Do you log on to the Air Force network to do your job? If so, Smart Card Logon/Next Generation (SCL/NG) will have a direct impact on you the first time you log on during Smart Card Logon/Next Generation implementation. SCL/NG took affect with the release of the Air Force Standard Desk Configuration 3.3 on Sept. 12. SCL/NG is evolving technology that will empower most Air Force network users with the ability to log on to multiple unclassified Air Force network accounts with a single Common Access Card.
Smart cards, including Common Access Cards (CAC) and alternative tokens (representations seen above), contain Public Key Infrastructure (PKI) certificates used to log on to Air Force networks. The current way we log on to the network, however, has some limitations. Network users with multiple unclassified accounts and permissions have been forced to use different smart cards for each account. Some examples of network users who may have multiple unclassified accounts/permissions include: network administrators, customer support technicians, help desk personnel and Air Force medical staff.
Smart Card Logon/Next Generation specifically provides increased convenience and security for the network user groups previously identified. However, for those individuals with multiple DoD affiliations (i.e., active duty, Reserves, National Guard, civilian, and contractor), who have been issued multiple CACs, SCL/NG will NOT combine your multiple CAC roles, but will affect your logon experience for each CAC.
SCL/NG will arrive at your Air Force desktop in two phases -- one has already begun. You will notice a subtle but important difference on the screen when inserting your CAC to logon. Specifically, you will see additional certificates, represented by icons you are able to select for logon. We are accustomed to loggingg on to the Air Force network with our DoD email signature certificate. For most, your usual logon screen looks like the image below.
During Phase I of SCL/NG implementation, you will begin to see two PKI certificates displayed logging on for the first time to your Air Force. One is the DoD email signing certificate, and the other is the DoD identity certificate (pictured below). Select the Email Signature Certificate, displayed on the left, to successfully log on to your workstation.
How can you tell the difference between the two certificates? You may notice from the above image that both certificate icons appear identical. Select the certificate on the left, and you will be prompted for your CAC Personal Identification Number (PIN). If your User Primary Name (UPN), circled in red (pictured below), is a 10-digit number followed by "@mil," you have successfully selected your email signing certificate. If you see something different, click Switch User to go back and select the email signing certificate. If you choose the wrong certificate you'll get an error--just go back and select the other certificate.
For those currently using alternate tokens, like system administrators, an additional certificate is available on your CAC called the Personal Identity Verification (PIV) authority certificate. The PIV authority certificate will function like your alternative token, enabling access to your individual alternate account. You can easily activate the PIV authority certificate on your CAC by using a tool called the User Maintenance Portal/Post Issuance Portal (UMP/PIP). For additional guidance visit: https://www.dmdc.osd.mil/ump/support/usermanual.pdf or contact your Hill AFB alternate token trusted agent in the Hill PKI office. Action is only required if you have an Alt Token.
Once you have activated your PIV authority certificate, your logon screen will display three certificates: the email signing certificate, PIV authorization certificate, and DoD identity certificate. The PIV authority certificate is displayed in the center (pictured below). To verify, select the center certificate icon displayed during logon. If the UPN is a 16-digit number followed by "@mil," you have found the PIV authority certificate to log on to your individual alternate account. Once you have activated your PIV authority certificate, turn your alternative token in to Hill PKI personnel.
You may be asking why is the Air Force going to Smart Card Logon/Next Generation The new smart card provides significant benefits to network users and the Air Force. It will result in cost/manpower savings, increased convenience for alternative token users and reduced security scenarios of lost or compromised alternative tokens.
For additional details, visit the Air Force PKI SPO web site: https://afpki.lackland.af.mil/html/sclogon.cfm.