Prerequisites

  • The end user will need to have their c- account already created by an IT admin and be in the correct initialization state.

  • The end user of the c- account and Smartcard/YubiKey should be the one performing these steps.
    • Exception is made for non-ITS Staff, faculty, and/or vendors.

  • YubiKeys get 10 attempts at logging in before it automatically locks. Afterwards it can be reset by contacting ADTT@syr.edu

  • Best practice is to log out of anything using your c- account beforehand if you previously were issued a Smartcard/YubiKey

Table of Contents


It is important to keep your YubiKey or Smartcard secure and prevent unauthorized access. Do not share your PIN or allow anyone else to use your YubiKey or Smartcard. If you suspect that your YubiKey or Smartcard has been lost, stolen, or compromised in any way, contact IT support immediately.


Be aware that YubiKeys have a limit of 10 attempts for entering a PIN before they automatically lock. If your YubiKey locks, you will need to contact ADTT@syr.edu to have it reset. To avoid this issue, make sure to enter your PIN carefully and avoid entering an incorrect PIN multiple times.


Steps to setup a Smartcard / YubiKey

Using a AD managed Windows computer:

  1. Use RDP (Remote Desktop Connection) to connect to the server smartcard.syr.edu

  2. When prompted for Logon, 
    1. If you are RENEWING YOUR YubiKey: use your current YubiKey to log onto the server.
    2. If you are SETTING UP A YubiKey: You received an email from "Smart Card Manager" with a username and password. 
      1. After opening RDP, select "More choices" and log in as a different account. Use the username: c-netid (example: c-testuser or AD\c-testuser) and the password from the email.

  3. On the desktop of the server find the "Setup Smartcard" icon in the upper left and double click on it.

  4. A command prompt will open,
    1. If not already inserted, plug the YubiKey into a USB port on the computer.

  5. The process is now underway and can take a few moments.

  6. A new window will appear. Press "More Choices". Select the YubiKey option (looks like a small credit card icon) from the list if not already selected.
    1. If the window appears and there is no option for a YubiKey and PIN, but rather it asks for a smartcard to be connected; be sure the smartcard is inserted correctly into the USB drive and also that the RDP session allows smart card passthrough. To turn on smart card passthrough, close out of the Smartcard Setup window and logout of smartcard.syr.edu. Open RDP, go to Show Options/Local Resources/More... and make sure "Smart Card" is checked.

  7. Enter the default PIN of the card. 
    1. If you are RENEWING YOUR YubiKey: use the PIN that you have set on the smartcard.
    2. If you are SETTING UP A YubiKey: use the default PIN 123456

  8. You will be prompted again for the SAME PIN a few moments later for the root certificate to be added so the YubiKey is more versatile. 

  9.  After, you can sign out of the RDP session. (Go to the Start Menu, click the silhouette of a person just above the Start Menu, Sign Out)

  10. Once completed you will not be able to log into any server directly with the username and password like what was done in step 2. You will need to use the Smartcard and pin. (The smartcard should show up under "More Choices" when using RDP)

  11. Remove and Reinsert the YubiKey in the USB port before trying to use it.
    1. If you just renewed your smartcard, you might need to reboot your system before the Kerberos protocol can utilize the smartcard subsystem.

Video Tutorial


Please note that the terms "Smartcard" and "YubiKey" are used interchangeably.


 

YubiKey's for Non-ITS Staff, faculty, and/or vendors

  • The IT unit that manages the YubiKey end user should order the YubiKey or receive it from the user if they are providing their own.

  • The IT unit can then complete the setup of the YubiKey on behalf of the user by contacting ADTT@syr.edu

  • After the card is setup, it can be given, or mailed, to the user with instructions on how to set the PIN.

Setup and Reset Requests for Non-ITS users

  1. If the request is to setup a new card:

    1. The DSP should have the physical card with them
    2. Contact ADTT@syr.edu and ADTT will find a time to help the DSP setup the card in the name of the user
      1. (Optional) After the account is created and the card is setup, the DSP can add the c- account to whatever groups the user may need
    3. The DSP can deliver the card to the user, please verify the actual user receives the card, and explain how to change the PIN (Change Smartcard PIN

  2. If the request is to reset a smartcard:
    1. The DSP can collect the card from the user, reset the card (Reset YubiKey / Smartcard To Factory Default), and contact ADTT@syr.edu 
    2. ADTT will assist in resetting the card just like the steps above.

Changing the PIN on the Smartcard

If the YubiKey is still using the default PIN of 123456, it will need to be changed before the end user can access Syracuse University resources. Instructions for changing the pin on your Smartcard are found here: https://answers.syr.edu/x/JTfLBw

Troubleshooting

General

  1. Make sure the YubiKey is inserted correctly into the USB port. If using a USB-A style YubiKey, it can fit in the port both ways. When inserted correctly, the "y" on the card will flash green.

  2. The gold medallion on the YubiKey is a touch button. Pressing or touching it generates a One-time password (OTP) and presses Enter. Currently, this feature is not used but may be used in the future.

  3. If you receive an "Access Denied" warning while trying to log into the server during step two, contact ITS as your account likely has SmartcardLogonRequired = true.

  4. If you are waiting for a prompt to appear to enter a PIN for an extended period (more than 20 seconds), click on the CMD window and press Enter twice. If this does not resolve the issue, please contact ITS.

Windows Specific

  1. Check the Smart Cards setting for a Yubico Minidriver under Device Manager on your computer. If the driver is not present and the computer is DOMAIN JOINED, restart the computer, and check again. If the driver is still missing, contact ITS for assistance.

  2. If the driver is not present and the computer is NOT DOMAIN JOINED, download the driver manually from Yubico's website (https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/). Go to yubico.com > Support > Downloads, find the CAB download for the Yubico mini-driver, and extract it to a folder. Right-click the .inf file and select "Install." After the driver is installed, the computer may require a restart.

  3. If you receive the error message "The client has failed to validate the domain controller certificate for _______. The following error was returned from the certificate validation process: A certificate chain could not be built to a trusted root authority." on a non-DOMAIN JOINED computer, it may mean the computer does not trust the root certificate from AD. Contact ADTT@syr.edu for assistance with trusting the cert.

macOS Specific

  1. Apple computers may not be able to use the card after setup due to NLA. When the Mac tries to connect to RDP, it requires a username and password before the Smartcard is used, making it not work. To get around this, log into a Windows computer (such as a VM) from the Apple computer and use RDP from there. This allows the selection of the Smartcard/YubiKey from "More Choices."

  2. When using the RDP/remote client application to remote into servers, make sure the Apple computer is on Version 10+.

  3. Assuming the remote client application is version 10+, if the Smartcard does not show up as an option when using it for the first time to configure it, the connection likely does not pass Smartcards. To resolve this issue, exit the connection, right-click it in the RDP client application, select "Edit," go to the devices tab, and make sure "Smart Card" is checked. Re-enter the session and try again.