings may be reset and you may not be able to access AKO or enterprise email again, so that means you're going to have to do all of these steps over again. Now, if you do end up having to do these steps over again, I highly recommend doing the Restore advanced settings and then resetting your Internet Explorer settings, and then just going through all these steps again and updating your DoD certificates. You're going to have to make sure those are up to date every few months. But otherwise, I hope this video helped you guys out, and if you did like the video, just go ahead and hit that like button so that hopefully other people will be able to view this video as well. And I hope you guys have a great day. Bye.