Technical issues. Hardware, software upgrades, misleading technical information, etc. For example, A USB smartcard reader stops working. After some trial and error, I get it working in another USB port. Was it an issue with the original port, with other connected USB devices, say, an external disk drive, affecting it, a problem with the reader itself, some recent updates, e.g., to device drivers?
As I write, my primary PC is making a second attempt at the latest Windows 10 feature update. It had successfully completed on my newer PC, although it seemed to take forever. I knew something had happened when I took a short nap and woke up to find my PC ready for logon and it did not launch into some sort of "preparing your desktop" step. I quickly confirmed the update had failed by looking at the Update history. No clue as to what happened, but at least the system had reverted to a usable state. [It has since failed again while I composed this post, at about the 58% completion point. I tried running the Updates troubleshooter to no result. This is not the first time I've run into multiple Update failures.] My older devices are "not yet ready" for the update. I know in the past they eventually get usable updates, but I find it annoying to having different versions across my devices. But even launching Setup/Windows Update can be an issue at times.
Then there's Adobe Flash Player. There are a number of issues here, including its use with certain mandating training software I use. A big upcoming issue is the product's end of life at the end of the year, with all major browsers announcing related end of support. There have been some chronic security lag patching, never mind browsers handle Flash Player support differently, e.g., Chrome vs. Firefox. One of the things I found that using the software through Chrome required manually changing the browser window to enable Flash Player; apparently there's no way to whitelist URLs to allow Flash Player. I discovered the Player issue when I got to a simulation exercise in the courseware and it just wouldn't advance--it was just spinning. I had contacted technical support; he didn't seem to run into the issue using my account--and then at some point he mentioned using Firefox. I recall in the past when using cable TV scheduling with Chrome. I would get some "right-click to enable Adobe" thing but at some point it changed to clicking at the start of the address prompt. However, in the case of the training software, I never got a warning to the effect there was a Flash Player issue.
And then I got to this one course where Flash Player was allowed, but I got a warning the courseware required Flash Player to display the screen. Now what? I remember the support guy had initially tested on Firefox. So I launched my copy of Firefox, only to discover Flash Player wasn't installed, and I eventually realized I had to download the player from Adobe. I remember wondering how to verify the software was installed in Firefox. I eventually launched the courseware and saw something to the effect of right-click to use Flash Player.
I know when I wrote my recent posts on issues with government smartcard CAC's I saw an emphasis in other sources on running the 32-bit version of Internet Explorer in order to use ActiveX functionality in order to use PKI for secure email (digital signature and encryption). If you're running a 64-bit OS, like many of my own PC's have, you should have both 64- and 32-bit versions. Long story short, I started launching the 32-bit iexplore. For other reasons, I started looking at Process Explorer from Sysinternals to look at the iexplore process(es) (right-click/Properties to see the executable path name). That's when I discovered 64-bit IE was still being launched concurrently; more to the point, even if I launched 64-bit IE, I could still use secure email functionality; I think I read somewhere that IE-64 will open a frame to support 32-bit requirements when needed.
On a side note, I have discovered that using a VPN can have some unpleasant side effects. For example, I found sending an email using Gmail was failing but if I momentarily disconnected the VPN, I could connect to the SMTP server. I've also found at least a dozen secure websites balking they don't recognize my IP. From a security standpoint, I appreciate the checks, but it is a usability tradeoff and somewhat defeats the purpose of using a VPN.
Reflections, tips and advice on information technology, with an emphasis on learnability and usability, using examples from the PC/Windows platform
Monday, June 22, 2020
Saturday, June 6, 2020
Troubleshooting Secure Email Issues With a CAC
I was tempted to simply add a second addendum to my recent CAC post, but I wanted to expand on relevant comments.
To summarize, a (government) CAC smartcard chip contains PKI infrastructure, including private certificates and associated private keys. If I use third-party software, like ActivClient, I can see 3 certificates (identity, signature, and encryption). The identity certificate is used to authenticate, say, to a government website. The email signature is used to provide non-repudiation of the message source and encryption ensures confidentiality. In practice, the private infrastructure is protected by the CAC PIN. So, for example, in accessing a secure government website, including email, I'll usually get a pop-up to select the (identity) certificate; there's a second step (on my home system) where it's testing the card reader and reading the CAC; on an intermittent basis I'll sometimes get a garbage popup saying something like it can't use the certificates on the CAC. What this really means in practice is I need to reseat the CAC--remove the card from the CAC reader and reinsert it. (IMPORTANT practical note: if I'm using Internet Explorer 32-bits, I need to go to Internet Options, Content Panel and clear the SSL state before I can reread the CAC.) Once I get confirmation that the device is ready and click OK, I should be prompted for my CAC PIN. If successful, I'll usually land at a USG warning banner page (in IE, I'll sometimes have to refresh the webpage). Similar PIN entries occur if I sign and/or encrypt outgoing emails for security.
