AKO Webmail Browser Troubleshooting

On 23 June 2010, AKO converted to using only NIST/ NIAP-approved Secure Sockets Layer (SSL) encryption. To ensure access to the Portal, it may be necessary to change individual browser settings. Specifically:

Only Internet Explorer 6 (or higher) and Mozilla Firefox browsers support the higher level of protection.

Browsers must be configured to support TLS 1.0.

  • For Internet Explorer 6 (or higher), go to: Tools > Internet Options> Advanced Tab, scroll down to the Security section and ensure that the Use TLS 1.0 option is checked, then click OK. If this option is not available, please ensure you install the latest updates for Microsoft Internet Explorer.
  • In Firefox, go to: Tools > Options > Advanced > Encryption and ensure that the Use TLS 1.0 box is checked, then click OK.

Local systems administrators need to verify that their browsers can support one of the following ciphers: AES 128, AES 256 or 3DES.

Q: How can I fix this?
A: We recommend you update your browser with all recommended patches.

The “Page Cannot be displayed” error is a Microsoft Internet Explorer error.

The “Server not found” error is a Mozilla Firefox error.

Use the following decision tree to troubleshoot your issue:

1. Check your browser and version, for FIPS (Federal Information Processing Standard) compliancy*.

a. Click on the double arrow or ‘Help’ on the browser tool bar, then click ‘About Internet Explorer’. If you are on IE6, IE7, or IE8, you may need to update your browser settings:

i. For Internet IE6 or IE7, go to: Tools > Internet Options > Advanced Tab, scroll down to the Security section and ensure the Use TLS 1.0 option is checked, then click OK. If this option is not available, please ensure you install the latest updates for Microsoft Internet Explorer. Also ensure SSL 3.0 is checked, and SSL 2.0 is NOT checked.

ii. For IE 8 on Windows 7, make sure TLS 1.1 and TLS 1.2 are UNCHECKED.

iii. In Firefox, go to: Tools > Options > Advanced > Encryption and ensure the Use TLS 1.0 box is checked, then click OK.

2. Can you get to any external website that is non-military related (i.e. Google, Yahoo)?

a. If NO, you are probably having an issue with your local internet and will need to troubleshoot further with your ISP.

b. If YES, continue to the next step.

3. Are you on a personal computer/laptop?

a. If YES, contact your ISP. The ISP can attempt access to https://www.us.army.mil . If the ISP is having an issue then they will need to troubleshoot on their end. You can also go to the Microsoft support page: https://support.microsoft.com and search for the exact error you are receiving.

b. If NO, contact your local DOIM or network administrator to attempt access to https://www.us.army.mil.

4. Does your internet facing (also called external facing) IP address end in a .0 or .255? An internet facing IP address that ends in a .0 or .255 is blocked by the Army/DoD firewall due to the ability to easily spoof the IP address.

a. Go to http://www.whatismyip.com to make sure your IP address does not end in .0 or .255

b. If the address ends in at .0 or .255, you will need to contact your local ISP (Internet Service Provider), DOIM, IMO or Local Administrator to be leased a new IP address.

5. Are you able to get to get to army military websites? (i.e. https://www.hrc.army.mil, https://www.lms.army.mil//)

a. If NO, you are probably being blocked on an Army Wide level. Contact your ISP and ask them to confirm the block. If confirmed, ask the ISP to lease you a new ISP address.

b. If YES, continue to the next step.

6. Clear the cache and verify all security settings. Please use the following links:

a. ‘Clear Cache’: #152

b. ‘Internet Explorer (IE) Security Settings’: #151

8. Is your browser being redirected by add-ons or infected with spyware that is preventing you from getting to certain websites? In order to rule this out, try these steps:

a. To rule out add-ons: Start IE without Add-Ons: Start Menu à All Programs à Accessories à System Tools à Internet Explorer (Without Add-Ons)

b. To rule out spyware: Try an alternate browse

Q: Why are these changes being made?
A: Army Reg 25-2, Sec 6-1B requires that all Unclassified and Sensitive Information systems use NIST/NIAP-approved SSL. AKO/DKO is making changes to support this requirement.

Q: How do I know if I need to make these changes?
A: If you use Microsoft Internet Explorer 6 or higher go to: Tools > Internet Options> Advanced Tab, scroll down to the Security section. If the “Use TLS 1.0” option is checked, you do not need to do anything. If it is not, check it and click OK.
If you use Mozilla Firefox, go to: Tools > Options > Advanced > Encryption. If the “Use TLS 1.0” box is checked, you do not need to do anything. If it is not, check it and click OK.

Q: What do I need to do to make my browsers compliant?
A: If you use Microsoft Internet Explorer 6 or higher , verify it is configured correctly. To do that, go to: Tools > Internet Options> Advanced Tab, scroll down to the Security section and ensure that the “Use TLS 1.0” option is checked, then click OK. If this option is not available, please ensure you have the latest updates for Microsoft Internet Explorer and then try again.

If you use Mozilla Firefox, go to: Tools > Options > Advanced > Encryption and ensure that the “Use TLS 1.0” box is checked, then click OK.

Q: What happens if I don’t make these changes?
A: You will not be able to access AKO or any of its related services (e.g., IM, Webmail, files).

Q: What is SSL?
A: SSL, which stands for Secure Sockets Layer, is a commonly used method for managing the security of a message transmission on the Internet.

Q: What about non-Web browser services like IMAP/POP?
A: All AKO/DKO Services like Portal, Webmail, and IM as well as e-mail based services like IMAP and POP will use only NIST/NIAP-approved SSL algorithms. Check your application’s vendor documentation to ensure it is capable of using NIST/NIAP-approved cryptographic algorithms.

More information about AKO Webmail Troubleshooting at akoarmymil.com/army-knowledge-online-ako/