Conflicting CAC Middleware/Software Causes NetSign CAC Anomalies

Description:
This article addresses anomalies that occur when using NetSign CAC as a result of previously installed CAC middleware.


Product:

NetSign CAC



Operating Systems:

Windows 2000



Issue / Problem:

If another vendor's CAC middleware was installed or removed prior to installation of the NetSign CAC middleware, some anomalies may occur when trying to access the CAC card, particularly when trying to sign encrypted email.



The anomaly occurs if middleware from "Vendor A" registered the certificate(s) and private key location from the CAC card in the local certificate store, and then, when it was uninstalled, deleted neither those certificates from the certificate store nor its CSP registry entries. In this example, when NetSign CAC is installed, the certificates are not registered in the local certificate store because they already exist from the previous vendor's middleware. When an application such as Outlook needs to use the certificate and private key, it only knows to look for the CSP provided by "Vendor A", because the certificate and private key information is linked to "Vendor A's" CSP and not to the CSP from NetSign CAC.



Solution:




To correct this issue, the following steps, which require administrative privileges, must be taken prior to installing NetSign CAC:



* Uninstall NetSign CAC and any other previously installed CAC Middleware



* Remove corresponding CAC certificates from the certificate store via Internet Explorer (IE)



* Delete the "Security Setting Name" (Profile) associated with the CAC card via Outlook



* Delete CAC CSP from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards and disable "Lock Workstation" upon smart card removal feature if previously set by ActivCard Gold.



Procedures

Cautionary Notice: Please consult your administrator before proceeding so that you are not in violation of any local security policies.



Manual Process

(Note: All steps require administrative privileges):

Remove ONLY the corresponding CAC certificates from the certificate store via Internet Explorer:

1. Open Internet Explorer

2. Click: Tools > Internet Options > Content > Certificates

3. Highlight the certificate(s) ONLY associated with your CAC card.

4. Click Remove. A "Certificate" message similar to "You cannot decrypt data encrypted using the certificates. Do you want to delete the certificates?" will be displayed.

5. Click: Yes to delete certificates.

   Note: Certificates will be automatically registered upon card insertion after installation is complete.

6. Click: Close

7. Click: OK

8. Exit Internet Explorer.



Delete the "Security Setting Name" (Profile) associated with the CAC card via Microsoft Outlook:

1. Open Outlook

2. Click: Tools > Options > Security > Settings

3. On the Security Setting Name pull down menu, highlight ONLY the profile associated with the CAC card

4. Select Delete

5. Click: OK

6. Click: OK

7. Close Outlook



Delete CAC CSP from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards and disable "Lock Workstation" upon smart card removal feature if previously set by ActivCard Gold.



WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall the operating system. SSP-Litronic does not guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Back up your system's registry first and use the Windows Registry Editor at your own risk.

1. Click: Start > Run

2. In the "open:" box, type REGEDIT

3. Click to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards

4. Double click to expand Smart Cards. A list of CSP entries will be displayed.

WARNING: DO NOT delete any key other than that of the CAC CSP that had been previously installed by another vendor middleware.

5. Highlight the following keys (one, both, or neither of these keys may be listed):

ActivCard Gold (Oberthur Galactic)

ActivCard Gold (Schlumberger Cyberflex Access)

6. Right click on the key and click: Delete

7. Click: Yes to "Confirm Key Delete"

8. Note: Windows 95, 98 and NT users only, proceed to step 10.

9. Click to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

10. In the panel to the right of the Winlogon key, look for scremoveoption. The value should be "0". If it is not:

    1. Right click on scremoveoption

    2. Select Modify

    3. Enter 0 in the Value Data field

11. Click on Registry menu

12. Click: Exit

13. Restart your computer

14. Install NetSign CAC middleware
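
A read-only check of the registry backup taken before the manual steps, as an added example that is not SSP-Litronic's code: it parses a .reg export and reports which of the two ActivCard Gold keys are still present and whether scremoveoption needs resetting. The "Crypto Provider" value name and the sample provider names are assumptions not stated in the article; the sample export is constructed.

```python
import re

# Key paths, key names and the scremoveoption value name are the ones the article lists.
CALAIS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
STALE_KEYS = ("ActivCard Gold (Oberthur Galactic)",
              "ActivCard Gold (Schlumberger Cyberflex Access)")

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: string_data}}, names lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # string values only; hex: and dword: data is skipped
                current[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def audit(text):
    """Report what the manual procedure would still have to change."""
    keys = parse_reg(text)
    stale = {}
    for name in STALE_KEYS:  # one, both or neither may be present
        values = keys.get((CALAIS + "\\" + name).lower())
        if values is not None:
            stale[name] = values.get("crypto provider", "")  # assumed value name
    sc = keys.get(WINLOGON.lower(), {}).get("scremoveoption")
    return {"stale_keys": stale, "scremoveoption": sc,
            "needs_reset": sc not in (None, "0")}  # an absent value needs no change

# Constructed sample export (not from a real machine); provider names are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\ActivCard Gold (Oberthur Galactic)]
"Crypto Provider"="Example Vendor A CSP"
"ATR"=hex:3b,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Example NetSign Card]
"Crypto Provider"="Example NetSign CSP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"scremoveoption"="1"
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Regedit writes "Version 5.00" exports as UTF-16, so decode the file with that encoding before passing its text to `audit`.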



Automatic Process.

SSP Litronic has prepared an application (ActivClean.exe) that will make the changes as outlined in the section above ("Manual Process"). It is provided as a convenience only and may not correct the issue with all versions of ACG.

1. In order to correct this issue, a few steps must be taken, which require administrative privileges, prior to installing NetSign CAC:

   1. Uninstall NetSign CAC and any other previously installed CAC Middleware.

   2. Copy the Activclean.exe file to your desktop.

   3. Double-click the file Activclean.exe and reboot when requested.

2. Now install NetSign CAC as instructed. Contact your Administrator for additional details.

3. Note: SSP Litronic does not warrant that use of this application or procedure will correct defects caused by other third (3rd) party vendors or correct other system problems.

4. Contact your NetSign CAC account representative for additional information on this or any other sales/support related issue.



Keywords: Active, Activclean, Third Party CAC Middleware, Anomaly, Activ, ActivCard, ACG, 50123



Last Updated: May 24th, 2004 at 12:14 PM
Copyright 2006 Saflink Corp.