Now I ran into some weird issues soon after installing/testing S/MIME for use in IE-32 as described in the last message (needed for secure email functionality) I recall being able to pull up a digitally signed and/or encrypted email from another person and sending my own signed/encrypted email. A few days later, I tried pulling up another email from the same person, and the entire message body was blank. What the devil? Was he encrypting from an obsolete public certificate? A separate, weird issue: all of a sudden I couldn't send even regular emails from Outlook Web Access; clicking on the send button didn't do anything.
I really didn't want to contact the government helpdesk on the issues; I did have a contact with the local group servicing the laptop, and he mentioned he had also run into a blank email issue with OWA but not when using the Outlook client on his laptop (not available to me).
I did a Google search on my issues and found this Microsoft webpage where the user's experience exactly matched mine. When I got to Jeremy Nickels' detailed response and saw 231 readers had endorsed it, I was convinced I had stumbled across a solution for apparently a common problem. The key steps are up to step 10 and involve a number of tweaks to IE settings, and yes, they resolved my functionality issues. I didn't check militarycac.com; I think when I tested that first signed/encrypted email after installing S/MIME via a related note, I assumed no other tweaks were necessary.
To summarize, a (government) CAC smartcard chip contains PKI infrastructure, including private certificates and associated private keys. If I use third-party software, like ActivClient, I can see 3 certificates (identity, signature, and encryption). The identity certificate is used to authenticate, say, to a government website. The email signature is used to provide non-repudiation of the message source and encryption ensures confidentiality. In practice, the private infrastructure is protected by the CAC PIN. So, for example, in accessing a secure government website, including email, I'll usually get a pop-up to select the (identity) certificate; there's a second step (on my home system) where it's testing the card reader and reading the CAC; on an intermittent basis I'll sometimes get a garbage popup saying something like it can't use the certificates on the CAC. What this really means in practice is I need to reseat the CAC--remove the card from the CAC reader and reinsert it. (IMPORTANT practical note: if I'm using Internet Explorer 32-bits, I need to go to Internet Options, Content Panel and clear the SSL state before I can reread the CAC.) Once I get confirmation that the device is ready and click OK, I should be prompted for my CAC PIN. If successful, I'll usually land at a USG warning banner page (in IE, I'll sometimes have to refresh the webpage). Similar PIN entries occur if I sign and/or encrypt outgoing emails for security.
Now I ran into some weird issues soon after installing/testing S/MIME for use in IE-32 as described in the last message (needed for secure email functionality) I recall being able to pull up a digitally signed and/or encrypted email from another person and sending my own signed/encrypted email. A few days later, I tried pulling up another email from the same person, and the entire message body was blank. What the devil? Was he encrypting from an obsolete public certificate? A separate, weird issue: all of a sudden I couldn't send even regular emails from Outlook Web Access; clicking on the send button didn't do anything.
I really didn't want to contact the government helpdesk on the issues; I did have a contact with the local group servicing the laptop, and he mentioned he had also run into a blank email issue with OWA but not when using the Outlook client on his laptop (not available to me).
I did a Google search on my issues and found this Microsoft webpage where the user's experience exactly matched mine. When I got to Jeremy Nickels' detailed response and saw 231 readers had endorsed it, I was convinced I had stumbled across a solution for apparently a common problem. The key steps are up to step 10 and involve a number of tweaks to IE settings, and yes, they resolved my functionality issues. I didn't check militarycac.com; I think when I tested that first signed/encrypted email after installing S/MIME via a related note, I assumed no other tweaks were necessary.
Tuesday, June 2, 2020
Some Notes About Using CAC's on a Home PC
Common Access Cards (CAC's) are government ID smartcards. Basically they come with a chip on which you have some PKI certificates installed (used for network authentication, digital signing and email encryption/decryption in conjunction with a PIN) and is often used as a way to access certain government sites/ or buildings and certain government websites; government employees and contractors may also need additional proximity cards and/or smartcards for access to certain restricted buildings or areas at a government site. (This is not privileged information; in fact, you'll find a Wikipedia page on CAC's, and an Internet search will reveal a number of websites which discuss practical aspects of using CAC's, resolving issues, etc., not requiring access to government networks, including militarycac.com, which I'll briefly describe as a key resource below.)
