CAC 123: NGA Employee CAC Resources

Three easy steps to getting online

Step 1

Setting Up Your CAC Reader

This guide covers Microsoft Internet Explorer and Google Chrome. Other browsers might not be compatible with the built in Windows middleware.

Instructions for Windows

Instructions for Apple

Instructions for Chromebook

Have You Been Migrated to PIV?

You should have received a notification email stating that you were being migrated to the 16 digit PIV certificate. This means you have to select the PIV certificate for all things SBU instead of the email certificate or 10 digit ID certificate. The following will help you determine which certificate is the PIV.

Identifying the PIV Cert on Windows

Identifying the PIV Cert on a Mac

Step 2

Testing Your CAC Reader

Once you have your SmartCard Reader configured, now you can test it. Remote login into protected resources will require your Common Access Card (CAC). Insert your CAC into the reader and test against these useful NGA resources. If you have been migrated to PIV make sure to select the PIV cert.

Note regarding NGA | Intelshare: Ignore the email cert recommendation if you are a PIV user

Step 3

Accessing SBU with your CAC Reader

After successfully accessing CAC-enabled resources you can use that same process to remote login into your desktop. You will have access to your desktop just like being at work. Follow the instructions below to remote access into your desktop while teleworking. If you have been migrated to PIV make sure to select the PIV certificate.

Instructions for Windows

Instructions for Apple

Instructions for Chromebook

Instructions for Updating Citrix Workspace

Install Root / Downloading PKI/PKE Certificates

In order to log in remotely using your CAC, you must have Public Key Infrastructure/Enabling (PKI/PKE) certificates installed on your computer. This guide will show you how to download and install these certificates.

Instructions for Downloading

Installing Citrix Workspace

Citrix Workspace is a cloud-based user interface that allows users to access applications, desktops and content from anywhere through a single sign-on. It was designed to ensure all products look the same, work well together and provide a seamless experience despite the platform, device or user location. Click below for instructions on installing Citrix.

Instructions for Installing

Card Reader Troubleshooting

Users will commonly be routed to a page requesting their Username/Password/RSA token when navigating to the mydesktop.nga.mil sites. Click below if you are having issues with your card reader.

Instructions for Card Readers

CAC Leap

To authenticate with your CAC remotely, it must first be affiliated with your User account in the Active Directory. This is typically an automated process via the Universal Login Reader Tool (ULRT), when logging into physical SBU terminal. If you are unable to visit a location with an SBU terminal, use the instructions below to affiliate your CAC with your account.

Instructions for Connecting Your CAC

Frequently Asked Questions

What are the minimum requirements to access the Sensitive but Unclassified (SBU) network remotely?

To access SBU, users must authenticate and maintain:

A valid, unexpired common access card (CAC)
A functional and approved card reader that recognizes their CAC
The latest Department of Defense (DoD) root certificates
The latest version of Citrix Workspace for the operating system (OS) of their personal device
The .ICA filetype associated with the required software in the OS

Note: The Remote Access team cannot assist users unless these prerequisites have been met. Remote Access support is limited. Therefore, its team members have no purview or insight over personal device configurations and/or local network settings.

What is the LEAP process?

To authenticate with your CAC, it must first be affiliated with your User account in Active Directory. This is typically an automated process via the Universal Login Reader Tool (ULRT), when logging into physical SBU terminal.

Note: If you are unable to visit a location with an SBU terminal to complete this process, utilize the “CAC LEAP” instructions

When might I be required to LEAP my CAC?

New employee that has not authenticated to SBU with issued CAC
Issued a new CAC due to change of employee type (gov or contractor) or issued by a different agency

Note: If you are able to authenticate successfully at an SBU terminal on-site, your CAC is likely associated with your account

How can I find my PIV information?

Your PIV number should be 16 digits long. This includes a DODID number followed by 6 digits. Please reference the “CAC LEAP” documentation to obtain the PIV information from your CAC. If you cannot locate your PIV information, refer to your local certificates store.

