This page was created to help users access AVHE medical applications and DEE Webmail from home.
It was originally intended to help Mac users access these applications but I have added some information for Windows users as well.
I know it can get technical and a bit wordy, but please try to follow these instructions in order and do specifically what they ask you to do.
Each blue section header is labeled with Mac and PC so you know if the section applies to your platform.
We have to get your computer set up with a very specific configuration to work correctly. That takes a little bit of work.
If you find yourself stuck, send me an e-mail. My contact information is in the Outlook Global. I'm the only Lt Col Jacob Wessler in there.
Please include a screenshot of your current error. (Mac Screenshot | PC Screenshot)
Good luck!!
Jacob
Get one of these two CAC readers. (click the links to shop at Amazon. These are NOT affiliate links. I don't make any money from you clicking them.)
PC USERS - Some folks still have success with the SCR331. But, you'd be safer buying a new one.
MAC USERS - Stay away from the SCR331. It's pretty old and doesn't play well with the current setup.
It looks like this:
Before we talk about CAC enablers, we need to know which version of macOS you are running.
To find your operating system, click the Apple icon in the top left corner of your screen and select "About this Mac." The pop-up will tell you what version is installed (ex: Version 10.15.4).
If you have macOS 10.15 or later, read the below subsection. If you have 10.14 or earlier, skip this subsection and move down a bit.
For macOS 10.15 (Catalina) and later, you CANNOT install a CAC enabler. The operating system has built-in software to read your CAC.
1) If your computer is BRAND NEW with macOS 10.15 or later and you have never installed a CAC enabler on it - DON'T INSTALL ONE. You can skip ahead.
2) If your computer is older and you upgraded to Catalina, you may need to remove any old CAC enablers and re-enable SmartCard services (if you disabled it).
Go to this article from militarycac.com and follow the instructions to remove any old CAC enablers you may have installed on your computer. (If you bought a brand new computer with macOS 10.15 installed, you can skip this step.)
If you have previously disabled the included SmartCard services in macOS 10.13 Sierra or later, you will need to re-enable those services. Those instructions are at the very bottom of this page in NOTE3.
If you're reading this, then you have macOS 10.14 or EARLIER installed (Mojave, High Sierra, Sierra, etc). If you have macOS 10.15 (Catalina) installed READ THE PART ABOVE FOR macOS 10.15!!!
Now that you have a CAC reader, you have to install some software to make it work with your Mac.
To choose the right software, we need to know if you have a Gemalto or an Oberthur CAC. Look on the back at the top of the card. There is a small strip of numbers and words. Look for Gemalto or Oberthur.
Go to this site and find the right CAC enabler for your CAC type and your Mac operating system.
In general, if your CAC is a Gemalto, you will download Smart Card Services.
If your CAC is an Oberthur, you will download CACKey.
PKard is an option (and has its apostles) but you have to buy the software (~$40). I have had success with CACKey for the past 8 years. You can likely get away without having to pay for PKard, but it is available as a last resort.
Apple has a safety feature called Gatekeeper. This program prevents you from installing potentially dangerous software. Basically, any software that is NOT distributed directly from Apple is considered dangerous. In order to install certain programs (like the CAC reader software and CITRIX), you may need to disable Gatekeeper.
Go to this article from Apple to learn how to disable Gatekeeper or bypass it for one application. If you disable it, please re-enable it after installing CITRIX.
Now that you have the software installed, you should make sure it works. Plug your reader into your computer, put your CAC in the reader, and open Keychain Access. (Click the magnifying glass in the top right of your screen and type in Keychain. Select Keychain Access) Above the login item in the top left corner should be your name or PIV_II or something similar (depending on your CAC).
Click ONCE on that listing (you cannot unlock your CAC card...nor do you need to) - if you can see a bunch of certificates, some with your name and some without, then you were successful. If not, go back and download a different enabler. Make sure that enabler works with your CAC and macOS version.
This has become one of the biggest hurdles for new users to get over.
Make sure you follow these instructions closely. If you have already installed the DoD Certificates and you are getting SSL or connection errors, please install the certificates again using these links and these instructions.
