Accessing DoD Resources
Most DoD sites and services require PKI credentials (e.g. a Common Access Card) for access. A user working from a deployed system within Arcus has several options for presenting PKI credentials to those sites.
Option 1 - Use the “CAC Passthrough” feature
This feature lets users reach the CAC reader attached to their local machine from inside their remote desktop session.
- Advantages: Uses the user's existing CAC; no additional certificate has to be issued
- Limitations: Less seamless than browser-based access; users must be permitted to run an RDP client on their local machine; only supported when both the local and the remote system run Windows
Please see this KB Article for more details on using this feature.
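The PowerShell below is an added example, not part of this KB article or of Arcus, showing what the local side of a CAC passthrough session looks like if the feature is built on standard RDP smart-card device redirection (an assumption; the KB article referenced above is authoritative for the Arcus setup). The hostname and file name are placeholders. The second part is run inside the remote session to confirm the card is actually visible there.

```powershell
# Added example, not Arcus tooling. ASSUMPTION: "CAC Passthrough" is ordinary
# RDP smart-card device redirection; the hostname below is a placeholder.
$RemoteHost = 'remote-desktop.example.invalid'
$RdpFile    = Join-Path $env:USERPROFILE 'arcus-cac.rdp'

# Build a connection file that redirects ONLY the smart-card reader.
# Drives, clipboard and printers stay local (least privilege: the remote
# session gets the card, not the rest of the workstation).
# authentication level 1 = refuse to connect if the server's identity
# cannot be verified, rather than merely warning.
@"
full address:s:$RemoteHost
redirectsmartcards:i:1
redirectdrives:i:0
redirectclipboard:i:0
redirectprinters:i:0
authentication level:i:1
prompt for credentials:i:1
"@ | Set-Content -Path $RdpFile -Encoding ASCII

# Launch the Remote Desktop client with that file.
Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$RdpFile`""

# ---- Run the following INSIDE the remote session, after logging on ----
# List the readers the session can see and the certificates on the inserted card.
# If the reader is missing here, redirection is blocked on one side or the other.
certutil -scinfo

# The smart-card service propagates the CAC certificates into the user's
# personal store; these are what the browser will offer to DoD sites.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Select-Object Subject, NotAfter, Thumbprint
```

If `certutil -scinfo` shows no reader in the remote session, the usual causes are the client file lacking `redirectsmartcards:i:1` or the remote host's policy disallowing smart-card device redirection; the local CAC middleware is not needed on the remote side, but the Smart Card service must be running there.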
Option 2 - Use ECA certs
Users can install their software-based External Certificate Authority (ECA) certificate on the remote machine. ECA certificates are NOT to be shared: the certificate and its private key identify one person, and the user is responsible for protecting that key wherever it is installed.
- Advantages: Simple, browser-based access from the local machine; works from almost any machine
- Limitations: An ECA costs money to acquire; government civilians and military personnel do not use ECAs
Option 3 - Use DoD AltToken
DoD policy and the STIGs now require PKI-based authentication for nearly every service, at every layer. A physical CAC is a poor fit for a multilayered cloud environment, so the DoD has revisited the issue and again permits the issuing of AltTokens: software certificates that behave like ECA soft certs but are tied to the holder's DoD (CAC) identity.
- Advantages: No cost; simple, browser-based access; works from almost any machine
- Limitations: Requesting an AltToken is a process that requires paperwork and patience
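Options 2 and 3 end the same way: a software certificate and its private key (normally a PKCS#12 `.pfx` file) have to be installed on the remote machine. The PowerShell below is an added example, not Arcus or DoD tooling, showing an import that keeps the private key non-exportable, the checks worth making before relying on the certificate, and the cleanup that the "secure your ECA" reminder above implies. The file path is a placeholder and the other assumptions are marked in the comments.

```powershell
# Added example, not Arcus tooling. Run INSIDE the remote session as the user
# who will use the certificate. ASSUMPTIONS: the .pfx path is a placeholder,
# and the user copied the file here themselves.
$PfxPath     = Join-Path $env:USERPROFILE 'Downloads\my-soft-cert.pfx'
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import-PfxCertificate leaves the private key non-exportable unless
# -Exportable is given, so the cert can be used for TLS client auth from
# this machine but cannot be re-packaged and carried elsewhere.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation Cert:\CurrentUser\My `
                              -Password $PfxPassword |
        Where-Object { $_.HasPrivateKey } |
        Select-Object -First 1

if (-not $cert) { throw 'Import produced no certificate with a private key.' }
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); request a renewal."
}

# Browsers only offer certificates carrying the Client Authentication EKU
# (OID 1.3.6.1.5.5.7.3.2) to sites that ask for a client certificate.
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.2') {
    Write-Warning 'No Client Authentication EKU; browsers may not offer this cert.'
}

# Confirm the key really is non-exportable: ExportParameters($true) throws
# CryptographicException for a non-exportable key.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa) {
    try {
        $null = $rsa.ExportParameters($true)
        Write-Warning 'Private key is EXPORTABLE; re-import without -Exportable.'
    } catch {
        Write-Host 'Private key is non-exportable (expected).'
    }
}

# The .pfx file is the portable form of the credential. Once the key is in
# the store there is no reason for it to remain on disk.
Remove-Item -Path $PfxPath -Force

Write-Host "Installed $($cert.Subject) ($($cert.Thumbprint)), valid until $($cert.NotAfter)"

# When you are done with this remote machine, remove the certificate AND its
# key rather than leaving a usable credential behind:
#   Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

Marking the key non-exportable stops casual copying, but it does not protect the key from anyone who administers the remote machine or can read its disk image or snapshots; that exposure is the reason an ECA or AltToken should go only on machines the user actually controls and should be removed when the work is finished.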