Army Knowledge Online problems and cures are on a separate page.

APPROVE IT 

back to top

The ideas on this website are from my personal experience.  I have been told by Army Publishing Directorate (APD) to send Users to their help desk so they become aware of the problems with this program.  703-692-1306 / DSN:  312-222-1306, Webform, or apdfcmp@conus.army.mil 

If you are having problems accessing the CHESS website, contact the CHESS help desk at: peoeis.pdchess.helpdesk@us.army.mil or 888-232-4405 / 703-806-1019 / DSN: 312-656-1019 (Monday - Friday 0800-1700 EST).

Problem 1:  Approve It 5.8.2 keeps reinstalling every time you log onto the computer.

Cure 1-1:  Remove the Approve It from the startup menu (This version puts itself in this folder for some unknown reason).

Cure 2-2:  Uninstall ApproveIt 5.8.2, restart computer, Install ApproveIt 5.7.3.  Follow instructions below.  PLEASE NOTE:  ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.

Problem 2:  "Component is missing or corrupt" message after installing ApproveIt and attempting to digitally sign a form

Cure 2-1:  Restart computer after installing Approve It (multiple restarts might be required).

Problem 3:  Receive "No host application was found on this computer.  Please install the host application before installing ApproveIt Desktop" when installing ApproveIt 6.5

Information:  According to the ApproveIt Desktop 6.5 installation guide, it requires at least one of the following host applications be installed: Microsoft Word, Microsoft Excel, Adobe Acrobat, Adobe Reader, Adobe Form Designer and Client, Adobe FormFlow Form Designer with Filler, PureEdge ICS Designer and Viewer, Lotus Forms Designer and Viewer, and Microsoft InfoPath.  HOWEVER, Adobe Reader (9.4 or below) seems to be the program it is looking for specifically

Cure 3-1:  You [more than likely] have Adobe Reader X (10) installed.  You need to Uninstall Adobe Reader, restart your computer, download (alternate download) and install Adobe Reader 9.3.  Once you have installed Adobe Reader 9.3, install ApproveIt.  Then when ApproveIt is installed [and you've verified you can sign a form], upgrade your Adobe Reader back to X (If you want). 

Problem 4:  "Unable to complete the signature; the private key cannot be found or is inaccessible on the system.  Make sure you are using a good signing key or the right smart card."

Cure 4-1:   Close Pure Edge or Lotus Forms, restart computer, try again

Cure 4-2:  Double check that you did install all software correctly.  You can use the notes page to verify.  Particularly ActivClient

Cure 4-3:  Visit:  MilitaryCAC forums for another possible solution.

Cure 4-4:  You might have old certificates on the computer.  Follow this guidance to clear them.

Problem 5:  "Unable to complete operation; an ApproveIt component (ApproveIt FrameworkResource.dll) is missing or corrupt"

Cure 5-1:  Restart the computer.  Could take 3-4 times.

Cure 5-2:  Verify installation of ApproveIt, you may need to uninstall, restart computer, then reinstall.

Problem 6:  Receive "ApproveIt - Error  [message not found]: [message not found] [message not found]," followed by "Unable to access Private Key", then "The signature could not be created because the private key of the certificate could not be accessed."

Information:  This error is caused by the virtualization setting of the masqform process.

Cure 6-1:

Step 1:  Open Lotus Forms Viewer (not a specific form).

Step 2:  Start task manager, here's how

Step 3:  Click the Processes (tab), Right click on masqform.exe and uncheck virtualization.

Step 4:  Try reopening your form now.

Government systems: Disabling virtualization completely may cure this problem as well.

Cure 6-2:  Uninstall Approve It, restart computer, Install ApproveIt 5.7.3  Follow instructions below.  PLEASE NOTE:  ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.

Cure 6-3:  Your current profile could be corrupt.  Here's how to build a new profile:  If on a Government Computer, look below

Creating a new profile when you have Windows Vista or Windows 7:  

1. Click Add or remove user accounts under User Accounts (Vista), or User Accounts and Family Safety (7) in Control Panel

2. Click Create a new account under the big box

3. Type in the new username of the new account name box

4. Click Administrator, then Create Account

5. Logoff your current user account

6. Logon with the new username and try again

     Screen shot view of steps above via Bleepingcomputer.com

     Video of steps above via Dummies.com

Microsoft page for assistance after creating new profile

Creating a new profile when you have Windows XP: 

1. Double click User accounts in Control Panel

2. Select Create a new account

3. Type in the name of the new account, select next

4. Select Computer Administrator and Create Account

     Screen shot view of steps above via Dummies.com

Microsoft page for assistance after creating new profile

Since you made your new logon as an administrator, you should have no problem accessing your old files.

These are fixes for Government Computers.

1.  Logon as an administrator, go to Control Panel - User Accounts, Turn off UAC (this was tested on a Government owned Vista computer)

2. Latest instructions that can cure this problem

3.  Original instructions that can cure this problem

4.  ****MUST DO THIS STEP**** after renaming the old profile.

Run regedit and go to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and delete the SID key for the corrupt profile. Easiest way to find the correct SID is to search from the 'ProfileList' key for the directory mentioned in %USERPROFILE% in step #1.

 After you do this, make sure you rename the users' profile under C:\Users\<user name>\

Then have the user login to verify user can sign the document.

Problem 7:  You get prompted to enter a serial number when installing ApproveIt 5.7.3

Cure 7-1:  This means you attempted to install using the setup file from within the zipped file.  You need to extract the zip file, then run the setup from inside the new folder it just created.   Read installation Instructions below.

Problem 8:  You get prompted to enter a serial number when installing ApproveIt 5.9

Cure 8-1:  Use the file titled:  AGMInst.exe (It will be an icon that looks like a star) instead of the setup (bootstrap) file

Problem 9:  Approve It tab does not show up in Microsoft Word 2007 or Excel 2007. 

Cure for Word:  Look at this PDF

Cure for Excel:  Look at this PDF

Problem 9a:  ApproveIt tab does not show up in Microsoft Word 2010 or Excel 2010. 

Cure:  Uninstall ApproveIt and Office 2010, restart computer.  Install Office 2007, Install ApproveIt and test digital signature (you may need to follow instructions above in Problem 15).  Once it works, upgrade Office 2007 to 2010, the ApproveIt tab will remain and be "should be" usable.

Cure 2:  Wait for the Army to replace ApproveIt with e-Sign.  Read the 21 September 2011 press release.

Problem 10:  Receive ePersona message when trying to sign a form in Pure Edge or Lotus Forms with Approve It?

Cure 10-1:  Close PureEdge (if it is open).  Go to: C:\Program Files\ApproveIt\, double-click the icon that looks like a wrench titled: "AprvCfg.exe".  On the Signature Method tab, make sure the radio button is on the bottom choice - "Sign using a certificate or smart card."  Don't change anything else.  Click Apply, then OK

After you click "Sign" in PureEdge, it may take a few minutes for the list of certificates to pop up. Be patient. Choose the certificate that doesn't say Email, and put a check in the box that says "Use this certificate as default" (if this is your personal computer).

Problem 11:  Receive "The signature could not be created because the Private key of the certificate could not be accessed."

Cure 11-1:  Look here for the answer

Problem 12:  When attempting to install Approve It on a computer with Office 2007, receive error message "Microsoft Word has encountered a problem and needs to close.  We are sorry for the inconvenience."

Cure 12-1:  Look here for the answer

Problem 13:  Official Installation guide for ApproveIt 6.5   |   Installation guide for ApproveIt 6.1

Problem 14:  Receive: "chilkatlog:  unzippedfile: failed to read compressed data.  failed to find file marker" when attempting to install Approve It 6.1.

Cure 14-1:  Install Approve It 5.7.3.  Follow instructions below.  PLEASE NOTE:  ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.

Problem 15:  Approve It tab does not show up in Microsoft Word 2010. 

Cure 15-1:  The current versions of ApproveIt 6.5 & 6.1 are not compatible with Office 2010

NOTE:  If you had it working in Office 2007, and upgraded to Office 2010, it may work for you.

Problem 16:  When attempting to open the ApproveIt configuration Manager [ApproveIt 6.1 government computer], you receive:  Runtime Error!  Program: C:\Program Files\ApproveIt\AprvCfg.exe  This application has requested the Runtime to terminate it in an unusual way.  Please contact the application's support team for more information.