These DoD certificates are DIFFERENT than the certificates on your CAC. You need to have the right DoD certificates installed on your computer in order for your computer to talk to the DoD servers.
In order for the security handshake to work, your computer needs to have the DOD certificates installed so it can decrypt the messages sent from the DOD servers. It's pretty complicated stuff but the DOD servers encrypt information with their SECRET certificates and then your computer decrypts that information with the DOD PUBLIC certificates.
The DOD updates their certificates every now and then and you need to make sure that you have the most current certificates installed and trusted on your computer.
ONLY INSTALL DoD CERTIFICATES FROM MILITARYCAC.COM. ALL OTHER SOURCES DON'T HAVE THE RIGHT CERTIFICATES!!
Mac Users - Those instructions are here. Install all the certificates and follow the instructions for trusting those certificates.
PC Users - Those instructions are here. You are looking for the InstallRoot program. I download the .MSI version and then run it on the computer. It walks you through the correct steps.
If you are still having troubles after downloading the DOD certificates, install them again and make sure that they are all trusted.
Moving along now.
We need to download the CITRIX software to talk to the AVHE servers. Because the software is changing so often, I will direct you to the CITRIX site to download the latest software.
Click here to go to the CITRIX downloads page.
Once there, click on the "Select Product..." drop-down and select "CITRIX Workspace App" from the list. On the next page, select "Workspace App for Mac" or "Workspace App for PC" from the list.
Download the newest version of CITRIX Workspace App and install it.
Note: Previous versions of these instructions used CITRIX Receiver. This product is now dated and CITRIX has replaced it with the Workspace App. If you used Receiver in the past, download and use the Workspace App.
Apple has a safety feature called Gatekeeper. This program prevents you from installing potentially dangerous software. Basically, any software that is NOT sold directly from Apple is considered dangerous. In order to install certain programs (like the CAC reader software and CITRIX), you may need to disable Gatekeeper.
Go to this article from Apple to learn how to disable Gatekeeper or bypass it for one application. If you disable it, please re-enable it after installing CITRIX.
It's safer that way.
When the CITRIX Workspace App first runs, it will ask you to ADD AN ACCOUNT. Just close the program. There is no account to add and any e-mail you put in there is not going to work. You do not need to add an account so don't worry about trying.
You should be able to move to the next step now. OCCASIONALLY, some users have had problems getting CITRIX Receiver to work. If that is the case for you (and you have followed ALL of the steps above with no success), select "Legacy Client Software" from the Download Type and click Find. Download the "Online Plug-in..." file and install it. You should uninstall CITRIX Receiver first.
AVHE stands for Application Virtual Hosting Environment and is used to connect to clinical applications. This means AHLTA, CHCS, and Essentris.
This system uses the CITRIX Workspace App to run applications on your desktop.
You already installed CITRIX, right?
RIGHT?!
Okay...good.
You can connect to AVHE using this link: https://avhe.health.mil
Note: AVHE links used to be site specific. This is no longer the case. One URL for EVERYONE!
You will be presented with a drop-down asking you to select your CAC certificate.
Select your PIV certificate (DOD ID CA-XX; the numbers may be different for your CAC. That's okay.)
THIS STEP HAS CHANGED! We used to log in with the DOD E-MAIL certificate but now we use the DOD PIV certificate. Go figure.
Mac users will be presented with a dialog box asking for Keychain access. This is asking for your CAC PIN. Do not enter your computer password here. It is your 6-8 number CAC PIN.
PC users will be presented with a dialog box that looks like the one at work. Make sure you select your authentication certificate.
Next you will see the DOD Consent Banner. Click Accept.
If everything worked out, you should see a page with two shortcuts: AVHE Support and DHAGSC Remedy Phone number (This is the DHA Global Service Center (GSC) Helpdesk phone number).
My page has additional apps already added in.
This is your Favorites tab. You can see Favorites at the top middle of the page.
Next to Favorites is the Apps tab. Click on Apps to find your site-specific application shortcuts.
