ACCESS MANAGEMENT SYSTEM
U.S. Department of Health & Human Services

ActivIdentity and Web-based PIV Authentication Troubleshooting

Use this guide to verify user PIV/CAC authentication to AMS.

Note: This guide assumes a user is receiving a "page can't be displayed" or "SSL error", such as the example image shown below.

[Image: PIV Authentication Error Message]

Step 1 - Verify AMS Certificate Path

  1. Using Chrome, select the padlock icon to check the certificate
  2. Click on the "Connection is Secure" option
  3. Select the "Certificate is valid" option
  4. Click on the "Certification Path" tab
[Images: Verify AMS Certificate Path]

The AMS certificate path should appear EXACTLY as shown in the 3rd image above. If it appears differently, the user's SSL connections are being intercepted and managed by a proxy or security device.

How to resolve: Work with network or laptop support to whitelist *.hhs.gov sites.
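
A scripted form of the Step 1 check, as an added PowerShell example that is not part of the original guide or any HHS tooling: it prints the certificate chain this workstation is actually served for ams.hhs.gov and compares the root against a recorded baseline. The function name `Get-ServedChain`, the `$ExpectedRoot` placeholder, a direct route to port 443 and TLS 1.2 support on the server are assumptions.

```powershell
# Added example (not HHS code): show the chain served to THIS workstation.
$HostName     = 'ams.hhs.gov'                    # site named in this guide
$ExpectedRoot = '<known-good root thumbprint>'   # placeholder: record it (no spaces) on a network without SSL inspection

function Get-ServedChain {
    param([string]$HostName, [int]$Port = 443)

    $seen = [System.Collections.Generic.List[object]]::new()
    # The callback runs during the handshake and records every chain element.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $cert, $chain, $errors)
        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            $seen.Add([pscustomobject]@{
                Subject  = $c.Subject;  Issuer     = $c.Issuer
                NotAfter = $c.NotAfter; Thumbprint = $c.Thumbprint
            })
        }
        $true   # accept only so the handshake completes; no data is sent afterwards
    }

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        # Assumption: the server accepts TLS 1.2; no client certificate is offered.
        $ssl.AuthenticateAsClient($HostName, $null, 'Tls12', $false)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    $seen   # leaf first, root last
}

$served = @(Get-ServedChain -HostName $HostName)
$served | Format-List

# A root that differs from the baseline points to a proxy or security device
# re-signing the connection, which is the condition Step 1 looks for.
$root = $served[-1]
if ($root.Thumbprint -ne $ExpectedRoot) {
    Write-Warning "Root '$($root.Subject)' does not match the recorded baseline."
}
```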

Step 2 - Verify User Certificate Path

  1. Using Chrome, go to https://ams.hhs.gov
  2. Select the "HSPD-12 Access Card" tab, if not already selected, and click on the "Agree" button
  3. A Certificate Prompt will appear to select a certificate. Click on the desired user certificate.
  4. Select "Certificate Information" for the authentication/login certificate and click on the "Certificate Path" tab when the Certificate popup appears

The Certificate Path will vary based on the user certificate; however, each Root in the chain SHOULD NOT be expired or invalid.

How to resolve: Remove/update/untrust any expired certificates. See “Appendix A: How to Untrust a CA Certificate” for detailed instructions or contact IT Support for assistance.

Step 3 - Verify User Certificate

  1. Using Chrome, go to https://ams.hhs.gov
  2. Select the "HSPD-12 Access Card" tab, if not already selected, and click on the "Agree" button
  3. A Certificate Prompt will appear to select a certificate. Click on the desired user certificate.
  4. Enter PIN when prompted

If the user DOES NOT receive a PIN prompt after Step 3 above, there may be an issue with the certificate (e.g., an expired or old cached certificate) or with the reader, device, or PIV card.

How to resolve: Follow the certificate remove/clear cache steps (see Appendix B and Appendix C). If the issue is still not resolved, contact the User’s IT Support Desk.

Step 4 - Verify User Certificate is Valid

  1. Go to https://piv.test.max.gov/debug?certDetailsOnly
  2. Enter PIN when prompted
  3. A Certificate Prompt popup will appear. Select the appropriate authentication/login certificate and click on the "Ok" tab
  4. Enter PIN when prompted
  5. A PIV Certificate Validator page will appear

If the PIV Certificate Validator page retrieves an "INVALID" Validation Result, or if the page does not populate with data at all, then there is an issue with the certificate or chain.

How to resolve: Contact the User’s IT Support Desk.


Appendix A: How to Untrust a CA Certificate

Create Certificate to Untrust
  1. Go to https://ams.hhs.gov
  2. Select the "HSPD-12 Access Card" tab, if not already selected, and click on the "Agree" button
  3. A Certificate Prompt will appear to "select a certificate". Click on the appropriate user certificate, then select the "Certificate Information" button
  4. Click on the "Certificate Path" tab
  5. Select the certificate to untrust (example: expired G4), and select "View"
  6. Go to the "Details" tab and select "Copy to File". Select all defaults and save the file to your desktop
  7. Close the Certificate window
Add CA to Untrusted
  1. Go to your Windows Start Menu and type "Certificates"
  2. Select "Manage User Certificates"
  3. Right click on "Untrusted Certificates" and select "All tasks". Select "Import"
  4. Select the certificate saved to desktop from Step 6 under "Create Certificate to Untrust"
  5. A "Successful import" prompt will appear. The certificate should appear under "Untrusted"
  6. Restart your browser
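
The Step 2 chain check and the untrust procedure above, as an added PowerShell example (not part of the original guide or any HHS tooling): it builds the chain for each client-authentication certificate in the user's Personal store, reports expired or invalid elements, and can copy expired CA certificates into "Untrusted Certificates". The function name `Test-PivChain` and its `-UntrustExpired` switch are hypothetical; revocation checking is switched off so that only expiry and trust are evaluated.

```powershell
# Added example (not HHS code): scripted form of Step 2 and Appendix A.
function Test-PivChain {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$UntrustExpired)

    $clientAuth = '1.3.6.1.5.5.7.3.2'    # Client Authentication EKU OID
    $now   = Get-Date
    $certs = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuth }

    foreach ($cert in $certs) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # expiry and trust only
        [void]$chain.Build($cert)

        foreach ($element in $chain.ChainElements) {     # leaf first, root last
            $c       = $element.Certificate
            $expired = $c.NotAfter -lt $now
            [pscustomobject]@{
                Leaf     = $cert.Subject
                Subject  = $c.Subject
                NotAfter = $c.NotAfter
                Expired  = $expired
                Status   = ($element.ChainElementStatus.Status -join ', ')
            }

            # Appendix A: untrust expired CA certificates, never the user's own certificate.
            if ($UntrustExpired -and $expired -and
                $c.Thumbprint -ne $cert.Thumbprint -and
                $PSCmdlet.ShouldProcess($c.Subject, 'Add to Untrusted Certificates')) {
                # 'Disallowed' is the store shown as "Untrusted Certificates" in the console.
                $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Disallowed', 'CurrentUser')
                $store.Open('ReadWrite')
                $store.Add($c)
                $store.Close()
            }
        }
        $chain.Reset()
    }
}

# Report only:
#   Test-PivChain | Format-Table -AutoSize
# Preview what would be untrusted without changing anything:
#   Test-PivChain -UntrustExpired -WhatIf
```

As with the manual steps, restart the browser after any change to the Untrusted Certificates store.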

Appendix B: How to Clear Certificate Cache

  1. Go to your Windows Start Menu and type "User Certificate"
  2. Select "Manage User Certificates"
  3. Click on the "Personal" folder down arrow under "Certificates - Current User" and select the "Certificates" folder
  4. Highlight all certificates under this folder. Right click and select "Delete"

Appendix C: How to Export and Clear Out Certificates

Step 1 - Select PIV/CAC Login Option

  1. Launch the Chrome browser and go to: https://xms.hhs.gov
  2. Click the "PIV or CAC Login" tab, and select the "Login" button
  3. Select "Agree" to agree to the Terms and Conditions

Step 2 - Select Certificate

  1. Select the desired certificate, then select the "Certificate Information" button
  2. Select the "Details" tab

Step 3 - Copy to File Option

  1. On the "Details" tab, select the "Copy to File" button

Step 4 - Certificate Export Wizard

  1. The Certificate Export Wizard pop-up window is displayed
  2. Select the "Next" button to walk through the certificate export process
  3. Select P7B format with full chain, then click on the "Next" button
  4. Select the "Browse" button
  5. Browse to the location where you would like to export the file (e.g., Desktop)
  6. Enter a filename for your certificate, adding a "p7b" extension at the end (e.g., mycert.p7b)
  7. Select the "Save" button
  8. Confirm the file location and select the Next button
  9. Select the Finish button and a confirmation pop-up will be displayed. Click OK to close out

Step 5 - Clear Store Certificates

  1. Launch the Chrome browser
  2. In the upper right-hand corner, select the three dots
  3. Select "Settings" from the drop-down list
  4. In the search box, enter "certificate" and press the enter key
  5. Select the "security" option
  6. Scroll down and select the "Manage certificates" option
  7. Select the certificate(s) that you would like to remove
  8. Select the "Remove" button
  9. Click on the "Yes" button, and the certificates will be removed from the list
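
Appendix B and Appendix C combined, as an added PowerShell example (not part of the original guide or any HHS tooling): each certificate in the user's Personal store is exported with its full chain to a P7B file and then removed from the store. The function name `Backup-AndClearUserCerts`, the Desktop output folder and the thumbprint-based file names are assumptions.

```powershell
# Added example (not HHS code): export each Personal-store certificate with its
# chain to P7B (Appendix C, Step 4), then remove it from the store (Appendix B).
function Backup-AndClearUserCerts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: exports go to the user's Desktop, as in the guide's example.
        [string]$OutDir = (Join-Path $env:USERPROFILE 'Desktop')
    )

    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        # Build the chain so the P7B carries the full path, not just the leaf.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($cert)

        $bundle = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
        foreach ($element in $chain.ChainElements) { [void]$bundle.Add($element.Certificate) }
        $chain.Reset()

        # File name is the thumbprint, so two certificates never overwrite each other.
        $file = Join-Path $OutDir ('{0}.p7b' -f $cert.Thumbprint)

        if ($PSCmdlet.ShouldProcess($cert.Subject, "Export to $file and remove from Personal store")) {
            [System.IO.File]::WriteAllBytes($file, $bundle.Export('Pkcs7'))
            # A P7B holds certificates only, never private keys. It is a record of
            # what was removed, not a way to restore a software-keyed certificate.
            Remove-Item -LiteralPath $cert.PSPath
        }
    }
}

# Preview first; nothing is written or removed with -WhatIf:
#   Backup-AndClearUserCerts -WhatIf
# Then run for real:
#   Backup-AndClearUserCerts
```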