Cure 16-1:  Navigate to:  C:\Program Files\ApproveIt\, Right click ApprvCfg.exe, select Properties, select the Compatibility (tab), check box "Run this program as an administrator."

Problem 17:  When clicking the login button trying to access CHESS [with your AKO Registered CAC] to download ApproveIt you are prompted for your certificate.  You select it and enter your PIN, it then states "you will be logged in shortly."  Within a few moments, you are returned to the login page, without being logged in.

Cure 17-1:  Follow guidance in this PDF, or watch this video

CAC / CAC READER

back to top

Problem 1:  The CAC reader driver did not automatically install correctly

Cure 1-1:  Go to Device Manager (Instructions are on the CACDrivers page), scroll down to Smart Card readers, right click the CAC reader that shows up below Smart Card Readers.  It may also show up under unknown devices.  Select Uninstall.  It will give you a message.  Once it is uninstalled, unplug the reader from your computer.  Wait a few moments, then plug it back in.  It "should start to install itself.  If that doesn't work, keep reading for other ideas below.

Cure 1-2:  Look at the CACDrivers page to see how to fix this problem.  Hopefully whichever CAC reader you purchased will work on your Vista or Windows 7 computer.

Cure 1-3:  If you are using an SCR-331 CAC Reader on Vista or Windows 7 (32 or 64 bit), and are still having problems getting the reader to be recognized by ActivClient, or your CAC reader shows up as STCII Smart Card Reader follow these instructions for updating the firmware on the reader.   

Problem 2:  Receive quick beep whenever you boot up your computer with the CAC reader plugged in, or when plugging in your CAC reader.

Cure 2-1:  Change the following registry key to 0 from 1  by going to Start, Run, type in "Regedit" (without the quotes) and navigate to:  HKEY_LOCAL_MACHINE\Software\ActivCard\ActiveClient\Notification\NoReaderWarning\Enable

Problem 3:  Card does not read consistently

Cure 3-1:  Try cleaning the gold portion of the CAC with a clean pencil eraser. 

Cure 3-2:  Your card could be wearing out.  It may be time to get a new one.  Click here to find an ID card office.

Cure 3-3:  Your reader may be showing signs of wear.  Click here to find a new one.

Problem 4:  CAC reader is seen in Device Manager in Windows but not by ACTIVCLIENT software:

Information:  Windows runs the Smart Card service as a local service and without it, smart cards will not work. Another symptom of this is when the Card Icon does not show on the logon screen (Government computer).

Cure 4-1: Make sure the ActivIdentity Shared Store Service is started.  Here's how:  Click Start, type in:  services.msc in the search box, double click on:  ActivIdentity Shared Store Service.  Make sure the Startup type is set to Automatic and if not started, select Start.

Cure 4-2:  Run this file to fix your Smart Card service.  If you have problems with the other file, try this one.

Cure 4-3: Log on as the local administrator.  Go to Start, Run, type in: services.msc, Verify that both ActivClient middleware and SmartCard services are stopped.

From the Run line:  type: Regedit

Navigate to "HKLM\Software\Microsoft\Cryptography\Calais (select Calais with the mouse cursor) Right click on it choose "Permissions".

Verify if "LOCAL SERVICE" exists, if not click "ADD"

In the search box type in your computer name\local Service

Click Check Names, then OK.

Select Local Service -> Click Advanced -> in the Permissions tab select LOCAL SERVICE -> and click Edit.

Mark the following with Allow:

Query Value

Set Value

Create Subkey

Enumerate Subkeys

Notify

Delete

Read Control

Open Services.msc again, Start smart Card Service,  Start ActivClient middleware Service.

CAC Card should now be working.

Cure 4-4:  Follow these instructions for modifying your registry to make the Smart Card service start.

Problem 5:  How can I use 2 CAC readers on my computer with ActivClient?

Cure 5-1:  Once the second CAC reader is physically functioning:  Double click the ActivClient icon (down by your clock), select File, Use Reader, Select the other reader.  Go to Tools, Advanced, Make Certificates Available to Windows.  You should be able utilize either CAC on your computer now.   I personally use this on my office computer to assist with DTS, digitally signing forms, and helping Soldiers with AKO password resets. 

**  Here is a presentation showing how to do this.

Problem 5a:  How can I use 2 CAC readers on  my Windows 7 computer without ActivClient?

Cure 5a-1:  Plug it in and use it

Problem 6:  How do I get the message to stop coming up that says my CAC reader isn't plugged in?  I get a notice every time I start my computer that my reader isn't installed.  I own a laptop and don't plug in the reader unless I need it. 

Cure 6-1:  Go to Start, All Programs, ActivIdentity, and click on Advanced Configuration Manager.  Select Notifications Management.  Double click Display No Smart Card Reader Alert, it will automatically change from a YES to a NO.  ** Here are Visual steps showing you how to do this.

Problem 7:  Receive "An internal error has been encountered (the specified smart card is no more available for use)" when trying to access CAC using ActivClient 6.1 on computers with built in CAC reader and trying to use an external at the same time.

Cure 7-1:  Upgrade to ActivClient 6.2

Cure 7-2: The built in reader is taking priority over the external.  Unplug the external and try the internal reader.  On some computers (Gateway), the CAC has to go in upside down. 

DTS

back to top

Problem 1:  Can I use DTS with my Mac or Linux computer?

Cure 1-1:  Yes you can.  The current version of DBSign called DBSign Universal Web Signer is available when accessing the DTS website and will allow all computer platforms to use it.    NOTE:  Look at #2 below and here for troubleshooting tips.

NOTE specifically for Mac users:  You will get a blank page when trying to navigate to your Authorizations or Vouchers until you do the following:  Click the word Safari, uncheck Block Pop-Up windows

Problem 2:  When accessing DTS for the first time, you 'may' be told to install JRE 1.5.

Cure 2-1:  Windows users can download JRE from:  http://download.cnet.com/Java-Runtime-Environment-JRE/3000-2213_4-10009607.html  

NOTE for Windows users:  One person informed me that he was able to uninstall JRE after installing the DBSign on his Windows computer, and DTS still worked.  He was having problems where another window would pop up and state that it was Done, never actually letting him into DTS.

NOTE for Mac users:  When you first get to the page telling you that you need Java, don't be tempted to click the link.  Just let it sit there and it will install it automatically. 

Problem 3:  Unable to access DTS (Error message "There has been a problem with Login.  Problem getting security information from your computer.  Please contact your DTS site administrator for assistance."), or DTS stalls at DBsign: logging into cryptographic libraries....

Cure 3-1: Follow the guidance in this PDF

Cure 3-2:  In Internet Explorer:  Go to Tools, Internet Options, Security (tab), Click on Trusted Sites (green checkmark), Click Sites (button), in the Add this website to the zone:   type in "*.osd.mil" after unchecking "Require Server Verification", click add (button), select close, then click OK

Cure 3-3:  Go to:  Tools, Internet Options, Security (tab), single click on Internet (globe).  Uncheck the box for Enable Protected Mode (down near Custom level...) button. 

Cure 3-4:  Uninstall Internet Explorer 9 to go back to Internet Explorer 8

Problem 4:  DTS screen flashes up, then disappears after you hit login.

Cure 4-1:  Check your pop-up blocker(s), they are more than likely "killing" the page that is attempting to pop up.  DTS loves pop ups. :)

Problem 5:  DTS will not allow you to get past the logon screen in Vista or Windows 7 (64 bit).

Cure 5-1:  Make sure you are using the (32 bit) Internet Explorer.  If you don't see it in your list of programs, navigate to:  C:\Program Files (x86)\Internet Explorer\  double click on iexplore.exe (it will be approximately 622KB in size).  You can also copy / create a shortcut for this program to your desktop.

Problem 6:  DTS error:  "Your user account could not be found or is locked, or your certificate has been revoked.  Please contact your local Registration Authority (LRA) or Verifying Official (VO) to obtain a new PKI certificate or to find additional information."

Cure 6-1:  Your account is more than likely "in between" your old and your new unit (which means you are not attached to either of them).  Contact your current unit's DTS person and have them "Receive" you.

Problem 7:  When attempting to access DTS with Internet Explorer 9 installed, you receive a message that IE has closed the tab.  Basically, you can't logon to DTS.

Cure 7-1:  Uninstall IE9 and go back to IE8  Here's How  Don't forget to hide the update:  Vista, Windows 7, or XP  (video)

ERROR CODES (BY THE NUMBER)

Error Codes (Specific Numbers) problems and cures are located on their own page.

