- SCM's SCR3310 and SCR3310v2.0 are small and ergonomic USB smart card readers, with backside mounting holes. The readers are ISO 7816 compliant, and can be used for cards in ID 1 card format. Update your SmartCardReader USB drivers for model SCR3310.SCM's SCR3310 and SCR3310v2.0 are small and ergonomic USB smart card readers, with backside mounting.
- SCR3310 v2 Card Reader (CAC-Approved) $37.00 As low as: $31.00. UTrust 2700 F Contact Smart Card Reader. SCM's SCR3310 and SCR3310v2.0 are small and ergonomic USB smart card readers, with backside mounting holes.
Steps to Installing Your CAC Reader on Your PC Overview
Card reader is not recognized. Shows up as 'STCII Smart Card Reader' C. Shows up as 'USB Smart Card Reader' (not necessarily a problem) D. Does not read your 'Gemalto TOP DL GX4 144', 'Oberthur ID One 128 v5.5 Dual' CAC. Does not read your CAC when using your Mac. NO TE: We are hearing Mac users having problems with the SCR-331 reader.
- Ensure your CAC Reader works for PC.
- Check to make sure your PC accepts the CAC reader.
- Update Your DOD Certificates.
- Verify you have the right ActivClient for your branch.
This is the easiest part of the install seeing as almost all CAC readers work for PC. I’ve gone ahead and put together a list of some of the best CAC readers available. Check these out!
[tcb-script src=”https://api.tablelabs.com/t/8iuqt65d.js” defer=””][/tcb-script]
Once you’ve received your CAC reader, the next step is to plug it in and verify your PC recognizes it. If you have selected any of the above readers, you should be good to go. Your computer may actually begin to install the appropriate drivers needed automatically. However if that doesn’t happen, follow these steps to get started:
For Windows 10 Users:
- Right Click the Windows Logo found in the lower left-hand corner of your screen.
- Click System, then Device Manager
- Scroll down to where it says Smart Card Readers and click on the little triangle next to it to get started.
For Windows 7/8 Users:
- Right Click My Computer and select Properties
- Next select Device Manager and scroll down to Smart Card Readers
- Select the little triangle next to it in order to get started.
After your drivers have been installed, it’s time to move on to the next step.
To access DOD websites from home, you first need to have DOD permissions certificates on your home computer. These are simple enough to acquire though.
Using InstallRoot will make this issue monumentally easy through their simple to follow wizard. You can download InstallRoot for Windows from the following link:
This is the latest version of InstallRoot. Be sure to update your version if having issues.
Once you have downloaded the program, simply run it. It will take you step-by-step on how to update your DOD certificates. After the installation, you can also verify that your DOD certs have been uploaded successfully.
This can be done by heading to your certificate management settings on your default Internet browser and checking to see if the certificates are listed.
After you’ve verified your DOD certificates, you next need to update your ActivClient–more specifically for your appropriate Branch of Service (if applicable).
ActivClient is a program that allows your computer to communicate with the chip on your CAC and relay that information between government websites. Making sure you have this installed is very important.
SO, you need to make sure that your ActivClient is up-to-date. Find your specific branch’s through the links below.
- Army- In order for these links to work, you’ll need to copy and paste the entire link. Clicking directly on these will transport you to the homepage of AKO instead of to the download link. For Windows 32-Bit, use this link (32-Bit AKO LINK). For Windows 64-Bit, use this link (64-Bit AKO LINK).
- Navy- Unfortunately, you need to get the client through your command’s IT personnel.
- Air Force- The Air Force has not made it easy to acquire this software. However it is available for purchase at an ActivClient vendor such as here.
- Marines- You’ll need to purchase ActivClient from an outside vendor. Check out this one!
- Coast Guard- Purchase ActivClient from third-party vendor.
- DOD Civilians- Acquire through vendor.
You Should Now Have CAC Access at Home!
But if not… There’s usually one particular reason. Your CAC card itself needs updating. Older versions of the card, do not meet the minimum requirements to access. To fix this, just head into your local PSD, and request a new CAC that does have access.
There are times your smartcard either refuses to work or lets you into one function but not another (e.g., you can unlock the screensaver but nothing else). This page is an effort to help you isolate the cause of the problem.
The card reader and badge dance
Most of you are probably already familiar with this dance, where you should try:
- Reinserting the badge (sometimes a strong insertion is needed)
- Trying the card reader in another USB port on the computer
- Cleaning the badge chip with a pencil eraser (yes, really!)
By the way, it is a good idea to get to know the normal pattern of your card reader when it is functioning: Does it flash quickly when readingthe card and then go constant? Turn off? Knowing that will help whenabnormal behavior is observed.
Logging in to the computer
FileVault screen/ Login screen
When you first boot a FileVault-encrypted Mac, it is a very low-level process that has not loaded the libraries for handling smart cards (or nearly anything else). So the first screen (with large circle icons for 'ASD Admin' and your own account requires your local accountpassword.
