Dynamic content highest classification up to UNCLASSIFIED//FOUO
Warning: This content may not be used as a source of derivative classification; Refer instead to the pertinent classification guide.

GVS Frequently Asked Questions (FAQ)


Contents


GEOAxIS FAQs

General

Q: What is GEOAxIS?

A: GEOAxIS is the NGA Enterprise Identity & Access Management (IdAM) mechanism. Access to GVS Services requires GEOAxIS authentication.


Q: What are valid forms of GEOAxIS authentication?

A: DoD issued CAC, Disadvantaged account username and password, Austere account username and password, Non-DoD issued PIV, ECA Certificate, and NPE Certificate.


Q: Where can I login to GEOAxIS on the network?

A: The GEOAxIS Authentication Page is located at the network URLs below:


Disadvantaged User

Q: What is a Disadvantaged User Account?

A: A Disadvantaged User Account is a username and password account for a person with CAC credentials who is unable to use their CAC. This user may not have access to a card reader, not have their CAC with them or their CAC no longer works. The Disadvantaged username and password allows access to your SBU account as well as access to GVS services.


Q: How do I obtain a Disadvantaged User Account?

A: Call the NGA Enterprise Service Center (ESC) at 1-800-455-0899 (Comm) or 578-5555 (TS-VoIP). When enabling a Disadvantaged account, please indicate to the ESC that a password is needed for your SBU account login.


Q: How do I login with a Disadvantaged User Account?

A: Navigate to the GEOAxIS Authentication Page, select the ''Disadvantaged User'' option, and login with username and password.


Austere User

Q: What is an Austere User Account?

A: An Austere User Account is for persons with no ability to obtain a CAC, but who have a mission need to access NIPR authenticated services. An NGA sponsor is needed to establish and maintain an Austere User Account.


Q: How do I obtain an Austere User Account?

A: Call the NGA Enterprise Service Center (ESC) at 1-800-455-0899 (Comm) or 578-5555 (TS-VoIP). An NGA sponsor is needed to request and maintain an Austere User account. (Note: GVS is unable to sponsor users for Austere Accounts; please work with your local NGA NST to identify a suitable sponsor).


Q: How do I login with a Disadvantaged User Account?

A: Navigate to the GEOAxIS Authentication Page, select the ''Austere User'' option, and login with username and password.


Personal Identity Verification (PIV) User

Q: What is a PIV User Account?

A: PIV (Personal Identity Verification) is a smart card used by non-DoD Federal employees and contractors for identification.


Q: How do I obtain a PIV Card?

A: Contact your sponsoring agency or company for information on obtaining a PIV Card. See also Trusted CAs and CRLs for a list of GEOAxIS supported agencies.


Q: How do I login with a Disadvantaged User Account?

A: Because there is no authoritative attribute source for PIV card users, these users will be required to register their PIV credentials with GEOAxIS in order to be allowed authentication access to a protected resource.

Navigate to the GEOAxIS Authentication Page, and select the ''PKI Certificate'' option. Select ''OK'' on DoD PIV certificate when prompted, and register your PIV (one time only) by filling in required information (first name, last name, organization, and email) and selecting ''Register Certificate''. Once the PIV has been registered, authentication is the same as PKI.


External Certification Authority (ECA) Certificate

Q: What is an ECA Certificate?

A: An External Certificate Authority (ECA) is a program to support the issuance of DoD-approved certificates to industry partners and other external entities and organizations.


Q: How do I obtain an ECA Certificate?

A: Information on obtaining ECA Certificates can be found at: https://public.cyber.mil/eca/. See also Trusted CAs and CRLs for a list of GEOAxIS supported agencies.


Q: How do I login with an ECA Certificate?

A: Because there is no authoritative attribute source for ECA certificate users, these users will be required to register their ECA credentials with GEOAxIS in order to be allowed authentication access to a protected resource.

Navigate to the GEOAxIS Authentication Page, and select the ''PKI Certificate'' option. Select ''OK'' on DoD ECA certificate when prompted, and register your ECA certificate (one time only) by filling in required information (first name, last name, organization, and email) and selecting ''Register Certificate''. Once the PIV has been registered, authentication is the same as PKI.


Non-Person Entity (NPE) Certificate

Q: What is an NPE Certificate?

A: An NPE (non-person entity) certificate is a PKI certificate assigned to an authorized device.


Q: How do I obtain an NPE Certificate?

A: Information on obtaining ECA Certificates can be found at: https://public.cyber.mil/eca/ or by calling the NGA PKI hotline: 571-557-5900.


Q: How do I register a NPE Certificate?