FIREFOX

Firefox problems and cures are located on their own page.

FORMS (formerly known as MyForms)

back to top

Problem 1:  Why do my Forms use check marks instead of the correct X's on some OER or NCOERs and generate an error message.
 
Cure 1-1:  To fix / change this, go to: the Start button, Programs, IBM Lotus Forms, Lotus Forms Viewer (or just open up any form you have, (sample form)).  With the Viewer open Click File, Preference, Advanced settings and select the Use "X" style check boxes, click apply, and then OK.

Problem 2:  Cannot upload forms to Forms while using Vista or Windows 7

NOTE:  The cure for this problem is from the Army Publishing Directorate (APD) (This means I have not had any success with it, but it 'might' work for you).

Information:  Make sure you have the current Lotus version and not the earlier AGM version.  You can verify this by going to C:\Programs Files\IBM\Lotus Forms\Viewer\3.5\   Right click on masqform, click properties, click the Details tab to verify the version. File version should end in .123. 

NOTE:  64 bit Windows will select Program Files (x86) instead of Program Files

If you have the older version, look at the Lotus Forms page to download the newer version.

If yours is the correct version, please try the ideas below:  

Cure 2-1:  In Internet Explorer, Go to tools, Internet options, Security (tab)

-Click on trusted sites and change the default level to low.

-Add *.army.mil to the trusted sites.

-Click Apply.

-Click on the Privacy Icon and change the default level to low.

-Click on the Internet Icon and change the default level to medium.

-Click Apply

Clear the cache by doing the following in Internet Explorer:

-Click on Tools, Internet Options, on the General (tab).  Click the Delete... (button) under the Browsing history section.  Verify the Temporary Internet Files, and Cookies are checked.  Click the Delete button. 

-Log out of AKO and close all your Internet Explorer windows.

-Open Internet Explorer and log back into AKO.

-Please try to upload the form again

***Note: APD recommends that you return to your previous IE settings after conducting your business on My Forms. The cause of having to do the above steps is in result to your OS build being a deviation to the official AGM standard build.***

Cure 2-2:  Uncheck the SSL2.0 setting under Internet Options, Advanced (tab)

Cure 2-3:  Open Internet Explorer, Tools, Internet Options, Advanced Tab, Under security scroll to Allow Active Content from CD to run on My computer and uncheck it. Close all internet windows and log in again and attempt to save.

Cure 2-4:   Open Internet Explorer, Tools, Internet Options, Advanced Tab, Under security scroll to Allow Active Content to run in files on My computer and uncheck it. Close all internet windows and log in again and attempt to save.

Problem 3:  Unable to save forms back to Forms repository.

Cure 3-1: Follow these instructions

Problem 4:  When I try to route forms through the FCMP one of two things happen: 1. All buttons are grayed out except for 'manage favs' so I can't route.   2.  I can form a route slip and search for routed user, but when I click the check box next to the individual I'm routing to nothing happens when I click add as original/add to email (the name will not pop up above the comments box to check).  

Cure 4-1:  Switch into compatibility mode by opening Internet Explorer, click Tools--> Compatibility View. Close and re-open the Forms Portal

NOTE:  This may have to be done anytime you open up FCMP in any new windows.

INTERNET EXPLORER

back to top

Problem 1:  Receive: "There is a problem with this website security certificate."  Your options are listed as  "Click here to close this webpage" or "Continue to this website" where it states it is not recommended.

Cure 1-1:  Latest DoD Certificates are needed, I have instructions where you can download and install them here

Problem 2:  Internet Explorer browser closes (crashes) when attempting to register your CAC on AKO -or- receive "The server akocac.us.army.mil at cac-reg requires a username and password."

Cure 2-1:  (Vista specific, may work with IE 6, (does work with IE 8))  Go to Tools, Internet Options, Content, Certificates, Personal, Advanced, check the box that says "Client Authentication." 

NOTE:  A restart of Internet Explorer is required to allow this change to take place.  You don't have to restart the computer, just Internet Explorer.

Cure 2-2:  Go to:  Tools, Internet Options, Security tab, click on the Internet Security option.  Uncheck the box for Enable Protected Mode. 

Cure 2-3:  Close browser, reopen it, clear your cache and temporary internet files.  Close browser, restart, try again.

Problem 3:  Can not save file in Internet Explorer while using Forms

Cure 3-1: Follow these instructions

Problem 4:  Receive the message: "You do not have Permission to Access this resource."

Cure 4-1:  Verify that you do have all needed software installed, Visit the Notes page to double check what you installed already.

Cure 4-2:  Verify that you are using Internet Explorer when attempting to register your CAC.  If you are using Firefox, please look at the Firefox page for the needed CAC reader configuration.

Cure 4-3:  If you receive this message when trying to download ActivClient from AKO, you need to know that the ActivClient download links on AKO are for Army personnel only.  If your account is listed as an Army volunteer, Guest, family member, retired, or other military branch, you  will not be able to download the file from AKO.  Other military branches look here to find where you can download ActivClient.

Cure 4-4:  Go to: https://www.us.army.mil from this link.  There could be a problem with the shortcut in your favorites.  Simply re add AKO to your favorites replacing your existing favorite.

Cure 4-5:  Follow guidance in this PDF, or watch this video

Problem 5:  CAC works to sign forms, but cannot access CAC enabled websites.

Cure 5-1:  Use Internet Explorer for any websites that need to use your CAC (IF using Firefox).

Cure 5-2:  Follow guidance in this PDF, or watch this video

Cure 5-3:  If you insist on using Firefox, follow this guidance.

Problem 6:  If you can access some websites with your CAC, but some don't work (e.g. AKO, the USMC MCNOSC site or the OWA for NMCI site)

Cure 6-1:  Click Tools, Internet Options, Advanced (tab).  Scroll to the bottom.  Make sure SSL 3.0 & TLS 1.0 are both checked, and SSL 2.0 NOT checked.  In Windows 7 also make sure TLS 1.1 & 1.2 are unchecked.

Cure 6-2:  Follow guidance in this PDF, or watch this video

Problem 7:  Are you having problems accessing ATAAPS (Automated Time Attendance and Production System)?

Information:  Bob Ridenour at Fort Gordon has figured this out:  "If you have the Common Policy certificate installed it prevents access to ATAAPS.  More specifically, it affects all CACs if your CAC has cert #25 or later.  It doesn't affect older CACs, but of course as they expire and get replaced, the user will face this issue."

More Information:  He seems to have gotten rid of the problem locally, but has received emails from individuals outside of his organization who have the Common Policy cert installed.  When someone receives an email from one of these individuals you get a message (see screen shot below) that asks if you want to install the policy.  If you answer 'no' it's not a problem, but most users have a tendency to answer 'yes' even if they've been instructed otherwise, which starts the infection process all over again.  If the user chooses 'yes' it installs the cert, then when they send an email the recipient gets the common policy popup, etc. etc.

...

Cure 7-1:  Open Internet Explorer, Click: Tools, Internet Options, Content (tab), Certificates (button), Intermediate Certification Authorities (tab), look down the Issued To column for:  Common Policy, select it and then click the Remove (button).  You will have to confirm that you do want to delete the certificate, select Yes

This image is what people clicked on and installed the Common Policy.  Select NO when you see it next time.

LOTUS FORMS

back to top

The ideas on this website are from my personal experience.  I have been told by Army Publishing Directorate (APD) to send users to their help desk so they become aware of the problems with this program.  703-692-1306 / DSN:  312-222-1306, Webform, or apdfcmp@conus.army.mil 

If you are having problems accessing the CHESS website, contact the CHESS help desk at: peoeis.pdchess.helpdesk@us.army.mil or 888-232-4405 / 703-806-1019 / DSN: 312-656-1019 (Monday - Friday 0800-1700 EST).

Problem 1:  Receive "Error loading  C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll" when attempting to install Lotus Forms.

Cure 1-1:  Uninstall PureEdge Viewer (via Control Panel), Restart computer, then attempt Lotus Forms install again

Problem 2:  Word Sign is gray after installing Lotus Notes

Cure 2-1:  If you upgraded from Pure Edge Viewer and did not uninstall ApproveIt, Uninstall ApproveIt, restart computer, then install ApproveIt again.  ApproveIt HAS to be installed AFTER all programs that you want to be able to digitally sign.  These programs include: Office products, PureEdge, Lotus Forms, & Adobe Reader.