If you keep your local password in sync with your NDC password, then you should try that. But we have seen them get out-of-sync, so if your currentpassword is number 'N,', please try your previous ones: 'N-1', 'N-2', etc.
Once you are successful, the internal drive will be unlocked and a standardboot sequence will proceed. After accepting the NASA security banner, this is where you should be prompted for your PIN.
Screensaver
If the Mac refuses to prompt you for your PIN (still says Enter password) and you have reason to believe your badge and reader are fine,then click 'Switch User' at the bottom of the screen. Final fantasy 7 eboot. This is often sufficient to get the smart card PIV PIN prompt.
Enterprise Connect headaches
Please seethis separate document for advice on how to clear upincessant 'ecAgent' dialog boxes or other problems with Apple's Enterprise Connect.
Checking your certificates
Smartcard validation failure
There are two pieces elements of your Mac's setup which may be remnantsfrom previously-recommended or -required configurations, but they can nowinterfere with the proper functioning of your smartcard. In addition, you may need to reinstall the NASA Trust Anchor Management (NTAM) set of security certificates (which show up in System Preferences → Profiles),if your NTAM settings are out-of-date, missing, or incomplete.
- Check whether your machine is still bound to Active Directory. You can do this from the command line with
dsconfigad -show, which will show about 25 lines of output if you are bound to AD and nothing at all if you aren't.
The other way is to look at System Preferences → Users&Groups, click on 'Login Options' in the lower left, and see whether it shows 'NDC' with a green light (bound to NASA Domain Controller (NDC)) or show a greyed-out 'Network account server: Join' (not bound).
Please inform the ASD system team if you are still bound. - Please look in the Utilities folder (under /Applications) for the 'ActivID ActivClient Uninstaller.' If it is there, and your OS is macOS 10.14 Mojave or higher, please run that uninstaller (if you are an admin on your Mac) or run the same uninstaller from Self Service.app (if you are not an admin).
- To reinstall the latest NTAM, please click this Jamf policy to reinstall NTAM link. (This URL should offer to open Self Service.app for you.)
Smartcard certificate not trusted
The certificates on your badge not only have an expiration date, they have an issue or start date. If your computer's battery runs all the way down,the OS will reset the clock to some definition of 'the beginning of time'. Recently, we have seen that as January 1, 2019. If your badge's start date is after that, then your badge is not yet valid!
Solution
The fix for this is to reset the clock, of course, but how do you do this when you cannot even log into the system? Recovery Mode. This technique should work, even if you are not an administrator.- Reboot your computer, holding down (⌘-R) immediately upon the reboot sequence starting. You can let go of ⌘-R when the progress bar appears.
- When the main menu comes up (the boot sequence is slow!), choose Terminal from the Utilities menu.
- Type date (and hit Return, like with all UNIX commands). You should see the current date. If is is January 2019, we need to fix it.
- The format of the date command is rather odd: MMDDhhmmYYYY, i.e., month-day-hour-minute-year. Thus, would reset the clock to March 24, 2020 at 5:17am.
- Run date again (no numbers, just the plain command) to make sure things look OK.
- Quit from Terminal.
- Reboot the computer.
- Famous last words, that should fix the timing problems with your badge.
Not sure if your badge or card reader are any good
These tests can be done on your Mac if you are able to log in and from another Mac if you have one available. (Even a personal Mac is OK, as this does not need special software in most cases.)
Testing your card reader
You can test your card reader with pcsctest (provided by Apple in /usr/bin and also on many Linux systems). Run that command and answer '01' when it asks about the first card reader it finds. It will ask you twice, and enter '01' both times.You want to see Command successful multiple times. (Control-C will get you out of this if it's stuck.)
You will want your badge inserted in the card reader for this pcsctest command.
Software For Scr3310 Cac Card Reader Software
Testing your badge
You can also try reading the card from the command line, using Apple's command-line version of System Profiler (called System Information in recent versions of the OS).
In a Terminal window, type: (which will work if /usr/sbin is in your $PATH. You want to look forprinted out certificates with valid dates. If you see only 10-15 lines of total output, you have a problem with your card!
Or
You can see the certificates on your card with an application called 'TokenShow'.To install it, go to Self Service.app and search (upper left) for 'tokenshow' andinstall it. It will show you the current and expired certificates.
Or
The certificates are encoded in something called PEM format. You can download an ASD-developed (python 2.7) script cert_read.py [control-click and 'Save Link As'] which makes it far easier to understand the output from the above system_profilercommand. Download the command and either make it executable (chmod 755 cert_read.py) or run it with/usr/bin/python cert_read.py.
Other tests you can do
Outlook Web Access
Are you able to log in to the web version of Outlook?Try it here: https://outlook.office365.com. Give your username as<Your_AUID>@ndc.nasa.gov (not your email address).
Testing command-line PIV functionality
Use our PIV instructions (originating from a Macor Linux computer) to see whether your badge works for that.This can help determine whether your problem is in your badge or in NDC account.