How can I tell if my CAC certificates are expired?

Check the expiration date on your physical CAC
Navigate to the Control Panel > Internet Options > “Content” Tab > Certificates
Validate the expiration date of your certificates

What are the approved smart card readers?

SCM SCR3310v2
Belkin F1DN005U

Note: The NGA PITD office currently issues the Belkin F1DN005U.

How do I request or replace a card reader?

To request or replace (NGA-issued) card readers, please contact the ESC to submit a request to the PITD Office.

How do I know if my card reader is functional, and how can I troubleshoot issues with it?

If you aren’t prompted for a CAC pin when accessing a mydesktop site, this typically means your CAC isn’t being recognized by the card reader. This issue can be related to the card reader or the operating system.
Users will often be routed to a page requesting their Username/Password/RSA token. Additionally, users may experience errors when attempting to access other public key infrastructure (PKI) protected resources that are not managed by Remote Access such as RocketChat . For more information, please refer to the “Card Reader Troubleshooting” documentation.

What additional software will I need to install on my personal device?

You will need to install and maintain:

The most recent version of Citrix Workspace (applicable to your OS) from the Citrix website
The most recent version of InstallRoot from the DoD Cyber Exchange Public website or militarycac.com

Why do I need Citrix Workspace?

Citrix Workspace is the client-side software that allows you to interact with the virtual desktop infrastructure (VDI) desktop. It is required to open the .ICA file that is downloaded when you launch your assigned desktop from StoreFront.

How do I install Citrix Workspace?

Please see the “Citrix Workspace Client” documentation for installation steps.

Note: If you have Citrix Receiver installed, you must uninstall it prior to installing Citrix Workspace.

How do I check my Citrix Workspace version and/or if I have Citrix Workspace installed?

Navigate to Control Panel > Programs and Features
Applications are listed alphabetically, either “Citrix Workspace” or “Citrix Receiver” (deprecated) will appear
The latest versions can be found at: https://www.citrix.com/downloads/workspace-app

I?ve installed Citrix Workspace, why won?t my VDI desktop launch after I click on it?

When you click the desktop at Citrix StoreFront, an .ica file is downloaded. You may either notice this in your browser downloads or toward the bottoms of the browser window. Depending on your browser configuration, this file may not open automatically. Be sure to validate that .ica files have a default app associated with “Citrix Connection Manager” in your OS. Please reference the “Citrix Workspace Client” document for assistance with these configurations.

Why do I need InstallRoot?

InstallRoot automates the installation of DoD certificates on your personal device, and establishes the necessary certificate chain of trust so you can reach the mydesktop sites.

How do I install InstallRoot?

Please reference the “InstallRoot” documentation. Install Root 5.5 can be found at: https://public.cyber.mil/pki-pke/tools-configuration-files/ or : https://militarycac.com/dodcerts.htm

Why can?t I install or uninstall the required software?

Please reference vendor documentation for your OS.

Note: If you are utilizing a company-issued device, you may require administrative privileges. Please consult your company IT support.

What are the URLs to access my VDI Desktop?

Main: https://mydesktop.nga.mil/
St. Louis: https://mydesktopwest.nga.mil/

My Desktop Viewer window closed and I?m unable to reconnect to my session, what should I do?

Call the ESC to validate that your account isn’t locked out or that you have a hung session.

Why am I being prompted for my Username/Password/RSA token when accessing mydesktop?

Your CAC isn’t being recognized by the card reader. Please refer to the “Card Reader Troubleshooting” documentation for additional assistance.

Why am I unable to connect to my VDI desktop on my home network, but able to connect via mobile hotspot or external networks (e.g., Starbucks Wi-Fi)?

Please consult your Internet Service Provider.

Points of Contact for Support

Workforce Support Center – East 571-557-1111 | WorkforceSupportCenterEast@nga.mil
Workforce Support Center – West 314-676-9151 | WorkForceSupportCtrW@nga.mil

Need Assistance?

If you are having trouble with these steps, please contact the Enterprise Service Center.