Cure 2-2:  32 bit systems:  Copy and paste libeay32.dll from C:\Program Files\ApproveIt to the following folders: 

C:\Program Files\IBM\Lotus Forms\Viewer\3.5\extensions 

and to: 

C:\Program Files\IBM\Lotus Forms\Viewer\3.5\API\76\System  

Cure 2-2a: 64 bit systems:  Copy and paste libeay32.dll from C:\Program Files(x86)\ApproveIt to the following folders: 

C:\Program Files(x86)\IBM\Lotus Forms\Viewer\3.5\extensions 

and to: 

C:\Program Files(x86)\IBM\Lotus Forms\Viewer\3.5\API\76\System  

Problem 3:  "One or more signatures could not be verified" when opening up Lotus Forms

Cure 3-1:  Latest DoD Certificates are needed

Cure 3-2:  Verify you have ApproveIt installed

Cure 3-3:  Restart your computer (if you have just installed ApproveIt)

Cure 3-4:  32 bit systems:  Copy and paste libeay32.dll from C:\Program Files\ApproveIt to the following folders: 

C:\Program Files\IBM\Lotus Forms\Viewer\3.5\extensions 

and to: 

C:\Program Files\IBM\Lotus Forms\Viewer\3.5\API\76\System  

Cure 3-4a: 64 bit systems:  Copy and paste libeay32.dll from C:\Program Files(x86)\ApproveIt to the following folders: 

C:\Program Files(x86)\IBM\Lotus Forms\Viewer\3.5\extensions 

and to: 

C:\Program Files(x86)\IBM\Lotus Forms\Viewer\3.5\API\76\System  

Problem 4:  Receive error message:   "Viewer : Printer Driver's EndPage() Failed at PRINT ERROR(.\src\FormViewer\PrintEngine\CPrintEngine.cpp:1960 Fri Jan 29 15:27:50 2010):2780:8)"

Information:  You are unable to print Lotus forms on HP printers when using the 64 bit version of Vista & Windows 7.  This is a known problem that exists between IBM and HP, therefore it is "way above our heads" to get fixed.

Cure 4-1:  I have figured out a cure for you... Download a program like DoPDF.  DoPDF is a virtual printer so, you will print your form to a PDF, then print the PDF to your HP printer.

Cure 4-2:  Open Lotus forms, Select: File, Preference, Print Options, Uncheck "Print each page as a separate print job"

The below error and cure was copied from the IBM Support Portal

Problem 5:  Why do the following errors occur when you open the Lotus® Forms Viewer?

20080109T154705.078-0600 3972 MEVRegisterErrorEx: \Anthill_Build\Branch-API-Cannae-20050228\Api\src\masqutil\masqutil.c 10427 2079 118 22

20080109T154705.078-0600 3972 Viewer ReportAppMsg Title:"(null)" Msg:" at MUCreateDir(\Anthill_Build\Branch-API-Cannae-20050228\Api\src\masqutil\masqutil.c:10427 Tue Apr 19 21:59:46 2005):3972:32 -> 22" TitleCode:7020 MsgCode:0

20080109T154706.515-0600 3972 MEVRegisterErrorEx: \Anthill_Build\Branch-API-Cannae-20050228\Api\src\masqutil\masqutil.c 10508 2080 118 4294967295

20080109T154706.515-0600 3972 Viewer ReportAppMsg Title:"(null)" Msg:" at MUCreateAllDirs(\Anthill_Build\Branch-API-Cannae-20050228\Api\src\masqutil\masqutil.c:10508 Tue Apr 19 21:59:46 2005):3972:32 -> -1" TitleCode:7020 MsgCode:0

MAC / APPLE SPECIFIC ISSUES

back to top

DTS:  Page goes white after selecting Voucher or Authorization in DTS. 

DTS Answer:  In Safari, select Safari, Uncheck Block Pop-Up Windows.  You can also go to Safari, Preferences, Security, and uncheck Block pop-up windows under the Web content section.

Lion (10.7.x) users can read more issues and cures on the Lion specific page.

Snow Leopard (10.6.x) users can read more issues and cures on the Snow Leopard specific page.

Leopard (10.5.8) users can read more issues and cures on the Leopard specific page.

Tiger (10.4.11) users can read more issues and cures on the Tiger specific page.

OUTLOOK / MICROSOFT OFFICE / OWA

back to top

Problem 1:  After installing ActivClient and ApproveIt, Outlook users are unable to send email without selecting a certificate.

Cure 1-1:  Outlook 2010:  Open Outlook, Click File, Options, Trust Center, Trust Center settings (button), E-mail Security, Uncheck the top 4 boxes

                   Outlook 2007:  Open Outlook, Click Tools, Trust Center, E-mail Security, Uncheck the top 4 boxes 

                   Outlook 2003:  Open Outlook, click Tools, Options, Security tab, Uncheck the top 4 boxes

Problem 2:  Receive ADTMSO.dll message after installing all needed software on Vista Premium.

Cure 2-1:  Purchase Vista Ultimate and upgrade your Premium (I know this seems like an expensive option, but it did work for a Soldier in New York).

Problem 3:  After installing ActivClient and opening Outlook, Receive error message:  "An extension file failed to initialize.  Can't open the file: extend.dat" 

You need to first be able to view hidden files (here's how): 

- XP:   Double click My Computer, once open, click on Tools (in the bar at the top), Folder Options, View tab, scroll down to Hidden files and folders, click the little circle next to Show hidden files and folders.

- Vista & 7:  Control Panel (classic view), select Folder Options, click the View tab, scroll down to Hidden files and folders, click the little circle next to Show hidden files and folders.

- Vista & 7: Control Panel (Control Panel Home), select Additional Options, Appearance and Personalization, Folder Options, click the View tab, scroll down to Hidden files and folders, click the little circle next to Show hidden files and folders.

Cure 3-1: Make sure Outlook is closed, rename extend.dat to extend.bak, restart Outlook

- XP users, go to:  C:\Documents and Settings\<userid>\Local Settings\Application Data\Microsoft\Outlook

- Vista & 7 users, go to: C:\users\<userid>\AppData\Local\Microsoft\Outlook

Problem 4: When using your Organization's OWA 2003 (Outlook Web Access) from home you cannot see the email in your inbox.

Cure 4-1:  Go to Options, scroll down to Email Security, click on Download to download the S/MIME control

Cure 4-2: Make sure you are not automatically downloading your email at your office to your local hard drive.  When you do this it removes the email from the server, therefore you cannot see it via OWA.

Problem 5:  Can't view Encrypted emails in Outlook Web Access / App

Cure 5-1:  You have to have already published your certs to the GAL from Outlook.

Cure 5-2 (OWA 2003):  Go to Options, scroll down to Email Security, click on Download to download the S/MIME control.  You also need to have ActivClient installed on your computer.  Unless you are using the Windows 7 Smart Card service with your PIV II CAC, then you won't need ActivClient.

Cure 5-3 (OWA 2010): Click Options, See All options..., Settings, S/MIME, click on Install the S/MIME control

Problem 6:  How do I access my encrypted email from my old CAC once I receive a new one?

Cure 6-1:  Visit:  https://ara-1.c3pki.chamb.disa.mil/ara/Key  or  https://ara-2.c3pki.den.disa.mil/ara/Key  You will need to logon to the server with your current CAC (this authenticates you as you).   Follow along with this PDF explaining how to complete this process.

Problem 7: ActivClient is prompting for a smart card (5 times) when opening Windows Mail

Cure 7-1:  Open ActivClient, go to Tools, Advanced, Configuration and change "Remove certificates from Windows on Smart Card removal" from "No" to "Yes."

Cure 7-2: This can also happen when trying to use the Native Windows 7 smart card program.  Using ActivClient will not cause this problem (other than Cure 7 immediately above).

Problem 8:  Now that I have received a new CAC, how do I encrypt emails again in Outlook?  (Government computers only)

Cure 8-1:  You need to publish your new CAC certificates to the Global Address List (GAL), here's how:

                     Outlook 2007:  Tools, Trust Center..., E-mail Security, Click on Publish to GAL...(button)

                     Outlook 2003:  Tools, Options, Security (tab), Publish to GAL... (button)

                     Outlook 2010:  File (tab), Options, Trust Center, Trust Center Settings...(button), E-mail Security, Click on Publish to GAL...(button)

Problem 9:  Receive error message "You do not have a valid certificate to encrypt to the following recipients...."

Cause: It is necessary to have a copy of the recipient’s public key to encrypt email messages.

