
Prerequisites


  • The end user's c- account must already have been created by an IT admin and be in the correct initialization state.

  • The end user of the c- account and Smartcard/YubiKey should be the one performing these steps.
    • An exception is made for non-ITS Staff, faculty, and/or vendors.

  • A YubiKey locks automatically after 10 failed logon attempts. A locked YubiKey can be reset by contacting ADTT@syr.edu.

  • If you were previously issued a Smartcard/YubiKey, log out of everything that uses your c- account before starting.


Steps to setup a Smartcard / YubiKey


Using an AD-managed Windows computer:

  1. Use RDP (Remote Desktop Connection) to connect to the server smartcard.syr.edu.

  2. When prompted to log on:
    1. If you are RENEWING YOUR YubiKey: use your current YubiKey to log onto the server.
    2. If you are SETTING UP A YubiKey: you received an email from "Smart Card Manager" with a username and password.
      1. After opening RDP, select "More choices" and log in as a different account. Use the username c-netid (example: c-testuser or AD\c-testuser) and the password from the email.

  3. On the desktop of the server, find the "Setup Smartcard" icon in the upper left and double-click it.

  4. A command prompt will open.
    1. If not already inserted, plug the YubiKey into a USB port on the computer.

  5. The process is now underway and can take a few moments.

  6. A new window will appear. Press "More choices" and select the YubiKey option (a small credit card icon) from the list if it is not already selected.
    1. If the window has no YubiKey and PIN option but instead asks for a smartcard to be connected, check that the YubiKey is inserted correctly into the USB port and that the RDP session allows smart card passthrough. To turn on smart card passthrough, close the Smartcard Setup window and log out of smartcard.syr.edu. Open RDP, go to Show Options > Local Resources > More..., and make sure "Smart Card" is checked.

  7. Enter the PIN for the card:
    1. If you are RENEWING YOUR YubiKey: use the PIN that you have set on the smartcard.
    2. If you are SETTING UP A YubiKey: use the default PIN 123456.

  8. A few moments later you will be prompted for the SAME PIN again so that the root certificate can be added, which makes the YubiKey usable for more purposes.

  9. Afterwards, sign out of the RDP session (open the Start Menu, click the silhouette of a person just above it, and choose Sign Out).

  10. Once setup is complete, you will no longer be able to log into any server directly with the username and password used in step 2. You must use the Smartcard and PIN (the smartcard appears under "More choices" when using RDP).

  11. Remove and reinsert the YubiKey in the USB port before trying to use it.
    1. If you just renewed your smartcard, you may need to reboot your computer before Kerberos can use the smartcard subsystem.

Video Tutorial



Note: the terms "Smartcard" and "YubiKey" are used interchangeably.

Video: SetupYubikeyTutorial.mp4
 

YubiKeys for Non-ITS Staff, faculty, and/or vendors


  • The IT unit that manages the YubiKey end user should order the YubiKey or receive it from the user if they are providing their own.

  • The IT unit can then complete the setup of the YubiKey on behalf of the user by contacting ADTT@syr.edu

  • After the card is setup, it can be given, or mailed, to the user with instructions on how to set the PIN.

Setup and Reset Requests for Non-ITS users


  1. If the request is to setup a new card:

    1. The DSP should have the physical card with them.
    2. Contact ADTT@syr.edu; ADTT will find a time to help the DSP set up the card in the name of the user.
      1. (Optional) After the account is created and the card is set up, the DSP can add the c- account to whatever groups the user may need.
    3. The DSP can deliver the card to the user. Verify that the actual user receives the card, and explain how to change the PIN (see Change Smartcard PIN).

  2. If the request is to reset a smartcard:
    1. The DSP can collect the card from the user, reset the card (Reset YubiKey / Smartcard To Factory Default), and contact ADTT@syr.edu 
    2. ADTT will assist in resetting the card just like the steps above.



Changing the PIN on the Smartcard


If the YubiKey is still using the default PIN of 123456, it must be changed before the end user can access Syracuse University resources. Instructions for changing the PIN on your Smartcard are found here: https://answers.syr.edu/x/JTfLBw



Troubleshooting


General

  1. Make sure the YubiKey is inserted correctly into the USB port. If using a USB-A style YubiKey, it can fit in the port both ways. When inserted correctly, the "y" on the card will flash green.

  2. The gold medallion on the YubiKey is a touch button. Pressing or touching it generates a one-time password (OTP) and presses Enter. Currently, this feature is not used but may be used in the future.

  3. If you receive an "Access Denied" warning while trying to log into the server during step two, contact ITS, as your account likely has SmartcardLogonRequired = true.

  4. If you are waiting for a prompt to appear to enter a PIN for an extended period (more than 20 seconds), click on the CMD window and press Enter twice. If this does not resolve the issue, please contact ITS.

Windows Specific

  1. Check the Smart Cards setting for a Yubico Minidriver under Device Manager on your computer. If the driver is not present and the computer is DOMAIN JOINED, restart the computer and check again. If the driver is still missing, contact ITS for assistance.

  2. If the driver is not present and the computer is NOT DOMAIN JOINED, download the driver manually from Yubico's website (https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/). To get to the driver download you can go to yubico.com > Support > Downloads, find the CAB download for the Yubico mini-driver, and extract it to a folder. Right-click the .inf file and select "Install." After the driver is installed, the computer may require a restart.

  3. If you receive the error message "The client has failed to validate the domain controller certificate for _______. The following error was returned from the certificate validation process: A certificate chain could not be built to a trusted root authority." on a NOT DOMAIN JOINED computer, it may mean the computer does not trust the root certificate from AD. Contact ADTT@syr.edu for assistance with trusting the cert.

macOS Specific

  1. Apple computers may not be able to use the card after setup due to NLA. When the Mac tries to connect to RDP, it requires a username and password before the Smartcard is used, so the Smartcard logon does not work. To get around this, log into a Windows computer (such as a VM) from the Apple computer and use RDP from there. This allows the selection of the Smartcard/YubiKey from "More choices."

  2. When using the RDP/remote client application to remote into servers, make sure the Apple computer's remote client application is version 10+.

  3. Assuming the remote client application is version 10+, if the Smartcard does not show up as an option when using it for the first time to configure it, the connection likely does not pass Smartcards. To resolve this issue, exit the connection, right-click it in the RDP client application, select "Edit," go to the Devices tab, and make sure "Smart Card" is checked. Re-enter the session and try again.
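The following PowerShell script is an added example and is not part of this answers.syr.edu article or any ITS tooling. It automates the client-side checks behind step 6.1 of the setup (smart card passthrough in the RDP session) and the Windows-specific troubleshooting items above (Yubico minidriver present in Device Manager; AD root certificate trusted on a non-domain-joined computer), then launches mstsc with an .rdp file that already has smart card redirection enabled. The host name smartcard.syr.edu comes from the article; the device friendly-name/manufacturer patterns used to spot the Yubico minidriver and the root-CA subject pattern are assumptions and should be adjusted to your environment.

```powershell
<#
  Added example, not part of the original answers.syr.edu article or any ITS tooling.
  Run in an elevated PowerShell on the Windows client before connecting to smartcard.syr.edu.
    - writes an .rdp file with smart card passthrough (redirectsmartcards) already enabled,
      the equivalent of Show Options > Local Resources > More... > Smart Card in mstsc
    - checks that a smart card reader and the Yubico minidriver are present in Device Manager
    - on a non-domain-joined client, checks the AD root CA is in the machine's Trusted Root store
  ASSUMPTIONS: the '*Yubi*' / '*Yubico*' device patterns and the '*Syracuse*' root-CA subject
  pattern are guesses; adjust them to match your environment.
#>
param(
    [string]$RdpHost = 'smartcard.syr.edu',
    [string]$RdpFile = (Join-Path $env:USERPROFILE 'Desktop\smartcard-setup.rdp'),
    [string]$RootCaSubjectPattern = '*Syracuse*'   # ASSUMPTION: subject of the AD root CA
)

function New-SmartcardRdpFile {
    param([string]$Path, [string]$ComputerName)
    $settings = @(
        "full address:s:$ComputerName",
        'redirectsmartcards:i:1',       # smart card passthrough; without it the server asks for a card to be connected
        'enablecredsspsupport:i:1',     # NLA; the Smartcard/YubiKey entry then appears under "More choices"
        'authentication level:i:2',
        'prompt for credentials:i:1'
    )
    Set-Content -Path $Path -Value $settings -Encoding ASCII
    return $Path
}

function Get-PresentSmartCardReaders {
    # The YubiKey's PIV applet enumerates as a USB CCID smart card reader.
    @(Get-PnpDevice -Class SmartCardReader -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object Status -eq 'OK')
}

function Get-YubicoMinidriverDevices {
    # Once the minidriver is installed, the inserted YubiKey appears under the Smart cards class.
    # ASSUMPTION: the device's FriendlyName or Manufacturer mentions Yubi/Yubico.
    @(Get-PnpDevice -Class SmartCard -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -like '*Yubi*' -or $_.Manufacturer -like '*Yubico*' })
}

function Get-TrustedRootsMatching {
    param([string]$SubjectPattern)
    # LocalMachine\Root is the store the RDP client uses to build the chain for the
    # domain controller certificate; a missing AD root CA produces the chain error above.
    @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like $SubjectPattern)
}

$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

if ((Get-PresentSmartCardReaders).Count -eq 0) {
    Write-Warning 'No smart card reader present: remove and reinsert the YubiKey (the "y" should flash green).'
}

if ((Get-YubicoMinidriverDevices).Count -eq 0) {
    if ($domainJoined) {
        Write-Warning 'Yubico minidriver not loaded on a domain-joined computer: restart and check again, then contact ITS.'
    } else {
        Write-Warning 'Yubico minidriver not loaded: install the mini-driver CAB from https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/ (right-click the .inf > Install), then restart.'
    }
}

if (-not $domainJoined -and (Get-TrustedRootsMatching -SubjectPattern $RootCaSubjectPattern).Count -eq 0) {
    Write-Warning 'AD root CA not found in Cert:\LocalMachine\Root; expect "A certificate chain could not be built to a trusted root authority". Contact ADTT@syr.edu.'
}

$file = New-SmartcardRdpFile -Path $RdpFile -ComputerName $RdpHost
Write-Host "Launching mstsc with smart card passthrough enabled: $file"
Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$file`""
```

Save it as, for example, Test-SmartcardSetup.ps1 and run it from an elevated PowerShell on the Windows client; the warnings map directly to the troubleshooting items above. After setup has completed and the YubiKey has been removed and reinserted, `certutil -scinfo` lists the readers and the certificates on the card (it may prompt for the PIN), which is a quick way to confirm the card is ready before attempting a Smartcard logon. The script does not address the macOS NLA limitation, for which the article's workaround (RDP from a Windows computer or VM) still applies.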