    Prerequisites

  • The end user will need to have their c- account already created by an IT admin and be in the correct initialization state.
  • The end user of the c- account and Smartcard/YubiKey should be the one performing these steps. An exception is made for non-ITS staff, faculty, and/or vendors.
  • YubiKeys get 10 attempts at logging in before they automatically lock. Afterwards, the key can be reset by contacting ADTT@syr.edu.
  • Best practice is to log out of anything using your c- account beforehand if you were previously issued a Smartcard/YubiKey.
    Steps to setup a Smartcard / YubiKey

    Smartcard Setup

    • If a YubiKey is being reused, ensure it has been factory reset and that the default PIN is set to 123456.

    C- Account Request

    • The DSP (Department Support Personnel) for the department or unit must initiate the process by emailing ADTT@syr.edu with the c- account request.

    • The email should include any necessary SUPER permissions and the appropriate DAG number(s).

    Setup Appointment

    • Once the c- account is created, permissions are added, and the smartcard is provided to the end user, they should schedule a Smartcard Setup appointment to have the required certificates installed on the YubiKey.

    Info

    It is important to keep your YubiKey or Smartcard secure and prevent unauthorized access. Do not share your PIN or allow anyone else to use your YubiKey or Smartcard. If you suspect that your YubiKey or Smartcard has been lost, stolen, or compromised in any way, contact IT support immediately.

    Note

    Be aware that YubiKeys have a limit of 10 attempts for entering a PIN before they automatically lock. If your YubiKey locks, it will need to be reset; reach out to your IT support personnel for assistance.

    Once reset, schedule a Smartcard Setup appointment.


    Steps for a New Smartcard Setup

    Using an AD-managed Windows computer:

    1. Connect to the server:

      • Use Remote Desktop Connection (RDP) to connect to smartcard.syr.edu.

    2. Log in:

      • When prompted for logon, select "More choices" and choose "Use a different account."

      • Enter the username c-netid (e.g., c-testuser or AD\c-testuser) and the password provided in the email from Smart Card Manager.

    3. Launch the Smartcard Setup:

      • On the server's desktop, find the "Setup Smartcard" icon in the upper left and double-click it.

      • A PowerShell window will launch, and the program will begin.

      • If not already inserted, ensure the YubiKey is plugged into a USB port on the computer.

    4. Monitor the process:

      • The process is now underway and may take a few moments.

      • If you're concerned that the process hasn't started, you can confirm it's running if the white cursor is blinking on a new line in the console.

      • A new window will appear. Press "More Choices" and select the YubiKey option (it looks like a small credit card icon) from the list if it is not already selected.

      • If the window asks for a smartcard to be connected instead of offering a YubiKey and PIN option, make sure the YubiKey is inserted correctly into the USB port and that the RDP session allows smart card passthrough. To turn on smart card passthrough, close the Smartcard Setup window, log out of smartcard.syr.edu, open RDP, go to Show Options > Local Resources > More..., and make sure "Smart Card" is checked.

    5. Enter the PIN:

      • When prompted, enter the default PIN 123456.

      • Shortly after, you'll be prompted to reenter the same PIN to add the root certificate, enhancing the versatility of your YubiKey.

    6. Exit the program:

      • When the program states "press Enter to exit," sign out of the RDP session by following these steps:

        • Go to the Start Menu, click on the silhouette of a person located just above the Start Menu, and select the "Sign Out" option.

    7. Final steps:

      • After completing the process, direct login to any server using only the username and password, as done in step 2, will no longer be possible. Instead, you will be required to utilize the Smartcard and its associated PIN. (The smartcard should show up under "More Choices" when using RDP.)

      • You will need to establish a PIN that consists of exactly eight characters. This can be accomplished by accessing the Security Options window on a Windows machine via "Ctrl + Alt + Delete."

      • Remove and reinsert the YubiKey in the USB port before trying to use it.

    8. Reboot if needed:

      • If you just renewed your smartcard, you might need to reboot your system before the Kerberos protocol can utilize the smartcard subsystem.

    Video Tutorial

    Please note that the terms "Smartcard" and "YubiKey" are used interchangeably.

    Video: SetupYubikeyTutorial.mp4

    YubiKeys for Non-ITS Staff, faculty, and/or vendors

    • Order or Receive the YubiKey:

      • The IT unit responsible for managing the end user should order the YubiKey.

    • Set Up the YubiKey:

      • The IT unit can complete the YubiKey setup on behalf of the user by contacting ADTT@syr.edu.

    • Deliver the YubiKey:

      • Once the setup is complete, the YubiKey can be given or mailed to the user, along with instructions on how to set the PIN.

    Setup and Reset Requests for Non-ITS users

    If the request is to Set Up a New Card:

    1. Obtain the Physical Card:

      • The DSP (Department Support Personnel) should have the physical card with them.

    2. Schedule a Setup Appointment:

      • Contact ADTT@syr.edu; ADTT will find a time to help the DSP set up the card in the name of the user.

    3. (Optional) Group Membership Configuration:

      • After the account is created and the card is set up, the DSP can add the c- account to the necessary groups for the user.

    4. Deliver the Card to the User:

      • Ensure that the card is delivered directly to the intended user. Please verify that the actual user receives the card, and explain how to change the PIN.

    If the request is to Reset a Smartcard:

    1. Collect the Card:

      • The DSP should collect the card from the user.

    2. Reset the Card:

      • Reset the card to factory default (see "Reset YubiKey / Smartcard To Factory Default").

    3. Schedule a Reset Appointment:

      • Reserve a time with ADTT for assistance with resetting the card: Smartcard Setup.

    4. Reset Process Assistance:

      • ADTT will assist in resetting the card following the steps outlined above.



    Changing the PIN on the Smartcard

    If the YubiKey is still using the default PIN of 123456, it must be changed before the end user can access Syracuse University resources.

    Instructions

    Instructions for changing the PIN on your Smartcard are found here: https://answers.syr.edu/x/JTfLBw


    net/wiki/x/SAJECQ



    Steps for Smartcard Renewal


    10 days prior to certificate expiration, an email will be sent to the mailbox of the C- account that requires renewal. After receiving the email, follow the steps below to renew your smartcard without ADTT assistance.

    Using an AD-managed Windows computer:

    1. Connect to the Server

      • Use Remote Desktop Connection (RDP) to connect to smartcard.syr.edu.

    2. Log On

      • When prompted, use your current YubiKey and PIN to log onto the server.

    3. Launch the Smartcard Setup

      • On the server's desktop, locate the "Setup Smartcard" icon in the upper left and double-click it. A PowerShell window will launch, and the program will begin.

      • If not already inserted, plug the YubiKey into a USB port on the computer.

    4. Monitor the Process

      • The process is now underway and may take a few moments.

    5. Enter the PIN

      • When prompted, enter your current PIN.

      • Shortly after, you will be prompted to reenter the same PIN to add the root certificate, enhancing the versatility of your YubiKey.

    6. Exit the Program

      • When the program states "press Enter to exit," sign out of the RDP session by following these steps:

        • Go to the Start Menu, click on the silhouette of a person located just above the Start Menu, and select the "Sign Out" option.

    7. Post-Process

      • After completing the process, direct login to any server using only the username and password, as done in step 2, will no longer be possible. Instead, you will be required to utilize the Smartcard and its associated PIN.

      • If you are renewing your YubiKey, the PIN will remain unchanged.

    8. Final Steps

      • Remove and reinsert the YubiKey into the USB port before attempting to use it.

      • If you have just renewed your smartcard, you might need to reboot your system before the Kerberos protocol can utilize the smartcard subsystem.



    Troubleshooting

    General

    1. YubiKey Insertion

      • Ensure the YubiKey is properly inserted into the USB port. For USB-A style YubiKeys, it can be inserted in either orientation. When inserted correctly, the "y" on the card will flash green.

    2. YubiKey Touch Button

      • The gold medallion on the YubiKey functions as a touch button. Pressing or touching it generates a One-Time Password (OTP) and simulates an Enter key press. Although this feature is not currently utilized, it may be used in the future.

    3. Access Denied Warning

      • If you encounter an "Access Denied" warning while attempting to log into the server during step two, it is likely that your account has SmartcardLogonRequired set to true. In such cases, please contact your IT team for assistance.

    4. Delayed PIN Prompt

      • If you are waiting for a PIN prompt for more than 20 seconds and it does not appear, click on the PowerShell window and press Enter twice.

      • If the issue persists, please reach out to ITS for further support.

    Windows Specific

    1. Smart Cards Setting

      • Under Device Manager on your computer, check the Smart Cards setting for a Yubico Minidriver.

      • If the driver is not present and the computer is DOMAIN JOINED, restart the computer and check again. If the driver is still missing, contact ITS for assistance.

      • If the driver is not present and the computer is NOT DOMAIN JOINED, download the driver manually from Yubico's website (https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/). To get to the driver download, go to yubico.com > Support > Downloads and find the CAB download for the Yubico minidriver. When the minidriver is downloaded, right-click the .inf file and select "Install." After the driver is installed, the computer may require a restart.

    2. Certificate Validation Error

      • If you receive the error message "The client has failed to validate the domain controller certificate for _______. The following error was returned from the certificate validation process: A certificate chain could not be built to a trusted root authority." on a NOT DOMAIN JOINED computer, it may mean the computer does not trust the root certificate from AD.

      • Please contact ADTT@syr.edu for assistance with trusting the certificate.
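    The Windows checks above (the Smart Card service and Yubico minidriver in Device Manager, the domain-join state that decides the remediation path, trust of the AD root certificate behind the "certificate chain could not be built" error, and the SmartcardLogonRequired flag behind the "Access Denied" warning) can be gathered in one read-only PowerShell pass before contacting ITS. The script below is an added example and is not the university's setup program or anything published on this page; it relies only on built-in cmdlets (Get-Service, Get-PnpDevice, Get-CimInstance, Get-ChildItem on the Cert: drive) plus certutil, and on Get-ADUser only when the RSAT ActiveDirectory module happens to be installed. The account name c-testuser and the root CA subject pattern are placeholders to be replaced with the real values. It never enters or tests a PIN, so it cannot consume any of the 10 attempts.

```powershell
# Added example (not from the page or the university's tooling): read-only
# smartcard-readiness report for a Windows client. Assumes Windows 10/11 with
# PowerShell 5.1+, a YubiKey inserted, and optionally the RSAT AD module.
param(
    # c- account to inspect; placeholder, replace with the real sAMAccountName
    [string]$CAccount = 'c-testuser',
    # Subject pattern of the AD root CA; placeholder, replace with the real one
    [string]$RootCaPattern = 'CN=PLACEHOLDER-AD-ROOT-CA*'
)

function Write-Check([string]$Label, [bool]$Ok, [string]$Detail) {
    $state = if ($Ok) { 'OK  ' } else { 'WARN' }
    Write-Output ("[{0}] {1}: {2}" -f $state, $Label, $Detail)
}

# 1. The Smart Card service (SCardSvr) must be running for any reader to work.
$svc = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
Write-Check 'Smart Card service running' ($null -ne $svc -and $svc.Status -eq 'Running') ("status = {0}" -f $svc.Status)

# 2. A YubiKey enumerates as a smart card reader; no reader means no card.
$readers = Get-PnpDevice -Class SmartCardReader -ErrorAction SilentlyContinue | Where-Object Status -eq 'OK'
Write-Check 'Smart card reader present' ([bool]$readers) ($readers.FriendlyName -join '; ')

# 3. The page's Device Manager check: a Yubico minidriver bound under Smart Cards.
$cards  = Get-PnpDevice -Class SmartCard -ErrorAction SilentlyContinue
$yubico = $cards | Where-Object { $_.FriendlyName -like '*Yubi*' -or $_.Manufacturer -like '*Yubico*' }
Write-Check 'Yubico minidriver bound to card' ([bool]$yubico) ($cards.FriendlyName -join '; ')

# 4. Domain-join state: joined -> reboot and re-check; not joined -> install the
#    minidriver CAB manually and make sure the AD root CA is trusted.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Check 'Domain joined' $cs.PartOfDomain ("domain = {0}" -f $cs.Domain)

# 5. Root CA trust: on a non-joined machine the "certificate chain could not be
#    built" error means the AD root CA is missing from LocalMachine\Root.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object Subject -like $RootCaPattern
Write-Check 'AD root CA trusted' ([bool]$root) ("matched {0} certificate(s) for '{1}'" -f @($root).Count, $RootCaPattern)

# 6. Optional: SmartcardLogonRequired on the c- account explains an "Access
#    Denied" warning on a plain password logon. Needs the RSAT AD module.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    try {
        $u = Get-ADUser -Identity $CAccount -Properties SmartcardLogonRequired -ErrorAction Stop
        Write-Check 'Password logon still allowed' (-not $u.SmartcardLogonRequired) ("SmartcardLogonRequired = {0}" -f $u.SmartcardLogonRequired)
    } catch {
        Write-Check 'AD lookup' $false $_.Exception.Message
    }
} else {
    Write-Output '[INFO] ActiveDirectory module not installed; skipping SmartcardLogonRequired check.'
}

# 7. certutil -scinfo lists the certificates on the inserted card and the
#    chain-build result; -silent avoids PIN/UI prompts where possible.
Write-Output '--- certutil -silent -scinfo (first 40 lines) ---'
certutil -silent -scinfo 2>&1 | Select-Object -First 40
```

    Run it from a normal PowerShell prompt on the client that is failing (`.\Check-SmartcardReadiness.ps1 -CAccount c-yournetid`); a WARN on check 3 with PartOfDomain = False points at the manual minidriver install, a WARN on check 5 at the root certificate trust step, and a WARN on check 6 at the SmartcardLogonRequired explanation for "Access Denied".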

    macOS Specific

    1. Network Level Authentication (NLA) Issues

      • Issue: Apple computers may face issues using the smartcard after setup due to Network Level Authentication (NLA). When attempting to connect to RDP, macOS may require a username and password before allowing the smartcard to be utilized, which can prevent the smartcard from functioning properly.

      • Workaround: If you encounter this issue, one option is to use a Windows computer or virtual machine (VM) to connect via RDP. Once connected, you can use the Smartcard or YubiKey by selecting it from the "More Choices" option.

    2. RDP Version and Smartcard Recognition

      • Ensure Compatibility: Make sure your Apple computer is running macOS and Microsoft Remote Desktop app Version 10 or later, as newer versions offer better support for smartcards.

      • Smartcard Not Detected:

        • If your smartcard is not being recognized during RDP connection setup, first ensure that the smartcard is being recognized by macOS itself. You can use the pcsctest tool available in the Terminal.app to verify smartcard detection.

        • If macOS recognizes the smartcard but the Microsoft Remote Desktop app does not, check the "Devices & Audio" or "Redirection" settings in the app to ensure that smartcard redirection is enabled. Reconnect to the session and try again.

    3. First-Time Configuration Issues

      • Smartcard Not Appearing: If the Smartcard does not appear as an option when configuring it for the first time using the remote client application (assuming it is version 10+), it may indicate that the connection does not support Smartcards.

        • Fix: Exit the connection, right-click on it in the Microsoft Remote Desktop client application, select "Edit," navigate to the Devices tab, and ensure that "Smart Card" is checked. Reconnect to the session and try again.

        • Driver Consideration: Unlike Windows, macOS typically does not require additional drivers for most smartcards, including YubiKeys. However, keeping your system and Microsoft Remote Desktop app up-to-date is crucial for ensuring proper functionality.

    If issues persist, consider reaching out to ITS for further support or explore additional troubleshooting based on your specific environment’s configurations.