Cure / Solution 9-1: 1) Have recipient send you a digitally signed email. Right click on their name in the from line and add them to your contacts. Click Save - Close. To send an encrypted email click on New - Mail Message. Create your message. Click To, and in the Select Names window drop-down list, click Contacts. Select the recipient’s email address from Contacts. On the message toolbar, Click Options - Security Settings, and select Encrypt message contents and attachments check box. Click OK - Close. Click Send.

2) Look up the recipient at https://dod411.gds.disa.mil and download their public key to your computer. Create a contact in your contacts list for them and add the certificate to it. Follow the steps above to send encrypted email.

Problem 10:  Is there a way to adjust the size of the digital signature when signing in Word 2003 or 2007 using your CAC?   We are able to digitally sign, but the signature is so large it won't fit within the borders of a standard size memo.

Cure 10-1:  Yes, look at this Word document

Problem 11:  Receiving the following error message when trying to use OWA on Windows 7 (64bit) & (32bit):  "A digital ID that allows you to sign this message is missing."

Cure 11-1:  Add your OWA link to your Trusted Sites (this is needed for ALL Internet Explorer 9 users)

Here's How:  Open Internet Explorer, Go to Tools, Internet Options, Security (tab), Trusted Sites (green checkmark), Sites (button), Type your entire OWA web address into the Add this website to the zone (box)  Example:  https://owa.usar.army.mil  Other OWA site links can be found on the OWA page.

Cure 11-2:  Install the S/MIME from the options section in your OWA client (see #5 above).  If you have problems installing the S/MIME check to make sure that "Do not save encrypted pages to disk" is unchecked under Tools, Advanced (tab). 

Problem 12:  You want to be able to Digitally Sign or Encrypt emails from Outlook when using AKO via IMAP, but you can't find where to add the buttons.

Cure 12-1:  When composing a new email, click on the Options tab and you will see Encrypt and Sign

Problem 13:  Users are having long load times when receiving digitally signed or encrypted emails.

Cure 13-1:  Follow guidance in this guide and this PDF

Problem 14:  Receive message: "This message can't be decrypted.  If you have a smart card-based digital ID, insert the card and try to open the message again" when using Outlook Web Access (OWA)

Cure 14-1:  Make sure the email address that is listed on your CAC is also in your Exchange profile.  NOTE:  This is why Army users have AKO email address on our CACs, and that our AKO email address is also listed as an alias in our Exchange profile. 

Problem 15:  ApproveIt tab does not show up in Microsoft Word 2007 or Excel 2007.  

Cure for Word:  Look at this PDF

Cure for Excel:  Look at this PDF

Problem 15a:  ApproveIt tab does not show up in Microsoft Word 2010 or Excel 2010. 

Cure:  Uninstall ApproveIt and Office 2010, restart computer.  Install Office 2007, Install ApproveIt and test digital signature (you may need to follow instructions above in Problem 15).  Once it works, upgrade Office 2007 to 2010, the ApproveIt tab will remain and be "should be" usable.

Cure 2:  Wait for the Army to replace ApproveIt with e-Sign.  Read the 21 September 2011 press release.

Problem 16:  Receive "HTTP/1.1 503 Service Unavailable" when attempting to access your email via OWA.

Information:  This is caused when the Exchange server is down, or having problems.

Cure 16-1:  Try accessing your email at a later time

Problem 17:  Receive:  "Cannot connect to Internet Directory Service (LDAP) server: directory.us.army.mil.  Check your network connection or modify your Address Book settings."  Followed by "The search cannot be completed.  MAPI_E_CALL_FAILED" after setting up the AKO LDAP address book.

Cure 17-1:  Latest DoD Certificates are needed

Cure 17-2:  If you have changed your AKO password recently, you need to change it in your LDAP connector as well.

Problem 18:  You are on one of the many RW#.army.mil  OWA email servers and are having problems connecting to your email.

Cure 18-1:  Follow the guidance in this PDF to make sure your web browser is configured correctly.

Cure 18-2:  Call the help desk at:  1.800.305.3036

Cure 18-3:  You may have been migrated to Enterprise Email, follow links on the OWA specific page.

Problem 19:  Air Force Users Only:  Everything appears to be setup correctly, but Outlook Web Access (OWA) STILL prompts that the digital ID is missing when attempting to send signed/encrypted.  Also, the user cannot read signed / encrypted messages. 

Cure 19-1:  According to Air Force Public Key Infrastructure (AF PKI), the email address found on the certificate must be also listed as a proxy SMTP address for the end user.  With the advent of Email for Life (E4L), the e-mail address listed on the certificate is the E4L address.  This e-mail address may not necessarily be listed on the user account.

(Background:  With E4L, many Air Force users have a lifetime email address, @us.af.mil, and a regular e-mail address, @base.af.mil)  This @us.af.mil exists at another location, and then forwards to the appropriate @base.af.mil address.  This works decently well.  However, in the case of signing messages with OWA S/MIME, that E4L address needs to be listed on the user's base account, or they won't be able to sign / encrypt email in their client.

According to AFPKI: 

"Important Note: Suppression of Name Checking does not work with OWA S/MIME.  In order for a user to send signed e-mail or receive encrypted e-mail, the e-mail address on their e-mail certificates must match either their primary network Simple Mail Transfer Protocol (SMTP) e-mail address or one of the proxy SMTP addresses for their e-mail account.  Use of the proxy address is controlled through the OWA S/MIME Security Setting “CertMatchingDoNotUseProxies”, which by default allows the use of proxy addresses.  The AF PKI SPO recommends the default for all of the OWA S/MIME Security Settings.  Detailed descriptions of the available security settings can be found in Microsoft’s Exchange Server 2003 Message Security Guide available at: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exmessec.mspx

In order to correct a case of e-mail mismatch, the Exchange administrator can add the e-mail address in the user's certificate to the list of user e-mail addresses, or a user can obtain new e-mail certificates either by returning to a DEERS / RAPIDS ID card issuance facility or accessing a User Maintenance Portal / Post-Issuance Portal (UMP/PIP) via their workstation.

UMP/PIP website:  https://www.dmdc.osd.mil/appj/ump/umphome.do, select Replace Certificate to avoid going to a RAPIDS Site. 

NOTE: You'll have to logon to the UMP/PIP site with your CAC.  Visual steps 

NOTE2:  In my tests with Windows 7, it did NOT work with the Windows 7 built in Smart Card utility or with ActivClient installed.  So, you will need to find a Windows Vista or XP computer with ActivClient installed.

Source:  https://afpki.lackland.af.mil/html/kbdetail.cfm?id=343 (CAC enabled from .mil domain)

NOTE:  An Air Force Major sent this to me:  "When I tried to access the CAC User Maintenance Portal on a Windows 7 computer, the Java failed; however, when I tried the same thing on my Windows 7 computer at work (.mil domain), Java still failed but I got a popup dialog that told me I had to use the 64-bit version of IE and Java.  When I started a browser session with the 64-bit IE, I was able to get to the User Maintenance Portal just fine."

Problem 20:  My email address is incorrect on my CAC, How can I fix it?

Cure 20-1:  Visit this website:  https://www.dmdc.osd.mil/appj/ump/umphome.do, select Replace Certificate to avoid going to a RAPIDS Site. 

NOTE: You have to logon to the site with your CAC.  Visual steps 

NOTE2:  In my tests with Windows 7, it did NOT work with the Windows 7 built in Smart Card utility or with ActivClient installed.  So, you will need to find a Windows Vista or XP computer with ActivClient installed.

An Air Force Major sent this to me:  "When I tried to access the CAC User Maintenance Portal on a Windows 7 computer, the Java failed; however, when I tried the same thing on my Windows 7 computer at work (.mil domain), Java still failed but I got a popup dialog that told me I had to use the 64-bit version of IE and Java.  When I started a browser session with the 64-bit IE, I was able to get to the User Maintenance Portal just fine."

Cure 20-2:  You can also visit an ID card office

Problem 21:  Problems with mail.mil when using 64 bit AGM and 32 bit office 2007

Cure 21-1:  Follow guidance in this PDF.

Problem 22:  Receive following error message when attempting to access https://web.mail.mil

Cure 22-1:  Your Enterprise Email account is not yet created.  Check back with your organization to find out the approximate date it will be created.  It can take up to a month.  There is a reason why they call it "Fail.mil."  (This is a JOKE)  :)

Problem 23:  How do I contact the Army Enterprise Email Help desk for assistance with my Mail.mil account?