Type your MTF in the search box to filter the apps.
The site knows which AHLTA application to give you based on your MTF. The name may not match. For example, Langley users will see the Portsmouth AHLTA app when they type in Langley. That's because Langley AFB is on the same CHCS/AHLTA host as Portsmouth.
Click the Details button of the app you want to use.
Click the "Add to Favorites" button to add this app to your Favorites tab.
Click the Open button to launch the app.
Click around. Have fun. You have just successfully set up AVHE at home.
Some users will have the DHA desktop available to them. This will depend on whether your MTF is using the DHA desktop and whether you have signed up for a CDP account. If you used to use VMWare, you might have a DHA Desktop account.
If you see a DESKTOPS button at the top of your AVHE page, then you DO have access. Click that button and you'll go to the DHA Desktop page.
From there, click on the DHA Desktop - [YOUR MTF HERE]. I have not seen a difference between the Portsmouth 2016 and Portsmouth NAVMED options. I do NOT use the Portsmouth TEST desktop, though.
This Desktop will allow you to work on a desktop that looks just like your desktop at work. You can access all network applications (e.g. Synapse) and network shares (like your H: drive or any department/division drives). Since you're using regular Microsoft Outlook, you CAN send and receive encrypted e-mail.
Webmail allows you to read your Defense Enterprise E-mail (DEE) from home.
Mac Users - You cannot send/read encrypted e-mail or access your personal folders using webmail.
PC Users - You can read and send encrypted e-mail if you install the S/MIME extension. Unfortunately, I do not know how to do that. See Note 7-1 for more information.
Here is the link: https://web.mail.mil
Accept the DoD Consent Banner.
Use your DoD PIV certificate.
The rest is pretty straightforward.
There are a lot of things that can go wrong with the above process. Software will change frequently and the system can often get confused.
If you find that your system WAS working but now is NOT, think about anything that might have changed.
Did you:
Any one of these might change your system.
The first step is to troubleshoot your CAC/reader combination. Try logging on to DTS or MyPay. If you can get in there, your problem is with AVHE. If you can't get in there, then the problem is with your CAC/reader combination. Reinstall your CAC enabler to see if that fixes things. (DO NOT reinstall/install a CAC enabler if you are on macOS 10.15 Catalina or later)
Sometimes, your computer gets confused with which CAC certificate it should present to the server. The easiest way to fix this problem is to delete the keychain preference. You should do this if you notice that you are having trouble logging on when things were working before and you didn't change any of the above things.
Open Keychain
Find any reference to web.mail, web-mail, or AVHE. Click on those entries and delete them.
Go back to WebMail or AVHE and try logging in again.
Remember to use your DOD ID CA-XX certificate.
Some users report getting stuck on Google Chrome with a "Your connection is not private" error. It looks like this:
If you can get into myPay, DFAS, NKO, etc and you still get this error in Google Chrome follow these steps:
I hope you found this useful. If you have any comments or critiques, please send me an e-mail. I'm in the global.
Jacob Wessler
Lt Col, USAF
I'll keep a running list of version changes here so you can come back and see what has changed if you find you are having problems.
It's Catalina, not Cantalina...apparently! FIXED 5 errors.
New introduction with instructions for taking a screenshot
New Table of Contents
Refreshed CAC Enabler, CITRIX, and DoD Certificate sections
Google Chrome bug information added
Google Chrome bug screenshot added (Thanks MJD!!)
Updated Table of Contents
Clarified CITRIX Workspace app vs CITRIX Receiver
Added info on the DHA Desktop
Expanded Troubleshooting section
Fixed spelling errors and one more CAC tautology (CRIMENY!)
Version 2.1 Archive
Refresh of all instructions
Reduced information as the process is simpler now
Added info on macOS 10.15 Catalina and later
Added DOD Certificates in Troubleshooting
Version 2.0 Archive
Updated URL
Updated screenshots
Added screenshots for Favorites
Fixed all instances of the "CAC card" tautology (Ugh...)
Version 1.1 Archive
Website created
Version 1.0 Archive