Information Technology at JPL

Directory and Authentication Service

Mandatory Smartcard

General FAQs

  1. What if I lost/forgot my badge once passwords are disabled for system login?

    Forgotten Badge: Visit the Badging Kiosk (Visitor Center) or any Officer Station to obtain a temporary paper badge. Once a temporary badge has been issued, any systems registered in your name are set back to password login until 10 a.m. (PT) the following day. No further action is required. Temporary exemptions may also be requested by calling the JPL Service Desk or via the JPLIT Portal's Exemption/Waiver Request Form (this form is available externally).

    Lost/Damaged/Awaiting Badge Issuance: The Badging Office will update the status of your badge and any systems in your name will be set to password login for up to 60 business days.

    Note: Once issued, Exemptions and Waivers require a system restart before you can log in with your password, and may require assistance from the JPL Service Desk.

  2. What is my smartcard PIN and what do I do if I forgot my PIN?

    It's the 6 to 8 digit number that you set when you picked up your badge from the Badging Office. PIN resets are done at the PSD Badging Office by appointment. Please call 4-5050 or schedule online via the Badge Scheduler link available in your EBIS JPL Employee Toolkit.

  3. Can I change my PIN and does it expire?

    PINs do not expire, but they can be changed. PIN resets are done at the PSD Badging Office by appointment. Please call 4-5050 or schedule online via the Badge Scheduler link available in your EBIS JPL Employee Toolkit.

  4. What if I do not have a smartcard badge?

    Only users who have been issued a Smartcard Badge by the Badging Office will be required to use smartcards for system login. Those with no Smartcard will continue to use their JPL username/password for login.

  5. Do I need to leave my badge in the smartcard reader the entire time I'm using my system?

    No, you can remove your badge after you log in.

  6. Can I still log in to multiple systems concurrently?

    Yes, once logged in to a given machine you can remove your badge and re-use it to log in to other machines.

  7. Do I still need to maintain my JPL Username and Password?

    Yes, it is still required to access a number of applications and systems, as well as serving as a backup authentication method if you forget or lose your badge.

  8. Does my Smartcard expire? What about the credentials?

    The JPL Badge that the credentials reside on expires every 5 years. The Badging Office will contact you when it is time to renew.
    The certificates on the chip that make it a Smartcard need to be renewed every 3 years. You will see a pop-up saying "Smartcard Badge Update Available". Clicking on the pop-up will initiate the renewal.

  9. Will I still need to use my smartcard to login to NASA web applications that require it?

    For the time being you will need to login to NASA web applications separately because our domains are not federated.

  10. How can I view and manage the certificates on my system?

    If someone else has logged into your system, residual certificates in their name may be left behind.

    • Use Windows search to find 'certmgr.msc'
    • Under the 'Personal' folder you can view your Certificates
    • Under the 'Action' menu option, select 'Delete' to remove unneeded certs (e.g., for other users that shared the computer)
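
    A read-only PowerShell view of the same 'Personal' store that certmgr.msc shows, added here as an example and not JPL's own tooling; the 60-day warning window is an assumed value. It lists each certificate's subject, issuer and expiry so that certificates left behind by other users, and certificates nearing renewal, are easy to identify before anything is deleted in certmgr.msc.

```powershell
# Inventory of the current user's 'Personal' certificate store
# (certmgr.msc > Personal > Certificates). Nothing is modified or deleted.

$smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon enhanced key usage
$warnDays          = 60                          # assumed warning window, adjust as needed
$now               = Get-Date

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    # EnhancedKeyUsageList is added by the PowerShell certificate provider
    $ekuOids  = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)

    [pscustomobject]@{
        Subject        = $_.Subject
        Issuer         = $_.Issuer
        NotAfter       = $_.NotAfter
        DaysLeft       = $daysLeft
        SmartCardLogon = $ekuOids -contains $smartCardLogonOid
        Status         = if ($daysLeft -lt 0) { 'EXPIRED' }
                         elseif ($daysLeft -lt $warnDays) { 'EXPIRING' }
                         else { 'OK' }
        Thumbprint     = $_.Thumbprint
    }
} | Sort-Object NotAfter | Format-List
```

    Compare the Subject of each entry against your own name; entries for other users are the ones the 'Delete' step above is meant for.
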
  11. Why am I asked for a password after logging in with my PIN?

    Applications such as WiFi, Outlook and Jabber that may be set to auto-login may now need to be logged into separately.

  12. How can I apply for an exemption or waiver?

    See the section below, "Exemptions and Waivers."

  13. What is the policy regarding taking your Smartcard Badge on foreign travel?

    There is no formal policy for traveling with your smartcard, but travelers should consider the destination and purpose of travel. Once passwords are disabled for system login, users should consider obtaining loaners or contacting 4-HELP to temporarily set login to JPL username/password during travel. Users

  14. Do I need a reader when connecting to the JPL network from my personal home computer?

    No, you do not need a reader if you are just connecting to the JPL network. However, if you use remote desktop to log into your subscribed system at work, you will need to have a reader and your smartcard.

  15. Do I need to use smartcard login for Parallels on a Mac?

    You can use smartcard login for Parallels, but it is not required at this time.

General Troubleshooting

  1. Inserting my smartcard has no effect.

    Remove the smartcard and re-insert it. You may need to wait for the green light to stop flashing.

  2. The system could not log you on. The domain specified is not available. Please try again later.

    The first time you log in with your smartcard you need to be on the JPL Network. If you are using JPL WiFi or are remote, first log in to WiFi or VPN with your JPL Password or RSA Token, respectively. Lock the system, then hit any key to unlock. Click on "Sign-in options" located under the Password field and click on the square icon (smartcard). The Password field should change to "PIN".
    Once you've logged in on the JPL network, your credentials should be cached to enable future login off network.

  3. The requested key container does not exist on the smart card.

    This is typically a driver error seen when the reader is detached then re-attached after start-up. You will generally need to reboot to get them back in sync. As a best practice, have the reader inserted before starting up or unlocking your system.

  4. Signing in with a smart card is not supported by your account. For more info, contact your administrator.
    • Once you enter your PIN, your credentials have to be sync'd with the Active Directory and that can take up to 30 seconds. Wait 30 seconds and try again. If that doesn't work, here are a few other things you can try:
      • Try a different reader or try locking/unlocking your screen.
      • If all else fails, reboot your system to clear everything and start over.
  5. The system could not log you on. An incorrect PIN was presented to the smartcard.

    1. If you are using the number keypad, verify that the "NUM LOCK" key is ON.
    2. Verify that "Caps Lock" is OFF.
    3. Check that you're using the correct PIN. It should be 6-8 digits.

  6. The system could not log you on. The smartcard is blocked.

    You have been locked out due to entering an incorrect PIN 15 times. Contact the PSD Badging Office (4-5050) to schedule an appointment to reset your PIN.

  7. The system could not log you on. The smartcard certificate used for authentication has expired.

    Contact the PSD Badging Office to have an updated certificate loaded onto your smartcard. For an appointment, call 4-5050 or schedule online via the Badge Scheduler link available in your EBIS JPL Employee Toolkit.

  8. The system could not log you on. The revocation status of the smartcard certificate used for authentication could not be determined.

    Contact the JPL Service Desk (4-HELP).

  9. You cannot use a smartcard to log on because the smartcard login is not supported for your user account.

    This is likely due to a delay in syncing with the Active Directory when the card is inserted. Please wait 30 seconds and try again.

  10. Context was acquired as silent.

    This error results from no PIN being entered at login. Often the Caps Lock or Num Lock key is in effect, and the PIN is not being recorded as you type it. Check those and retry.

Exemptions (short-term) and Waivers (long-term)

  1. What systems qualify for a temporary exemption from Mandatory Smartcard Authentication?

    Temporary exemptions are granted for a few different reasons, primarily for cases where the user has forgotten their smartcard badge (until 10 a.m. PT the following day) or lost/damaged their smartcard badge (up to 60 days). Systems may also be exempted up to 10 days for travel or for cases when smartcard login is not working and help is needed from a Field Tech.

  2. How do I request a temporary exemption?

    1. Temporary exemptions may be requested via the JPLIT Catalog. However, if you forget your badge and obtain a temporary badge from the Visitor Center kiosk or any Officer Station, any systems registered in your name are set back to password login until 10 a.m. (PT) the following day. No further action is required.
    2. You may also request an exemption by calling 4-HELP.

    Note: If your workstation is on the network, you will need to restart your system to apply the update before you can select password for sign-in. If off-network, you will need to call 4-HELP to get password access reset.

  3. What systems qualify for a long-term waiver (with annual review)?

    Waivers are only permitted with approval by Cybersecurity Management and for limited situations. A waiver may be approved for shared systems, including clean rooms, laboratory, training and kiosk systems. Waivers are also provided when a user does not qualify for a smartcard badge.

  4. How do I request a waiver?

    1. Submit a request for your system or on behalf of another user via the JPL IT Catalog.
    2. An approval request will be routed through Cybersecurity Management.
    3. If the request is approved and your workstation is on the network, you will need to restart your system to apply the update before you can select password for sign-in. If off-network, you will need to call 4-HELP to get password access reset.
    4. If the request is denied, your Section or Division Manager will need to contact Cybersecurity to pursue the request further. A link will be provided in the denied request email.

Macintosh FAQs

  1. I am a full-time remote user. How do I get started?

    Log into your computer with your JPL username/password, then log in to VPN to get onto the JPL Network.

  2. Why does a pop-up reminder to remove my smartcard from the reader come up after I removed my smartcard?
  3. I am seeing a periodic message after login to enter my Keychain password. Is there a problem?

    Users are occasionally seeing this message, but not consistently. For now, enter your keychain password when prompted.

  4. I used to be able to login with just my FileVault password, but now I'm seeing the Apple username and password login screen after. Why is that?

    In order to utilize smartcards, the password pass-through feature (some users used to log on directly from FileVault) had to be disabled. Once your smartcard is paired, simply insert the card, wait for the prompt to change to PIN and enter your smartcard PIN.

Macintosh Troubleshooting

  1. A smartcard pairing dialog box did not appear when I inserted my smartcard in the reader.

    Make sure the reader is plugged into the system rather than an adapter or docking station. The closer the USB reader is to the system, the less problematic.

  2. When I typed in my User Name and Password for pairing, it failed despite the correct data. The message "Enter an administrator's name and password to allow this." displayed.

    You may not have Admin privileges on the system. Contact 4-HELP (4-4357) for assistance.

Windows FAQs

  1. Why does my laptop bypass smartcard login after the FDE passphrase screen?

    Some machines cache passwords with FDE PGP login as long as smartcard login is not mandatory. To test your smartcard, simply lock your computer to see the smartcard login option.

  2. I am unable to log in with my smartcard after a password change.

    After doing a password change, right-click on the Windows icon and sign out, then back in with password to synchronize your password change.

  3. After I authenticate and remove my badge I sometimes see a pop-up saying, "Windows needs your credentials". Why does this happen and what should I do?

    That is a residual Windows message that you can ignore. No action is required.

  4. Why don't I see smartcard listed as an authentication method?

    If you click Switch User and you still do not see smartcard as an option, it may mean that the computer system is not recognizing your smartcard reader. If the computer does not "see" a smartcard reader it will not offer the smartcard login option.

    If you are on a Windows 7 machine you may need to log off and back on again after you plug in your smartcard reader in order to get the option to select a smartcard for login.

    If you have an external smartcard reader that is connected to a USB port, make sure that it is plugged in securely.

    If you are using a smartcard reader for the first time, or if your computer operating system has been reloaded or restored, it is possible that the drivers for the smartcard reader device are not installed or not configured properly.

    If you are unable to resolve the issue, contact the JPL Service Desk (4-HELP).

  5. Sometimes when I login, I see the following: [Your Name] (Affiliate) with [username]@ndc.nasa.gov - What does this mean?

    That is just a reflection of the fact that your Smartcard credentials are issued by NASA, where JPLers are considered affiliates on their network (ndc.nasa.gov).

  6. Does smartcard login affect access to my Linux system when accessing virtual Windows systems?

    No, rollout is based on the workstation OS and not on VMs at this time.

  7. I got a pop-up referencing 'My Digital ID Card' asking me to accept an update. What should I do?

    My Digital ID Card is the certificate update service for smartcards. Accepting this will allow you to renew your certs without visiting the badging office.

Windows Troubleshooting

  1. No valid certificates were found on this smartcard. Please try another smartcard or contact your administrator.
    Once you enter your PIN, your credentials have to be sync'd with the Active Directory and that can take up to 30 seconds. Wait 30 seconds and try again. If that doesn't work, here are a few other things you can try:
    • Uninstall and reinstall the ActivClient (in Software Center). If needed, call 4-HELP for assistance.
    • Try a different reader or try locking/unlocking your screen.
    • If all else fails, reboot your system to clear everything and start over.
  2. Windows log-in Failure - certificate used could not be trusted.

    Contact the JPL Service Desk (4-HELP).

https://dir.jpl.nasa.gov/pivfaq.php