Cure 23-1:  You can call: 800-447-2457, 614-692-3136, DSN: 312-850-3136  or Email:  NCES@csd.disa.mil

Problem 24: OWA 2010 users, are you not liking the conversation view?

Cure 24-1:  Visit either of these 2 links to see how to change it:  http://kb.iu.edu/data/azwv.html, alternate link:  http://oit2.utk.edu/helpdesk/kb/entry/1669/

PURE EDGE VIEWER (replaced by LOTUS FORMS)

back to top

The ideas on this website are from my personal experience.  I have been told by Army Publishing Directorate (APD) to send users to their help desk so they become aware of the problems with this program.  703-692-1306 / DSN:  312-222-1306, Webform, or apdfcmp@conus.army.mil 

If you are having problems accessing the CHESS website, contact the CHESS help desk at: peoeis.pdchess.helpdesk@us.army.mil or 888-232-4405 / 703-806-1019 / DSN: 312-656-1019 (Monday - Friday 0800-1700 EST).

Problem 1:  The word Sign is "GRAYED OUT" when attempting to digitally sign a Pure Edge form.

Cure 1-1:  See answers in THE WORD SIGN IS GRAY section below.

Problem 2:  "One or more signatures could not be verified" when opening Pure Edge

Cure 2-1:  Verify you have ApproveIt installed.

Cure 2-2:  Restart your computer (if you have just installed ApproveIt)

Cure 2-3:  Copy and paste libeay32.dll from C:\Program Files\ApproveIt to the following folders: 

C:\Program Files\PureEdge\Viewer6.5\extensions 

and to: 

C:\Program Files\PureEdge\Viewer6.5\API\65\System   PDF with complete instructions

Cure 2-4:  Latest DoD Certificates are needed

Cure 2-5:  Uninstall ApproveIt 5.8.2, 5.9, or 6.1,  restart computer, Install ApproveIt 5.7.3.  Follow instructions below. 

Problem 3:  Digital Signature not loading

Cure 3-1:  Visit here

Cure 3-2:  Uninstall ApproveIt 5.8.2, 5.9, or 6.1,  restart computer, Install ApproveIt 5.7.3.  Follow instructions below. 

PLEASE NOTE:  ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.

Problem 4:  Receiving internal error when opening Pure Edge.  Details show "Null pointer dereferenced (in function RegistryIterator::updateCurrent()@.\src\RegistryProfile.cpp:line531)  Stack trace (unavailable)

Cure 4-1:  Run this batch file to fix your computer.  If IE blocked the file, download this text file and remove the .txt at the end, then run.

Cure 4-2:  The following steps need to be completed while the affected user is logged in.  Since they are merely modifying the keys corresponding with their user hive, elevated privileges are not necessary.

1. Go to Start, Run, type in:  Regedit

2. Find [HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ApproveIt MS Office] and delete the key.

3. Find [HKEY_CURRENT_USER\Software\classes\ApproveItDesignerAddIn] and delete the key.

4. Find [HKEY_CURRENT_USER\Software\classes\CLSID\{97A21885-E335-4164-AD1C-8A3BF0F003E9}] and delete the key.

5. Find [HKEY_CURRENT_USER\Software\classes\CLSID\{08E623D3-BEAD-4bd3-8401-EFF51FD754CE}] and delete the key.

6. Click Start - Programs - ApproveIT Desktop - ApproveIT Configuration.

7. On the default Signature Method tab ensure the option "Sign using a certificate or smart card" is checked.

8. Click OK and test.

Cure 4-3:  Copy and paste libeay32.dll from C:\Program Files\ApproveIt to the following folders:  C:\Program Files\PureEdge\Viewer6.5\extensions  and to:  C:\Program Files\PureEdge\Viewer6.5\API\65\System   PDF with complete instructions

Cure 4-4:  Go to Start, Run

Type "regedit" (without the quotations)

Navigate to "HKEY_CURRENT_USER\Software\Silanis and delete it

Navigate to "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ApproveIt MS Office" and delete it

Go to Start, All Programs, Startup, ApproveIt StartUp and click the ApproveIt Start up entry to start ApproveIt

Problem 5:  "Pure Edge Viewer has encountered a problem and needs to close.  We are sorry for the inconvenience."

Cure 5-1:  Copy "libeay32.dll" from the following location:  "C:\Program Files\ApproveIt"

Paste the files into both of the following locations:  "C:\Program Files\PureEdge\Viewer 6.5\API\65\System" and "C:\Program Files\PureEdge\Viewer 6.5\extensions" 

Reason:  These files can get written over by some Microsoft Updates.  Pure Edge cannot use the newer files that were installed by Microsoft.

Problem 6: Receive the following error "Form API initialization Failed"

Cure 6-1:  Reinstall Pure Edge

Cure 6-2: 

1.  Insure you close all errors that appear when launching a PureEdge form

2.  Go to:  C:\windows\system32 and double click 'fixmapi.exe'

NOTE:  This file will not show anything, give it approximately 5-10 seconds to insure it completed

3. Attempt to open the PureEdge form again

Problem 7:  Receive ePersona message when trying to sign a form in Pure Edge with Approve It.

Cure 7-1:  Close PureEdge (if it is open).  Go to: C:\Program Files\ApproveIt\, double-click the icon that looks like a wrench titled: "AprvCfg.exe".  On the Signature Method tab, make sure the radio button is on the bottom choice - "Sign using a certificate or smart card."  Don't change anything else.  Click Apply, then OK

After you click "Sign" in PureEdge, it may take a few minutes for the list of certificates to pop up. Be patient. Choose the certificate that doesn't say Email, and put a check in the box that says "Use this certificate as default" (if this is your personal computer).

Problem 8:  Receive " MUCreateDir(\Anthill_Build\Branch-API-Cannae-20050228\Api\src\masqutil\masqutil.c:10427 Tue Apr 19 21:59:46 2005):2696:32-> 22"

Cure 8-1: Try the same Cure as Problem #5 above

Cure 8-2:  Read the Tech notes on IBM

Cure 8-3:  Read Microsoft Support information

Cure 8-4:  If you are using Vista and the errors happened after macrovision, this is the fix.

Logon as an administrator (i.e. using your SA account) instead of right clicking and choosing "run as"(do not choose).

Open PureEdge to make sure it is running fine(if macrovision hasnt been installed already).

Install macrovision if not yet installed.

If you are unsure it has been installed, go ahead and run it and it will ask you to modify, repair, or uninstall. Uninstall it and reboot, then you can install it again.

Open PureEdge to see if it has the errors.

Go into regedit follow this path;

HKCU\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData

Before you install macrovision AppData key is:

C:\Users\**USER.NAME**\AppData\Roaming

After you install it, nothing will be in its place so you can copy the above key from another key ONLY  to roaming.

After, open PureEdge and and check to see if the errors were fixed.

Cure 8-5:  Uninstall ApproveIt 5.8.2, 5.9, or 6.1,  restart computer, Install ApproveIt 5.7.3.  Follow instructions below.  

PLEASE NOTE:  ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.

Problem 9:  Pure Edge bar stalls half way across the screen when attempting to load a form

Cure 9-1:  Reinstall the DoD certificates & ApproveIt try to access your form again.

Cure 9-2:  Create a new profile and install Lotus Forms and ApproveIt from this new profile. 

Problem 10:  "Unable to complete the signature; the private key cannot be found or is inaccessible on the system.  Make sure you are using a good signing key or the right smart card."

Cure 10-1:   Look at ApproveIt Problem 4 above.

Problem 11:  Receive "Internal function call failed. at IFSObject_RegisterClass(\Anthill_Build/Branch-API-Cannae-20050228\Api\src\ifx\IFSObject.c:1997 Tue Mar 15 12:04:02 2005):2788"

Cure 11-1:  Uninstall ApproveIt 5.8.2, 5.9, or 6.1,  restart computer, Install ApproveIt 5.7.3.  Follow instructions below. 

Cure 11-2:  You can also try items listed at #9 above  or #5 in the LOTUS section

Problem 12:  If you receive an ePersona message, or "Add digital ID" with the choice of, I want to sign this document using? 

Cure 12-1:  Visit the Notes page to find out how to correct this.

