...

  • The IT unit that manages the user should order the Yubikey or receive it from the user.
  • The IT unit can then complete the setup of the Yubikey on behalf of the user by contacting ADTT.
  • After the card is set up, it can be given, or mailed, to the user.

Steps to set up

...

a Smartcard @ Syracuse University

Info

Smartcard and Yubikey are used interchangeably.

...

  1. Use RDP (Remote Desktop Connection) to connect to the server smartcard.syr.edu

  2. When prompted for Logon, 
    1. If you are RENEWING YOUR YUBIKEY: use your current Yubikey to log onto the server.
    2. If you are SETTING UP A NEW YUBIKEY: You received an email from "Smart Card Manager" with a username and password. 
      1. After opening RDP, select "More choices" and log in as a different account. Use the username: c-netid (example: c-testuser or AD\c-testuser) and the password from the email.

  3. On the desktop of the server find the "Setup Smartcard" icon in the upper left and double click on it.

  4. A command prompt will open.
    1. If a VIRTUAL SMARTCARD is being made, remove any physical cards and press Enter. (The rest of the documentation covers physical cards, but virtual cards are similar.)
    2. If a YUBIKEY is being RENEWED or CREATED, put the card into your USB port and press Enter.

  5. The process is now underway and can take a few moments.

  6. A new window will appear. Press "More Choices". Select the YubiKey option (looks like a small credit card icon) from the list if not already selected.
    1. If the window appears with no option for a Yubikey and PIN, and instead asks for a smartcard to be connected, make sure the smartcard is inserted correctly into the USB port and that the RDP session allows smartcard passthrough. To turn on smartcard passthrough, close the smartcard setup prompt and log out of smartcard.syr.edu. Open RDP, go to Show Options/Local Resources/More... and make sure "Smartcard" is checked.

  7. Enter the default PIN of the card. 
    1. For the YubiKeys provided by ITS, if you are RENEWING YOUR YUBIKEY: use the PIN you have set on the smartcard.
    2. If you are SETTING UP A NEW YUBIKEY: use the default PIN 123456.

  8. You will be prompted again for the SAME PIN, 123456, a few moments later so that the root certificate can be added, which makes the Yubikey more versatile.

  9. Afterwards, you can sign out of the RDP session. (Go to the Start Menu, click the silhouette of a person just above the Start Menu, Sign Out)
    At some point after completion, the user account that was used will receive an email. The email contains a calendar appointment to renew the card in 2 years, before it expires.

  10. Once completed, you will not be able to log into any server directly with the username and password as was done in step 2. You will need to use the smartcard and PIN. (The smartcard should show up under "More Choices" when using RDP.)

  11. Remove and reinsert the Yubikey in the USB port before trying to use it.
    1. If you just renewed your smartcard, you may need to reboot your system before the Kerberos protocol can utilize the smartcard subsystem.
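
The smartcard passthrough check from step 6.1 can also be run against a saved .rdp connection file. This is an added example, not part of the original instructions; it assumes the RDP client saved its settings to an .rdp file, and that a missing `redirectsmartcards` line means the documented default of 1 (redirection on).

```python
"""Check a saved .rdp file for smartcard passthrough (added example)."""

EXPECTED_HOST = "smartcard.syr.edu"  # server named in step 1


def decode_rdp(data: bytes) -> str:
    # mstsc normally saves .rdp files as UTF-16 with a BOM;
    # hand-edited files are often UTF-8.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_rdp(text: str) -> dict:
    """Return {name: value} from 'name:type:value' lines; later lines win."""
    settings = {}
    for line in text.splitlines():
        # Split at most twice so values such as 'host:3389' stay intact.
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings


def check_passthrough(data: bytes, expected_host: str = EXPECTED_HOST) -> list:
    """Return a list of findings; an empty list means the file looks right."""
    settings = parse_rdp(decode_rdp(data))
    findings = []
    # Assumption: an absent line means the default of 1 (redirect smartcards).
    if settings.get("redirectsmartcards", "1") != "1":
        findings.append("smartcard redirection is off (redirectsmartcards is not 1)")
    # Drop an optional ':port' suffix before comparing the host name.
    host = settings.get("full address", "").lower().split(":")[0]
    if host != expected_host:
        findings.append(f"full address is {host or 'missing'!r}, expected {expected_host!r}")
    return findings


# Constructed sample files, not taken from a real client.
GOOD = "full address:s:smartcard.syr.edu\r\nredirectsmartcards:i:1\r\n".encode("utf-16")
BAD = b"full address:s:smartcard.syr.edu:3389\nredirectsmartcards:i:0\n"

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_passthrough(blob) or "ok")
```

A finding about `redirectsmartcards` corresponds to the "Smartcard" box under Show Options/Local Resources/More... being unchecked.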

...

If the smart card is still using the default PIN of 123456, the PIN should be changed. Follow the instructions at the link below to complete the change.

Reset Change Smartcard LockoutPIN

Unique Cases:

Smartcard for a non-IT user:

...