Info
It is important to keep your YubiKey or Smartcard secure and prevent unauthorized access. Do not share your PIN or allow anyone else to use your YubiKey or Smartcard. If you suspect that your YubiKey or Smartcard has been lost, stolen, or compromised in any way, contact IT support immediately.
Warning
Be aware that YubiKeys have a limit of 10 attempts for entering a PIN before they automatically lock. If your YubiKey locks, you will need to contact ADTT@syr.edu to have it reset. To avoid this issue, make sure to enter your PIN carefully and avoid entering an incorrect PIN multiple times.
Steps for setting up
Using an AD-managed Windows computer:
- Use RDP (Remote Desktop Connection) to connect to the server smartcard.syr.edu
- When prompted for Logon,
- If you are RENEWING YOUR YubiKey: use your current YubiKey and current PIN to log onto the server.
- If you are SETTING UP A YubiKey: You received an email from "Smart Card Manager" with a username and password.
- After opening RDP, select "More choices" and log in as a different account. Use the username: c-netid (example: c-testuser or AD\c-testuser) and the password from the email.
- On the desktop of the server find the "Setup Smartcard" icon in the upper left and double click on it.
A PowerShell window will launch and the program will begin.
- If not already inserted, plug the YubiKey into a USB port on the computer.
- The process is now underway and can take a few moments.
A new window will appear. Press "More Choices". Select the YubiKey option (it looks like a small credit card icon) from the list if not already selected. If the window appears with no option for a YubiKey and PIN, but instead asks for a smartcard to be connected, make sure the smartcard is inserted correctly into the USB port and that the RDP session allows smart card passthrough. To turn on smart card passthrough, close the Smartcard Setup window and log out of smartcard.syr.edu. Open RDP, go to Show Options/Local Resources/More... and make sure "Smart Card" is checked.
- When prompted for a PIN:
- If you are RENEWING YOUR YubiKey: use your current PIN.
- If you are SETTING UP A YubiKey: use the default PIN 123456.
Shortly after, you will be prompted to re-enter the same PIN so that the root certificate can be added, which makes the YubiKey more versatile.
- When the program states "press Enter to exit", you can sign out of the RDP session by following these steps: go to the Start Menu, click on the silhouette of a person located just above the Start Menu, and select the Sign Out option.
- After completing the process, direct login to any server using only the username and password, as done in step 2, will no longer be possible. Instead, you will be required to use the Smartcard and its associated PIN. (The smartcard should show up under "More Choices" when using RDP.)
If you are RENEWING your YubiKey, the PIN will remain unchanged.
If you are SETTING UP your YubiKey, you will need to establish a PIN that consists of exactly eight characters. This can be accomplished by accessing the Security Option Window on a Windows machine.
- Remove and reinsert the YubiKey in the USB port before trying to use it.
- If you just renewed your smartcard, you might need to reboot your system before the Kerberos protocol can utilize the smartcard subsystem.
Video Tutorial
Info
Please note that the terms "Smartcard" and "YubiKey" are used interchangeably.
YubiKeys for Non-ITS Staff, Faculty, and/or Vendors
- The IT unit that manages the YubiKey end user should order the YubiKey or receive it from the user if they are providing their own.
- The IT unit can then complete the setup of the YubiKey on behalf of the user by contacting ADTT@syr.edu.
- After the card is set up, it can be given, or mailed, to the user with instructions on how to set the PIN.
Setup and Reset Requests for Non-ITS users
If the request is to set up a new card:
- The DSP should have the physical card with them
- Contact ADTT@syr.edu and ADTT will find a time to help the DSP set up the card in the name of the user
Use the following link to reserve a time with an ADTT team member: Smartcard Setup
- (Optional) After the account is created and the card is set up, the DSP can add the c- account to whatever groups the user may need
- The DSP can deliver the card to the user, please verify the actual user receives the card, and explain how to change the PIN (Change Smartcard PIN)
If the request is to reset a smartcard:
- The DSP can collect the card from the user, reset the card (Reset YubiKey / Smartcard To Factory Default), and contact ADTT@syr.edu
- ADTT will assist in resetting the card just like the steps above.
Changing the PIN on the Smartcard
If the YubiKey is still using the default PIN of 123456, it will need to be changed before the end user can access Syracuse University resources. Instructions for changing the PIN on your Smartcard are found here: https://answers.syr.edu/x/JTfLBw
Troubleshooting
General
Ensure that the YubiKey is inserted correctly into the USB port. If you are using a USB-A style YubiKey, it can be inserted in either orientation. When inserted correctly, the "y" on the card will flash green.
The gold medallion on the YubiKey functions as a touch button. Touching it generates a one-time password (OTP) and simulates an Enter key press. Although this feature is not currently utilized, it may be used in the future.
If you encounter an "Access Denied" warning while attempting to log into the server during step two, your account likely has SmartcardLogonRequired set to true. In such cases, please contact your IT team for assistance.
If you are waiting for a prompt to enter a PIN for an extended period (more than 20 seconds) and it does not appear, click on the CMD window and press Enter twice. If the issue persists, please reach out to ITS for further support.
Windows Specific
Check the Smart Cards setting for a Yubico Minidriver under Device Manager on your computer. If the driver is not present and the computer is DOMAIN JOINED, restart the computer, and check again. If the driver is still missing, contact ITS for assistance.
If the driver is not present and the computer is NOT DOMAIN JOINED, download the driver manually from Yubico's website (https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/). Go to yubico.com > Support > Downloads, find the CAB download for the Yubico mini-driver, and extract it to a folder. Right-click the .inf file and select "Install." After the driver is installed, the computer may require a restart.
If you receive the error message "The client has failed to validate the domain controller certificate for _______. The following error was returned from the certificate validation process: A certificate chain could not be built to a trusted root authority." on a non-DOMAIN JOINED computer, it may mean the computer does not trust the root certificate from AD. Contact ADTT@syr.edu for assistance with trusting the cert.
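The Device Manager and RDP "Smart Card" checks above can also be run from a script. The following PowerShell is an added example, not part of the original page or any Yubico or ITS tooling: it lists Smart Card class devices (matching the Yubico Minidriver on "Yubi" in the device name is an assumption) and reads or fixes the `redirectsmartcards` setting in a saved .rdp connection file, which is what the Local Resources/More.../Smart Card checkbox writes; the .rdp path is a placeholder.

```powershell
# Added example; not part of the original page or any Yubico/ITS tooling.
# Assumptions: the .rdp path below is a placeholder, and the Yubico Minidriver
# device is identified by matching "Yubi" in its friendly name.

function Get-YubiKeyMinidriverDevice {
    # Lists Smart Card class devices Windows has bound to a driver.
    # An empty result means the minidriver is missing (see the steps above).
    Get-PnpDevice -Class SmartCard -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -like '*Yubi*' } |
        Select-Object FriendlyName, Status, InstanceId
}

function Get-SmartCardRedirectionState {
    # Reads the key mstsc writes for Local Resources > More... > Smart Card.
    # Returns 'enabled', 'disabled', or 'unset' (key absent from the file).
    param([Parameter(Mandatory)][string]$RdpFile)
    foreach ($line in Get-Content -Path $RdpFile) {
        if ($line -match '^redirectsmartcards:i:(\d)\s*$') {
            if ($Matches[1] -eq '1') { return 'enabled' } else { return 'disabled' }
        }
    }
    return 'unset'
}

function Enable-SmartCardRedirection {
    # Rewrites the .rdp file so smart card passthrough is explicitly on,
    # the same effect as ticking "Smart Card" in the RDP client dialog.
    param([Parameter(Mandatory)][string]$RdpFile)
    $kept = @(Get-Content -Path $RdpFile |
        Where-Object { $_ -notmatch '^redirectsmartcards:i:' })
    Set-Content -Path $RdpFile -Value ($kept + 'redirectsmartcards:i:1')
}

# Usage with a placeholder path for the saved connection to smartcard.syr.edu
$rdp = "$env:USERPROFILE\Documents\smartcard.syr.edu.rdp"
Get-YubiKeyMinidriverDevice
if (Test-Path $rdp) {
    $state = Get-SmartCardRedirectionState -RdpFile $rdp
    "Smart card redirection in ${rdp}: $state"
    if ($state -ne 'enabled') { Enable-SmartCardRedirection -RdpFile $rdp }
}
```

If `Get-YubiKeyMinidriverDevice` returns nothing on a domain-joined machine, restart and re-check before installing the driver manually, as the steps above describe.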
macOS Specific
Apple computers may not be able to use the card after setup due to NLA. When the Mac attempts to connect to RDP, it requires a username and password before the Smartcard can be utilized, resulting in it not functioning properly. To overcome this obstacle, you can log into a Windows computer (such as a virtual machine) from your Apple computer and then use RDP from there. This approach enables the selection of the Smartcard or YubiKey from the "More Choices" option.
When using the RDP/remote client application to connect to servers, ensure that the remote client application on your Apple computer is version 10 or later.
If the Smartcard does not appear as an option when using the remote client application to configure it for the first time (assuming it is version 10+), it is likely that the connection does not support Smartcards. To address this issue, exit the connection, right-click on it in the RDP client application, select "Edit," navigate to the Devices tab, and ensure that "Smart Card" is checked. Reconnect to the session and try again.