...
- To complete these steps, the end user will need to have their c- account already created by an IT admin and be in the correct initialization state.
- The end user of the c- account and smart card should be the one performing these steps.
- A YubiKey gets 10 login attempts before it bricks (becomes locked out). Afterwards it can be reset by contacting ITSCIS@syr.edu.
- Best practice is to log out of anything using your c- account beforehand if you already have one.
Steps to set up or renew a Smart Card/YubiKey @ Syracuse University
Info |
---|
Smartcard and Yubikey are used interchangeably. |
Windows Computer:
- Use RDP (Remote Desktop Connection) to connect to the server "core-scmgmt-01" (you may need to type the domain, so "core-scmgmt-01.ad.syr.edu")
- When prompted for Logon,
- If you are RENEWING YOUR YUBIKEY: use your current Yubikey to log onto the server.
- If you are SETTING UP A NEW YUBIKEY: You received an email from "Smart Card Manager" with a username and password.
- After opening RDP, select "More choices" and log in as a different account. Use the username: c-netid (example: c-testuser or AD\c-testuser) and the password from the email.
- If the password above does not work, then the c- account might not have been staged correctly for the completion of these steps. Contact the IT group that provided the smart card.
- On the desktop of the server find the "Setup Smartcard" icon in the upper left and double click on it.
- A command prompt will open.
- If a VIRTUAL SMARTCARD is being made, remove any physical cards and press Enter. (Note: The rest of the documentation is on physical cards, but virtual are similar.)
- If a YUBIKEY is being RENEWED or CREATED, put the card into your USB port and press Enter.
- The process is now underway and can take a few moments.
- A new window will appear. Press "More Choices".
- Select the YubiKey option (looks like a small credit card icon) from the list and press "OK".
- Enter the default PIN of the card.
- For the YubiKeys provided by ITS, the default is: 123456
- You will be prompted again for a PIN a few moments later, 123456, for the root certificate to be added so the Yubikey is more versatile.
- Afterwards, you can sign out of the RDP session. (Go to the Start Menu, click the silhouette of a person just above the Start Menu, Sign Out)
- Some point after completion, the user account that was used will receive an email. In the email is a calendar appointment to renew the card in 2 years before it expires.
- Once completed, you will not be able to log into core-scmgmt-01 directly with the username and password like what was done in step 2. You will need to use the smartcard and PIN. (The smartcard should show up under "More Choices" when using RDP)
- Remove and reinsert the Yubikey in the USB port before trying to use it.
...
General Troubleshooting/Help:
- Make sure the YubiKey is inserted correctly into the USB port. YubiKeys can fit in a USB port both ways. When inserted correctly, the "y" on the card will flash green.
- (Windows) Under Device Manager on your computer, check the Smart Cards setting for a Yubico Minidriver.
- If the driver is not present and the computer you are on is DOMAIN JOINED, restart the computer and check again. Otherwise, contact ITS for help.
- If the driver is not present and the computer you are on is NOT DOMAIN JOINED, you will need to download the driver manually from Yubico's website. Contact ITS for assistance.
- (Windows) If you are not able to log into the server during step 2 due to "Access Denied", contact ITS; your account likely has SmartcardLogonRequired = true.
- (Mac OS) Mac computers can log into core-scmgmt-01 and set the card up, but may not be able to use the card after. This is because of NLA: when the Mac tries to connect to RDP, it requires a username and password before the smartcard is used, so the smartcard login does not work. To get around this, the Mac computer should log into a Windows computer (such as a VM) and RDP from there, so you may select the Smartcard/Yubikey from "More Choices".
- (Mac OS) Mac computers using the rdp/remote client application to remote into servers should make sure they are on Version 10+.
- (Mac OS) Assuming the remote client application is version 10+, when using the smartcard the first time to configure it, if it does not show up as an option, the connection likely does not pass smart cards. To resolve, exit the connection, right click it in the rdp client application and select Edit. Under the Devices tab, make sure Smart Card is checked. Re-enter the session and try again.
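The Windows checks in the troubleshooting list above (Yubico minidriver present, domain joined or not, SmartcardLogonRequired) can be scripted. The PowerShell below is an added example, not part of the original ITS documentation: the function names are hypothetical, matching on "Yubico"/"YubiKey" in the device properties is an assumption, and the second function assumes an IT admin running it with the ActiveDirectory (RSAT) module installed.

```powershell
# Added example (not ITS's own tooling). Run on the Windows computer the YubiKey is plugged into.

function Test-YubiKeyMinidriver {
    # Devices that Device Manager lists under "Smart cards" (PnP class "SmartCard").
    $cards = @(Get-PnpDevice -Class 'SmartCard' -PresentOnly -ErrorAction SilentlyContinue)
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # Assumption: a card bound to the Yubico minidriver reports "Yubico" as its
    # manufacturer or "YubiKey" in its friendly name.
    $yubico = @($cards | Where-Object {
        $_.Manufacturer -match 'Yubico' -or $_.FriendlyName -match 'YubiKey'
    })

    # Map the result onto the next step given in the troubleshooting list.
    if ($yubico.Count -gt 0) {
        $next = 'Minidriver present.'
    } elseif ($domainJoined) {
        $next = 'Restart the computer and check again; otherwise contact ITS.'
    } else {
        $next = "Download the driver manually from Yubico's website; contact ITS for assistance."
    }

    [pscustomobject]@{
        DomainJoined   = $domainJoined
        SmartCardsSeen = ($cards.FriendlyName -join '; ')
        YubicoDriver   = ($yubico.Count -gt 0)
        NextStep       = $next
    }
}

function Get-SmartcardLogonFlag {
    # For IT admins: shows whether the c- account already requires a smartcard,
    # which would explain "Access Denied" on the username/password logon in step 2.
    param([Parameter(Mandatory)][string]$SamAccountName)

    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADUser -Identity $SamAccountName -Properties SmartcardLogonRequired |
        Select-Object SamAccountName, Enabled, SmartcardLogonRequired
}

Test-YubiKeyMinidriver
# Get-SmartcardLogonFlag -SamAccountName 'c-testuser'   # example account name from this page
```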