A: NPE Certificates must be registered prior to use. Registration must be performed on the network in which you are using the NPE. In order to request an NPE certificate, navigate to the self-service registration at https://geoaxis.nga.mil/portal/npe-registration.xhtml


Trusted Certification Authority (CA) and Certificate Revocation Lists (CRL)

LevelCA CRL
Department of State
0U.S. Department of State AD Root CAhttp://crls.pki.state.gov/crls/DoSADPKIRootCA.crl
1U.S. Department of State AD High Assurance CAhttp://crls.pki.state.gov/crls/DoSADPKIHACA.crl &
http://crls.pki.state.gov/crls/DoSADPKIHACAsha256.crl
1U.S. Department of State AD Root CAhttp://crls.pki.state.gov/crls/DoSADPKIRootCA.crl
Entrust SSP
0Entrust managed Services Root CAhttp://rootweb.managed.entrust.com/CRLs/EMSRootCA1.crl
1Entrust Managed Services SSP CAhttp://sspweb.managed.entrust.com/CRLs/EMSSSPCA1.crl
1HHS-FPKI-Intermediate-CA-E1http://hhspkicrl.managed.entrust.com/CRLs/HHSEntrustCA.crl &       
http://hhspkicrl.managed.entrust.com/CRLs/HHSEntrustCAc2.crl
ORC SSP
0ORC Root 2http://crl-server.orc.com/CRLs/ORCROOT2.crl
1ORC SSP 3http://crl-server.orc.com/CRLs/ORCSSP3.crl
Treasury Root / SSP
0US Treasury Root CAhttp://pki.treas.gov/US_Treasury_Root_CA.crl
1DHS CA4 [sha1]http://pki.dimc.dhs.gov/DHS_CA.crl
1DHS CA4 [sha256]http://pki.dimc.dhs.gov/DHS_CA1.crl
1Fiscal Service [46 ea ce a1]http://pki.treas.gov/FS_CA2.crl
1Fiscal Service [4a 61 d0 1a]http://pki.treas.gov/FS_CA4.crl
1Fiscal Service [sha256]http://pki.treas.gov/FS_CA.crl &
http://pki.treas.gov/FS_CA5.crl
1NASA Operational CA [44 3e a7 e9]http://pki.treas.gov/NASA_Operational_CA.crl
1NASA Operational CA [45 f9 4a b5]http://pki.treas.gov/NASA_Operational_CA1.crl &
http://hc.nasa.gov/combinedCRL1.crl
1NASA Operational CA [sha256]http://pki.treas.gov/NASA_Operational_CA2.crl
1OCIO CA [sha1]http://pki.treas.gov/OCIO_CA2.crl
1OCIO CA [sha256]http://pki.treas.gov/OCIO_CA.crl &
http://pki.treas.gov/OCIO_CA3.crl
1Social Security Administration CA [sha1]http://pki.treas.gov/SSA_CA.crl
1Social Security Administration CA [sha256]http://pki.treas.gov/SSA_CA1.crl
1US Treasury Public CA [sha1]
1US Treasury Public CA [sha256]http://pki.treas.gov/public_ca.crl

Common Access Errors

GVS Supported Browsers and Clients

Q: What browser and client versions are supported by GVS?

A: Review GVS Supported Browsers and Clients for a current list of supported versions.


Setting Up Authentication for Firefox

Q: How do you set up authentication in Firefox?

A: If you do not get prompted for CAC/PKI authentication when using Firefox to access the GVS Homepage, you can install the DoD Firefox Add-on or manually add your card reader to Firefox.


Internet Explorer Cross-Certificate Resolution

Q: What happens if I get a "This page cannot be displayed" condition in Internet Explorer for a GEOAxIS protected page?

A: If you believe you have received a "This page cannot be displayed" error when accessing a GEOAxIS protected page in IE, first go to the GEOAxIS Portal page (https://geoaxis.nga.mil) in both IE and Firefox. If you are able to get to the proper page in Firefox, your Internet Explorer will need to complete the following steps.


Indication:

Resolution


Using Google Earth

Q: What version of Google Earth should I use on SBU to access GVS Services?

A: NGA users working on SBU thin client workstations may find different versions of Google Earth installed. Users will need to launch Google Earth v7.0.3 since the GVS Google Earth Globe is only compatible with this specific version.


Q: Why can't I access the GVS Google Earth Globe as a first time user?

A: When accessing the GVS Google Earth Globe for the first time, some NGA users need to sign-out of the Google Globe and sign back in using the new GVS Google Earth Globe URL.


Q: What do I do if I am not able to login to another globe?

A: Sometimes users can become ''stuck'' to one globe when using GE. You will need to test and adjust the default Globe.


Q: How do I connect to multiple globes at the same time in Google Earth?

A: To connect to another globe at the same time in Google Earth you will use the ''Add Database'' feature


Q: Why do web pages not work in Google Earth?

A: The internal Google Earth browser has issues processing HTML. In Google Earth, please go to Tools -> Options -> General (tab) and select "Show web results in external browser".


GEOAxIS Maximum Number of Login Attempts Error or Oracle Account Disabled Error

If accessing the GVS Homepage (https://home.gvs.nga.mil/home) you receive a GEOAxIS error message stating "Login Failed: Maximum Number of Login Attempts" or an Oracle error message stating your Oracle account has been disabled, you must clear your browser SSL Certificates and Cache.


GEOAxIS Certificate-Based Authentication Failed Error

Some users are being denied access to GVS and Intelink services because of a CAC authentication error. DISA has released the FBCA Cross-Certificate Removal Tool (CCRT) to fix this issue.

If accessing the GVS Homepage you receive a GEOAxIS error message stating "Certificate-based authentication failed" error message, download and run the CCRT tool.

After downloading the .zip file, extra the contents and click on the .exe file to run


GEOAxIS 3rd-party Cookies Error

Internet Explorer is configured by default to block 3rd-party cookies. This causes problems when external (non-NGA) users attempt to authenticate through GEOAxIS.

External users may also alternatively use supported versions of the Firefox or Chrome browsers, which are configured by default to allow 3rd party cookies and are not affected by this issue.