Problem 13:  Unable to print forms from Pure Edge Viewer in Vista & Windows 7 64 bit systems with HP printers.  (Receive an error similar to:  Viewer : Printer Driver's EndPage() Failed at PRINT ERROR(.\src\FormViewer\PrintEngine\CPrintEngine.cpp:1960 Fri Jan 29 15:27:50 2010):2780:8) )

Cure 13-1:  Download a program like DoPDF, print your form to a PDF, then print on your printer

Cure 13-2:  Open Pure Edge, Select Preferences, Printing options, Uncheck "Print each page as a separate print job"

Problem 14:  Receive error message:  "Unable to initialize the API at C:\Progra~1\PureEdge\VIEWER1.5\API\65"

Cure 14-1:  Follow guidance to uninstall Pure Edge here.

VISTA UAC (USER ACCESS CONTROL)

back to top

Problem 1: If you do not like it, read below on how to turn it off.

Cure 1-1:  Visit How-To-Geek for easy screen shot views (I prefer this method)

Cure 1-2:  Video on Chris.Pirillo.com

Cure 1-3:  User Access Control message.  Here is a registry hack to turn User Access Control off (right click, save target as on DisableUACforAdmin.reg), then double click it.  You will not have to enter the registry with this small .reg file as it will automatically change the location in the registry for those of you who are uncomfortable working in the registry.  I use this registry hack on my Windows Vista computers and do not get the annoying message saying that I'm not safe.   If you feel you should have it after turning it off, here is another .reg file to re-enable the UAC (right click, save target as on Re-EnableUACforAdmin..), then double click it.

OTHER MISC ERROR MESSAGES

back to top

Problem 1:  The system could not log you on.  "The requested key container does not exist on the smart card."

Cure 1-1:  Have someone else log onto the same computer, double click ActivClient, Click on Tools, Advanced, Forget State for all cards.  This "other" person does NOT have to be an administrator.

Cure 1-2:  Visit Google Groups for another possible solution

Problem 2:   "Unable to sign using a certificate; there are no valid signing certificates available on the system.  Please select a different signing method and try again.  The Signature could not be created because the private key of the certificate could not be accessed." error.

Cure 2-1:  Latest DoD Certificates are needed, I have instructions where you can download them here

Cure 2-2:  Make sure you have restarted the computer after installing ApproveIt

Cure 2-3:  Make sure ActivClient is installed (unless using Windows 7 with a 144 or 5.5 CAC)

Cure 2-4:  Verify your CAC is not expired.  If so, you will need to visit an ID card office to get a new CAC.

Cure 2-5:  Follow this guide for modifying the ApproveIt install

Cure 2-6:  Uninstall ApproveIt 5.8.2, 5.9, or 6.1,  restart computer, Install ApproveIt 5.7.3.  (Only on XP and Vista systems)  Follow instructions below.  PLEASE NOTE:  ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.

Cure 2-7:  Create a new profile and install Lotus Forms and ApproveIt from the new profile. 

Problem 3:  Unable to install the DoD Certificates, or you keep getting "Unable to sign using a certificate; there are no valid signing certificates available on the system."

Cure 3-1:  Download the InstallRoot file to your computer, then Right click it and select Run as an Administrator

Cure 3-2: Create a second profile and install DoD Certificates from the new profile.

Problem 4:  "The signature could not be created because the private key of the certificate could not be accessed"

Cure 4-1:  Look at #2 above

Problem 5:  "The specified CSP doesn't contain any unexpired digital signature certificates matching your certificate filter (see Advanced Preferences)."

Cure 5-1:  Restart Computer after installing Approve It (multiple restarts might be required).

Cure 5-2:  For Pure Edge:  Open Preferences, Advanced (tab), clear all contents out of the Digital Certificate Identity Filter box, Path to Netscape profile, and uncheck the Check CRL distribution points box.

Cure 5-2a:  For Lotus Forms Viewer:  Click File, Preference, Advanced Settings, clear all contents out of the Digital Certificate Identity Filter box, and uncheck Check CRL distribution Points.

Cure 5-2b:  Replace se_cryptoapi.ifx  follow instructions below (or this PDF).

Here's How:  Make sure you are using Lotus Forms 3.5.1.123

1. Navigate to:  C:\Program Files\IBM\Lotus Forms\Viewer\3.5\API\76\System\

2. Rename se_cryptoapi.ifx to se_cryptoapi.ifxORIGINAL

3. Move this file out of the directory by cutting it, then pasting somewhere (like your desktop)

4. Copy and paste this new se_cryptoapi.ifx to:  C:\Program Files\IBM\Lotus Forms\Viewer\3.5\API\76\System\

5. Start the viewer and restest the digital signature.

Cure 5-3: Uninstall ApproveIt 5.8.2, 5.9, or 6.1,  restart computer, Install ApproveIt 5.7.3.  Follow instructions below.  PLEASE NOTE:  ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms.

Cure 5-4:  Follow the instructions located here to clear old Certificates out of the browser.

Cure 5-5: Create a new profile on your computer and install ApproveIt from the new profile.  Make sure you uninstall it first from your current profile, restart computer before reinstalling.

Problem 6:  Receive a "MASQFORM.exe" error when using PureEdge

Cure 6-1:  Copy and paste libeay32.dll from C:\Program Files\ApproveIt to the following folders: 

C:\Program Files\PureEdge\Viewer6.5\extensions  and to: 

C:\Program Files\PureEdge\Viewer6.5\API\65\System   PDF with full instructions

Problem 7:  Receive "Unable to install Microsoft visual C++ 2005 Redistributable Package.  Contact your IT support" error when installing ActivClient 6.1

Cure 7-1:  Re-Extract the files and run again

Cure 7-2:  You may have to re-download, then re-extract that file

Cure 7-3:  Create a new profile on your computer and install ActivClient from the new profile.

Problem 8:  Receive the following error "An installation support file could not be installed.  The system cannot find the file specified."  when trying to install ApproveIt with Pure Edge Viewer.

Cure 8-1:  After performing the uninstall / reinstall steps and you still get the error message.  Try the following:

Go to Start, Run (Start Search) and enter 'regedit' and delete the following key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

{E00000650-0650-0650-0650-000000000650}

This will remove the entry for the 6.5 Viewer in the Add/Remove programs list.

Following this, they should run the installer with Administrative privileges. 

Problem 9:  Receive the following error "Please enter the master password for the ActivIdentity ActivClient 0."  when using Firefox.

Cure 9-1:  Enter your CAC [6-8 digit] PIN

Cure 9-2: You are getting this error because you are trying to use Firefox and your CAC.

You have 2 options, first is to switch over to Internet Explorer for any websites you need to use your CAC.  Second option is to visit the Firefox support page and attempt to get your Firefox working using the instructions.

NOTE:  Firefox will only work with ActivClient (or OpenSC) installed.  Therefore if you are using the Windows 7 built in Smart Card utility, it won't work.
 
 

Problem 10: Certificate box comes up empty when trying to access a secure webpage.

Cure 10-1: Latest DoD Certificates are needed, instructions are here

Problem 11:  Receive error message:  "Local policy does not allow you to log on interactively." 

Cure 11-1:  Latest DoD Certificates are needed, instructions are here   

Problem 12:  Government owned Vista computer will not read CAC after computer is locked.

Information:  Sometimes when a user locks their Vista computer, they are unable to unlock because their CAC will not read.  The research points toward buffer overflow errors and memory write errors due to registry key permissions.  Two workarounds have been found:

Cure 12-1:  Disable Windows Aero theme, instructions can be read on HowToGeek or LanceLHoff

Cure 12-2:  Unplug and re-plug in the CAC reader or keyboard w/CAC reader (this is the equivalent of rebooting the reader, but only works for external CAC readers)

Problem 13:  Problem accessing some CAC enabled websites

Cure 13-1:  Run this .bat file to clear out old certificates from your computer.  If your computer blocks the download, please download this file and remove the .txt from the end of the file name.

CURRENT PROBLEMS WITH NO KNOWN RESOLUTION

Please continue to check back later to see if a cure has been found

If you've found a cure for this, please contact me

Problem:  Unable to complete operation; an ApproveIt component (ApproveItFrameworkResource.dll) is missing or corrupt.  Please repair your ApproveIt Installation and try again.

OTHER QUESTIONS

back to top

Question 1:  How can I set up my personal Windows computer to be able to login with my CAC (like my government computer)?

Answer 1-1:  You can try this information if you are using Vista or Windows 7.  (I have not tried this).  Please let me know how this works for you.  I only have 1 CAC, and need to access multiple computers at the same time.  So, I can't afford to tie it up on one computer.

