I cannot access US Gov't Sites from home using my CAC; certs not seen by Firefox.
I cannot access US Gov't Sites from home using my CAC. With Internet Explorer, I am able to access US Gov't sites on mail.mil and us.af.mil. I have made my CAC certs available to Windows and even tried to export/import from IE to FF, but that does not work. In FF, the certificates dialogue box shows no personal certificates.
I recently switched to FF on both my home and US Gov't machines and at work I can access the gov't site without a problem, but I am on the .mil network there, so it's not a good comparison.
I am using Windows 7 Pro w/ Symantec Endpoint Protection and ZoneAlarm Firewall on an older Dell 64b machine. I use ActivClient SmartCard manager, and until now, I've not had a problem in years getting to CAC-enabled gov't websites.
Thanks
All Replies (10)
What is the exact error message?
There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connection certificates and send their own.
https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
Do you have the DoD certificates installed?
FredMcD said
What is the exact error message?
Thank you for your quick reply and I am sorry I did not answer sooner. I was following your leads as time allowed to try and solve the problem. The msg I get is:
"This application requires a valid client EMAIL certificate. Please check your client certificate settings and try again."
Basically, I have downloaded and installed InstallRoot 5.2 to my Win10, 64b machine and all certs are properly installed as far as I can tell. I have also installed ActivClient 6.2 and made all certs available to Windows. Lastly, I manually imported into Firefox the 6 DoD certs, "...Mozilla Rootx.p7b" that are used on my work machine.
The bottom line is that using IE 11, I can access all publicly available (i.e., not .mil restricted) U.S. Gov't websites, including the new cloud-based mail server, the timekeeping app, and the defense travel system. I cannot get to anything that requires a CAC using Firefox.
And this may be important. I have tracking protection turned on always, and I did have Accept Third Party Cookies only from Visited. That last was causing some issues, so I had to turn that back to Always.
And this may also matter. In IE, I can unblock pop-ups for whole domains, e.g., *.af.mil. FF will not let me do that (at least I can't figure out how) because it wants 'exact' URLs. This is a very real problem because I start with portal websites and enter the domain links from there, as in the pay website.
And finally, on a similar, but possibly not related note, FF was blocking some government sites and other non-dangerous sites until I turned off the Deceptive Content ... checks. Now I have that all turned off and I haven't any more issues with any links.
Again, thank you for your reply. Please don't be put off by my delay in response, I'm working this issue as I can. Your info was helpful and I will be grateful for any other ideas. I do NOT want to install Chrome on any machine of mine, but I may have no choice since IE is becoming a problem for some gov't links.
Cheers, SangerM
.edit: fixed post as it was as a quote and horizontal scrolling due to spaces before each sentence.
Modified
cor-el said
Do you have the DoD certificates installed?
Cor-el, I posted a long answer to a prior answer, but I wanted to say thank you anyway directly. Your msg was a starting point for what I've been trying the past week. As described in my follow-up, I did what I could with certs, etc. But no joy.
Any further ideas will be appreciated.
Thank you again, SangerM
If your Firefox at work was configured by the IT department, possibly they made a settings change which affects whether Firefox uses only its own certificate store or uses the Windows certificate store. This sometimes is a shortcut to importing certificates, but I don't know whether it would make a difference in this case. If you want to try it:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.
(2) In the search box above the list, type or paste enterp and pause while the list is filtered.
(3) Double-click the security.enterprise_roots.enabled preference to switch the value from false to true
If you create an exception for af.mil (https://af.mil) then this should include all sub domains, so you need to omit the '*' wildcard character in Firefox.
cor-el said
If you create an exception for af.mil (https://af.mil) then this should include all sub domains, so you need to omit the '*' wildcard character in Firefox.
Thank you! I should have guessed as much... Too much time doing things one way. I appreciate that.
jscher2000 said
If your Firefox at work was configured by the IT department, possibly they made a settings change which affects whether Firefox uses only its own certificate store or uses the Windows certificate store. This sometimes is a shortcut to importing certificates, but I don't know whether it would make a difference in this case. If you want to try it:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.
(2) In the search box above the list, type or paste enterp and pause while the list is filtered.
(3) Double-click the security.enterprise_roots.enabled preference to switch the value from false to true
-- I tried that and saw no difference. Interestingly, I get different error msgs from different US gov't sites. One msg for several sites says, "Secure Connection Failed", a different site (for webmail) reports, "Your connection is not secure." I tried making an exception for the sites using the advanced option, but still no joy. (also, the problem is the same on both my Win10Pro 64b machine and my older Win7Pro 64b machine).
-- Also, when I check the certificate stores, it shows no certs under "Your Certificates", but it shows four different certs for me under "People."
-- Anyway, this has moved into the too hard, not worth pursuing anymore column for me. IE still works well enough w/ most gov't sites, and although FF is faster, cleaner, and a lot more user-friendly (so far), I should not be having to work this hard to do something I've been doing with relative ease for the past 10 years at least.
-- Thanks all for the help and suggestions, but I just don't have time to be a software beta tester anymore. Sorry.
Regards, SangerM.
The DoD certificates would appear under Authorities. Is the CAC reader recognized and enabled (logged on) if you check this in the security device manager?
- Options/Preferences -> Privacy & Security
Certificates: Security Devices
If you decide to try again, compare your settings in the Certificate Manager on the work machine to see whether that provides any insights.
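An added diagnostic example, not written by any poster in this thread or by Mozilla: security.enterprise_roots.enabled only makes Firefox trust CA roots from the Windows store (the Authorities tab), while the CAC's client certificates reach "Your Certificates" through a PKCS#11 module listed under Security Devices, so the two settings can be checked separately in a profile. The profile file names prefs.js and pkcs11.txt are real, but the sample contents, the stanza layout shown and the DLL path are constructed placeholders.

```python
import re

# Constructed sample of a Firefox profile's prefs.js (not taken from the thread).
SAMPLE_PREFS = '''\
user_pref("browser.startup.page", 3);
user_pref("security.enterprise_roots.enabled", true);
'''

# Constructed sample of pkcs11.txt with only NSS's internal module registered.
SAMPLE_PKCS11_INTERNAL_ONLY = '''\
library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

'''

# Same file after a smart card module is loaded; the DLL path is a placeholder.
SAMPLE_PKCS11_WITH_CARD = SAMPLE_PKCS11_INTERNAL_ONLY + '''\
library=C:\\placeholder\\middleware-pkcs11.dll
name=CAC middleware (placeholder)

'''

def enterprise_roots_enabled(prefs_text):
    """True if prefs.js sets security.enterprise_roots.enabled to true."""
    m = re.search(
        r'user_pref\("security\.enterprise_roots\.enabled",\s*(true|false)\);',
        prefs_text)
    return bool(m) and m.group(1) == "true"

def external_modules(pkcs11_text):
    """Return (name, library) for every stanza whose library= is non-empty."""
    found = []
    for stanza in re.split(r"\n\s*\n", pkcs11_text.strip()):
        fields = dict(l.split("=", 1) for l in stanza.splitlines() if "=" in l)
        if fields.get("library", "").strip():
            found.append((fields.get("name", "?"), fields["library"].strip()))
    return found

def diagnose(prefs_text, pkcs11_text):
    """Report the trust-root setting and the client-cert source separately."""
    mods = external_modules(pkcs11_text)
    return {"windows_roots_trusted": enterprise_roots_enabled(prefs_text),
            "external_modules": mods,
            "client_cert_source_present": bool(mods)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_PREFS, SAMPLE_PKCS11_INTERNAL_ONLY))
    print(diagnose(SAMPLE_PREFS, SAMPLE_PKCS11_WITH_CARD))
```

A profile that reports `windows_roots_trusted` as true but `client_cert_source_present` as false matches the symptom described above: DoD roots are trusted, yet "Your Certificates" stays empty.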