I've needed CAC's for multiple gigs over the past decade. I say plural because I'm not a civilian (federal employee) and typically they are tied to contract expiration's and also must be surrendered if you quit or otherwise leave your position (need to have basis). It can be painful; for example, in a gig I had from 2017 to 2019, contract option years were figured into CAC expiration, and I had to get mine renewed; there were technical issues because the new CAC certificates were incompatible with old secure emails.
The COVID-19 crisis has backlogged local CAC processing, and so I had to go to a government facility in downtown Baltimore to get my CAC. I had been issued a government laptop off-site; basically the way the process works, my CAC is used to access the notebook and it first needs to be authenticated by connecting securely to the government network, and then authentication is cached to the PC, enabling logon (including without network authentication). Long story short, there's a known technical issue with certain newer CAC certificates from one of a couple of certificate authorities, and the network balked at my CAC because of that problem.
The government laptop comes with a card reader, but it's not usable because I can't logon without the cached CAC authentication (you don't get usable feedback; it simply states it's unable to validate my credentials, not that I entered an invalid PIN). I made an appointment at a desktop support group at the local facility, and the local technician identified the CA issue mentioned earlier.
This puts me in a bind because I needed to access my government email to respond to related service issues, also to do certain required training/certificates to get my own (vs. a visitor) network account, and whereas I didn't have to connect to the government network to access at least some alternatives, the websites typically require CAC authentication. So I had to acquire a USB smartcard reader; you can buy one for about $15 from a variety of vendors at Amazon.com. In addition, in my experience, I also had to buy a licensed copy of ActivClient for about $35 (see militarycac.com for the vendor). (Some sources or experts will tell you that you don't need the software with Windows 10, but in my experience, while Windows 10 could see the smartcard reader, it looked like an empty/inaccessible disk drive.) I also downloaded and installed/ran two executables from militarycac.com: InstallRoot...msi and HomeUserCertTool..zip.
The device "documentation" sucked. Let me quote:
"Red Light = Functional" (will change to blue when inserting CAC card)
Actually, the device comes with two lights, a power light, which is blue, and a second red light which blinks/doesn't change color with CAC insertion.
It also states "For 3rd party software, certificate, see militarycac.com". Presumably they are referring to ActivClient (see above). Once you have ActivClient installed, you should be able to see/open the CAC and see the certificate.
They also provide a URL to download the device driver. No such driver available, but apparently the Microsoft device driver is functional. As I said, the documentation sucks.
Finally, many government websites certify on Internet Explorer for support purposes. I found one training website worked well with Chrome. Some browsers, including Chrome, don't like certificates of other websites and won't let you to the URL. Ironically, I found webmail seems to work well with a Chrome cousin, Brave. [See addendum below.] Be careful with URL's; for example. one site required 'www.' at the beginning of the domain name, and another seemed to require '/owa' at the end. In Internet Explorer you may need to clear (content) state to reread your CAC and/or clear certificates via another security tab in Internet options. Sometimes you will get a failed validation, which can be resolved by removing and reinserting your card and trying to logon by CAC again. In a few cases you may need to refresh your browser to see your USG banner warning page.
Your mileage may vary; I don't know/think all or most will have two lights, one blue or one red. (I still can't forget my Commodore 64 floppy drive documentation back in grad school warned something like "Never insert/remove a floppy with the green light on!" Well, the green light was a power light! It also warned, "Don't power down the drive with a floppy in it!" Okay, how the hell are you supposed to use a program disk? I decided they really meant to say when you were writing to a data disk (say, an amber light blinking), but I really didn't want to lose my $35 program floppy.) Hopefully this guidance helps others; militarycac.com is very good but lacks the context I've provided here.
[Important addendum: 6/2/20.] In using Brave I was referring to regular emails, i.e., not using secured email functionality like signed/encrypted emails. In Windows, this is enabled by S/MIME functionality accessible through and/or installed with 32-bit Internet Explorer (\Program Files (x86)\Internet Explorer\iexplore.exe) in conjunction with ActiveX controls. In my system, S/MIME was not installed by default, but a link to the install was available by drilling through the Options menu in Outlook Web App. Note I sometimes have to refresh IE after signing into OWA with my CAC ID/PIN to get the USG banner warning, a prerequisite to opening the mail app.
