Weblogin

PIV or zToken Login Help


You can use your PIV or zToken to log in to Weblogin.


Requirements

  1. A Lab-issued PIV or zToken.
  2. A SmartCard reader.
  3. An operating system with SmartCard middleware installed.
    See System Setup
  4. A browser that supports SmartCards for client certificate authentication.
    See Browser Setup

System Setup

Your operating system may require additional software.

Windows
Install ActivClient through the Application Catalog / Software Center.
macOS
macOS Sierra (or newer) with Safari
No additional software required.
macOS Sierra (or newer) with Chrome 65 (or newer)
No additional software required.
macOS Sierra (or newer) with Firefox
Install Keychain PKCS11
All Others
Install OpenSC
Linux
Install the following packages from your distribution:
  1. opensc
  2. pcsc-lite-ccid

Browser Setup

Your browser may require additional configuration.

Internet Explorer
No additional configuration required.
Safari
No additional configuration required.
Chrome
Windows
No additional configuration required.
macOS
No additional configuration required.
Linux with Chrome 64-bit
  1. Install the nss-tools package from your distribution.
  2. Close all Chrome windows.
  3. mkdir -p $HOME/.pki/nssdb
  4. modutil -dbdir sql:$HOME/.pki/nssdb/ -add "OpenSC" -libfile /usr/lib64/opensc-pkcs11.so
Firefox
  1. Click the icon.
  2. Click Options / Preferences (dropdown menu item)
  3. Type: security devices
    [The 'Find in Preferences' search entry is already selected.]
  4. Click
  5. Stop if you see any device with the following in its name:
    • ActivClient
    • Keychain PKCS11
    • OpenSC
  6. Otherwise, Click
  7. Change Module Name to:
    Windows
    ActivClient
    macOS with Keychain PKCS11
    Keychain PKCS11
    macOS with OpenSC
    OpenSC
    Linux
    OpenSC
  8. COPY and PASTE the appropriate value into the Module filename field:
    Windows with Firefox 32-bit
    C:\Program Files (x86)\HID Global\ActivClient\acpkcs211.dll
    Windows with Firefox 64-bit
    C:\Program Files\HID Global\ActivClient\acpkcs211.dll
    macOS with Keychain PKCS11
    /usr/local/lib/keychain-pkcs11.dylib
    macOS with OpenSC
    /Library/OpenSC/lib/opensc-pkcs11.so
    Linux with Firefox 32-bit
    /usr/lib/opensc-pkcs11.so
    Linux with Firefox 64-bit
    /usr/lib64/opensc-pkcs11.so
  9. Click OK
  10. Click OK

Authentication Process

  1. Ensure that the SmartCard Reader is plugged into your system.
  2. Ensure that your PIV or zToken is inserted into the reader.
  3. Click 'PIV or zToken Login'.
  4. Click the 'Use PIV or zToken' button.
  5. The browser will make a background request for https://sc.weblogin.lanl.gov/client_auth
  6. The browser will wait between 20 and 60 seconds for a completed signal from this request. If no signal is received then the 'Please try again.' message is displayed.
    See Attempts result in 'Please try again.'

  7. When prompted you must select the correct certificate for authentication. The correct certificates for each browser type are listed below.

    Internet Explorer / Edge
    (Make sure to choose the certificate marked with Authentication - NOT the one marked with Signature -

    Click More choices if Signature - is shown.)

    Authentication - YOUR NAME
    (DOE_AFFILIATION)
    Issuer: Entrust Managed Services SSP CA
    Firefox
    (Make sure to choose the certificate marked for Key Usages: Signing NOT the one marked for Key Usages: Signing,Non-repudiation. .)

    YOUR NAME  (DOE_AFFILIATION) [SERIALNUMBER]
    Chrome
    YOUR NAME  (DOE_AFFILIATION)  Entrust   SERIALNUMBER
    Safari
    YOUR NAME  (DOE_AFFILIATION)  (Entrust)

  8. Enter your PIN to unlock the PIV or zToken.

  9. The page will display a failure message if there was a problem with Authorization.

Troubleshooting

Attempts result in 'Please try again.'

This means that the browser was unable to access the PIV or zToken or that an authenticated connection could not be established with the server.

  1. Remove the PIV or zToken from the reader and reinsert it.
  2. Retry PIV or zToken Login
  3. Close all browser windows and reopen the page.
  4. Retry PIV or zToken Login

If this problem persists then:

  1. Ensure that your system meets the PIV or zToken Requirements

  2. Manually visit the PIV or zToken Client Auth page.

    A page with any of the following errors indicates a problem meeting the PIV or zToken Requirements :

    • Can't connect securely to this page
    • Secure Connection Failed
    • This site can't provide a secure connection

Attempts result in 'Wrong Certificate'.

This means that the wrong certificate on the PIV or zToken was selected for authentication.

Your browser needs to be reset so that it will give you a choice of certificates:

  1. Remove the PIV or zToken from the reader and reinsert it.
  2. Close all browser windows and reopen the page.
  3. Retry PIV or zToken Login with a different certificate.
    • See Authentication Process for the list of correct certificates by browser.
    • If you selected a matching certificate then try the next matching certificate from the available certificates.
Attempts result in 'Authorization Failure'.

This means that the certificate on the PIV or zToken was correctly presented to the server, but the attributes in the certificate are not correctly mapped to a user.

Here are some questions to aid in troubleshooting:

  1. Is your training up to date?
  2. Is your PIV or zToken expired?
  3. Was your PIV or zToken recently reprogrammed? Data propagation can take up to one hour.