Video

Answer 1-2:  From what I've been able to figure out over the years, you will need a Domain Controller running smart card authentication.  This way you can put the correct settings in your user accounts that will tell your computer through Group Policy that it has to use a CAC to be able to logon to it. 

More information:  Unless your computer is joined to the domain/forest from which the card was issued, you can't use the card for logon.  Smart card logon to a Windows system requires Kerberos authentication and in a work group environment you don't have or use Kerberos.   Your computer would have to be connected to the DoD domain for the initial logon at which time the logon credentials are cached. You would then be able to logon without a connection to the DoD network.  Your home computer is not joined to one of the DoD domains, so you'll never be able to use your CAC for login.

My personal thoughts:  It is not worth the money to have to set up your own domain controller server at your house for one computer to be able to logon to a personal laptop with a CAC.  I would not want that either because I only have 1 CAC, and I am using 2 computers at a time almost all of the time.  So, one is using my CAC (my work computer) and the other is a normal logon and password.

Notes from a person who has tried this:  "The solution listed above worked great.  Just remember after restart when you set it up, the first password you put in is the User Account Password, then when clicking finish to test, I had to select the second certificate on the popup. All went well!"

Question 2:  Can I set up my personal Mac computer to be able to login with my CAC?

Answer 2-1:  Follow this guidance from the Advanced Technologies team

Answer 2-2:  Follow this guide

Question 3:  Are Individual Ready Reserve (IRR) Soldiers eligible for a Common Access Card (CAC)?

Answer 3-1:  IRR Soldiers are issued the Armed Forces of the United States Geneva Conventions Identification Card (Reserve) (Green).  If on active duty orders for 31 days or longer the IRR Soldier can get a CAC.

Members being released from active duty with a Military Service Obligation (MSO) are part of the IRR and will be issued the green Reserve ID cards.

Question 4:  Are retirees and family members eligible for a Common Access Card (CAC)?

Information:  The CIO/G6 recognizes the need to provide stronger authentication for retirees and is working a pilot program to provide Smart Cards with DoD PKI certificates to Army retirees and spouses.  The cards will be used as an alternative to username password login to Army websites.  The pilot is limited to 2,500 users and will evaluate user experience and the overall acceptance of using the card as a replacement for username password login. Other alternatives such as One Time Passwords are also being considered.  Sites such as MyPay will be allowed to continue to use username and password until a stronger authentication solution is fielded.  However, CAC ability is available now.

Friends, Family Members, Retirees (FFRs) and Wounded Warriors will be provided a separate portal that will offer services currently available to them on AKO.  FFRs and Wounded Warriors will continue to access AKO via
username and password until the new portal is available. 

UPDATE:  This program is not taking any new people after 31 January 2012

Question 5:  My PBUSE worked the other day, now it does not work anymore.

Information: Changes were made to the PBUSE Enterprise configuration to increase SSL encryption security, per DoD requirements.  These changes are needed to support the System Accreditation.

Answer 5-1:   Users accessing PBUSE using a Tier I built system are not impacted.   For users using a non-issued PBUSE work station configuration, you must change the web browser settings in order to access PBUSE.  Click on this link to read the instructions on how to change your computer's Security Settings.  These actually mirror the same settings shown at the AKO Solutions page #4

Question 6:  I have retired and do not have a CAC anymore.  How do I access my military records, since iPerms is 100% CAC authentication?

Answer 6-1:  Your records are archived; therefore, veterans and authorized family members must request a copy of their records by submitting a prepared Standard Form 180 to the appropriate address listed on the back of the form or by going to the following website to submit the request electronically:

http://www.archives.gov/veterans/evetrecs/

If you are not "computer-savvy," or want to discuss this with someone at the facility, the number to call is 1-866-272-6272.

Answer 6-2:  Visit the National Personnel Records Center, Saint Louis website

.

Question 7:  TLS 1.0 will not stay checked, and / or SSL 2.0 keeps checking itself in Internet Explorer

.

Answer 7-1:  Open Internet Explorer, Select Tools, Internet Options, Advanced (tab), click the Reset...(button)  under Reset Internet Explorer settings

 .

Answer 7-2:  Create a new profile on your computer

.

Answer 7-3:  McAffee Antivirus can also cause this problem.  If this is a home computer, try uninstalling McAfee, restart computer, then see if you still have the same problem.  You still need protection, so, look here for other Antivirus programs.

.

Question 8:  You are not able to access your old CAC encrypted files after receiving your new CAC.

.

Answer 8-1:  Start following the instructions on page 15 of this PDF.

THE WORD SIGN IS GRAY

back to top

The ideas on this website are from my personal experience.  I have been told by Army Publishing Directorate (APD) to send users to their help desk so they become aware of the problems with this program.  703-692-1306 / DSN:  312-222-1306, Webform, or apdfcmp@conus.army.mil 

If you are having problems accessing the CHESS website, contact the CHESS help desk at: peoeis.pdchess.helpdesk@us.army.mil or 888-232-4405 / 703-806-1019 / DSN: 312-656-1019 (Monday - Friday 0800-1700 EST).

Problem 1:  Unable to sign forms because the Sign box stays gray (even after downloading the latest DoD Certificates following the instructions on the DoD Certs page). 

Cure 1-1:  Verify that you do have ActivClient & ApproveIt installed AND the computer has been restarted.

Cure 1-2:  Verify that you installed ApproveIt AFTER Lotus Forms or PureEdge, if not, uninstall ApproveIt, restart computer, install again, then restart one more time.

Cure 1-3:  Try signing this form.  If you can, then your software is installed correctly.  This is common when using MyForms and the form was routed to you as a copy instead of as an original.  When this happens, you cannot sign the form.  You HAVE to have the form routed to you as an original, if not you will not be able to sign it.  You can verify if this is the problem by clicking on this sample form and attempt to sign any of the 3 possible places at the bottom of this form.  If your digital signature works there, you know what to do now.

Cure 1-4: If you have recently updated to Lotus Forms, please look above

Cure 1-5:  The DA 4651 [is one form] that IF signed out of order will make the word Sign gray for all signatures above the one already signed.

Cure 1-6:  Follow these instructions provided by the US Army Publishing Directorate

Cure 1-7: Follow Lotus Forms #2 above

Cure 1-8:  If you are using ApproveIt 6.1, try restarting your computer first and retesting before trying Cure 1-9

Cure 1-9:  Uninstall Approve It 5.8.2, 5.9, or 6.1, Install ApproveIt 5.7.3   (Using Instructions below).  PLEASE NOTE:  ApproveIt 6.1 & 6.5 are the only versions that will work with Lotus Forms, so this option is not available when using Lotus Forms.

Cure 1-10:  Go to Start->Run->type in Regedit (Anytime you make changes to the Registry it is a highly recommended you back it up first)

Navigate to:

"HKEY_CURRENT_USER\Software\Silanis\ApproveIt\Signing\RealTime"

  - Expand / open 'RealTime' you will see (or should see) several entries  for signing devices, you will need to select/highlight each entry, then in the window pane on the right, double click to open the entry  'EnableDevice'

 - When this opens, you will need to change the Value to 0

 - Change the Value to 0 for all the entries excluding 'NameFilters,'  which is not a device descriptor

 Once you have changed the Value to 0 for all the device types, close  the registry, restart your computer, then try to sign a form.

Download ApproveIt 5.7.3 from  https://www.us.army.mil/suite/folder/14339407  you will be auto approved once you authenticate with your AKO account.  Download the file titled:  ApproveIt 5.7.3.zip It is Very important to follow Instructions below  (NOTE:  If you are using Lotus Forms, only ApproveIt 6.1 or 6.5 will work, all older versions will not).

Instructions:  Once at the Approve It 5.7.3 download link, save the file to your computer.  Uninstall Approve It 5.8.2, 5.9, 6.1, or 6.5 And delete the ApproveIt folder (located at C:\ProgramFiles\) or C:\ProgramFiles(x86) (on a 64 bit system), then restart your computer (make sure the download is complete first).  Once restarted, Right click the zip file and select EXTRACT.  After extracting, select the setup.exe (if you don't see the extensions, it will be the one that is 56KB in size) from the folder it just made.  Give it about 2-3 minutes, verify the installation by going to Add/Remove Programs (XP), or Uninstall a Program (Vista & 7).  Once you see Approve It 5.7.3 listed, restart your computer.  It should work fine now.