I've needed CAC's for multiple gigs over the past decade. I say plural because I'm not a civilian (federal employee) and typically they are tied to contract expiration's and also must be surrendered if you quit or otherwise leave your position (need to have basis). It can be painful; for example, in a gig I had from 2017 to 2019, contract option years were figured into CAC expiration, and I had to get mine renewed; there were technical issues because the new CAC certificates were incompatible with old secure emails.
The COVID-19 crisis has backlogged local CAC processing, and so I had to go to a government facility in downtown Baltimore to get my CAC. I had been issued a government laptop off-site; basically the way the process works, my CAC is used to access the notebook and it first needs to be authenticated by connecting securely to the government network, and then authentication is cached to the PC, enabling logon (including without network authentication). Long story short, there's a known technical issue with certain newer CAC certificates from one of a couple of certificate authorities, and the network balked at my CAC because of that problem.
The government laptop comes with a card reader, but it's not usable because I can't logon without the cached CAC authentication (you don't get usable feedback; it simply states it's unable to validate my credentials, not that I entered an invalid PIN). I made an appointment at a desktop support group at the local facility, and the local technician identified the CA issue mentioned earlier.
This puts me in a bind because I needed to access my government email to respond to related service issues, also to do certain required training/certificates to get my own (vs. a visitor) network account, and whereas I didn't have to connect to the government network to access at least some alternatives, the websites typically require CAC authentication. So I had to acquire a USB smartcard reader; you can buy one for about $15 from a variety of vendors at Amazon.com. In addition, in my experience, I also had to buy a licensed copy of ActivClient for about $35 (see militarycac.com for the vendor). (Some sources or experts will tell you that you don't need the software with Windows 10, but in my experience, while Windows 10 could see the smartcard reader, it looked like an empty/inaccessible disk drive.) I also downloaded and installed/ran two executables from militarycac.com: InstallRoot...msi and HomeUserCertTool..zip.
The device "documentation" sucked. Let me quote:
"Red Light = Functional" (will change to blue when inserting CAC card)
Actually, the device comes with two lights, a power light, which is blue, and a second red light which blinks/doesn't change color with CAC insertion.
It also states "For 3rd party software, certificate, see militarycac.com". Presumably they are referring to ActivClient (see above). Once you have ActivClient installed, you should be able to see/open the CAC and see the certificate.
They also provide a URL to download the device driver. No such driver available, but apparently the Microsoft device driver is functional. As I said, the documentation sucks.
Finally, many government websites certify on Internet Explorer for support purposes. I found one training website worked well with Chrome. Some browsers, including Chrome, don't like certificates of other websites and won't let you to the URL. Ironically, I found webmail seems to work well with a Chrome cousin, Brave. [See addendum below.] Be careful with URL's; for example. one site required 'www.' at the beginning of the domain name, and another seemed to require '/owa' at the end. In Internet Explorer you may need to clear (content) state to reread your CAC and/or clear certificates via another security tab in Internet options. Sometimes you will get a failed validation, which can be resolved by removing and reinserting your card and trying to logon by CAC again. In a few cases you may need to refresh your browser to see your USG banner warning page.
Your mileage may vary; I don't know/think all or most will have two lights, one blue or one red. (I still can't forget my Commodore 64 floppy drive documentation back in grad school warned something like "Never insert/remove a floppy with the green light on!" Well, the green light was a power light! It also warned, "Don't power down the drive with a floppy in it!" Okay, how the hell are you supposed to use a program disk? I decided they really meant to say when you were writing to a data disk (say, an amber light blinking), but I really didn't want to lose my $35 program floppy.) Hopefully this guidance helps others; militarycac.com is very good but lacks the context I've provided here.
[Important addendum: 6/2/20.] In using Brave I was referring to regular emails, i.e., not using secured email functionality like signed/encrypted emails. In Windows, this is enabled by S/MIME functionality accessible through and/or installed with 32-bit Internet Explorer (\Program Files (x86)\Internet Explorer\iexplore.exe) in conjunction with ActiveX controls. In my system, S/MIME was not installed by default, but a link to the install was available by drilling through the Options menu in Outlook Web App. Note I sometimes have to refresh IE after signing into OWA with my CAC ID/PIN to get the USG banner warning, a prerequisite to opening the mail app.
Subscribe to:
Posts (Atom)