Prerequisites

Smartcard Setup

  • If a YubiKey is being reused, ensure it has been factory reset and that the default PIN is set to 123456.

C- Account Request

  • The DSP (Department Support Personnel) for the department or unit must initiate the process by emailing ADTT (ADTT@syr.edu).

Setup Appointment

  • Once the c- account is created, permissions are added, and the smartcard is provided to the end user, they should schedule a Smartcard Setup appointment with ADTT.


It is important to keep your YubiKey or Smartcard secure and prevent unauthorized access. Do not share your PIN or allow anyone else to use your YubiKey or Smartcard. If you suspect that your YubiKey or Smartcard has been lost, stolen, or compromised in any way, contact IT support immediately.

Note

Be aware that YubiKeys have a limit of 10 attempts for entering a PIN before they automatically lock. If your YubiKey locks, it will need to be reset; reach out to your IT support personnel for assistance.

Once reset, schedule a Smartcard Setup appointment.


Steps for a New Smartcard Setup

Using an AD-managed Windows computer:

  1. Connect to the server:

    • Use Remote Desktop Connection (RDP) to connect to smartcard.syr.edu.

  2. Log in:

    • When prompted for logon, select "More choices" and choose "Use a different account."

    • Enter the username c-netid (e.g., c-testuser or AD\c-testuser) and the password provided in the email from Smart Card Manager.

  3. Launch the Smartcard Setup:

    • On the server's desktop, find the "Setup Smartcard" icon in the upper left and double-click it. A PowerShell window will launch, and the program will begin.

    • If not already inserted, ensure the YubiKey is plugged into a USB port on the computer.

  4. Monitor the process:

    • The process is now underway and may take a few moments.

    • If you're concerned that the process hasn't started, you can confirm it's running if the white cursor is blinking on a new line in the console.

  5. Enter the PIN:

    • When prompted, enter the default PIN 123456.

    • Shortly after, you'll be prompted to reenter the same PIN to add the root certificate, enhancing the versatility of your YubiKey.

  6. Exit the program:

    • When the program states "press Enter to exit," you can sign out of the RDP session by following these steps:

      • Go to the Start Menu, click on the silhouette of a person located just above the Start Menu, and select the "Sign Out" option.

  7. Final steps:

    • After completing the process, direct login to any server using only the username and password, as done in step 2, will no longer be possible. Instead, you will be required to use the Smartcard and its associated PIN.

    • You will need to establish a PIN that consists of exactly eight characters. This can be accomplished by accessing the Security Options window on a Windows machine via Ctrl + Alt + Delete.

    • Remove and reinsert the YubiKey in the USB port before trying to use it.

  8. Reboot if needed:

    • If you just renewed your smartcard, you might need to reboot your system before the Kerberos protocol can utilize the smartcard subsystem.

Video Tutorial

[Embedded video]

Please note that the terms "Smartcard" and "YubiKey" are used interchangeably.


YubiKeys for Non-ITS Staff, Faculty, and/or Vendors

  • Order or Receive the YubiKey:

    • The IT unit responsible for managing the end user should order the YubiKey.

  • Set Up the YubiKey:

    • The IT unit can complete the YubiKey setup on behalf of the user by contacting ADTT@syr.edu.

  • Deliver the YubiKey:

    • Once the setup is complete, the YubiKey can be given or mailed to the user, along with instructions on how to set the PIN.

Setup and Reset Requests for Non-ITS users

If the request is to Set Up a New Card:

  1. Obtain the Physical Card:

    • The DSP (Department Support Personnel) should have the physical card with them.

  2. Schedule a Setup Appointment:

    • Reserve a time with ADTT.

  3. (Optional) Group Membership Configuration:

    • After the account is created and the card is set up, the DSP can add the c- account to the necessary groups for the user.

  4. Deliver the Card to the User:

    • Ensure that the card is delivered directly to the intended user. Please verify that the actual user receives the card and explain how to change the PIN (see Changing the PIN on the Smartcard below).

If the request is to Reset a Smartcard:

  1. Collect the Card:

    • The DSP should collect the card from the user.

  2. Reset the Card:

    • Reset the card to University defaults (Reset YubiKey / Smartcard To University Defaults).

  3. Schedule a Reset Appointment:

    • Reserve a time with ADTT.

  4. Reset Process Assistance:

    • ADTT will assist in resetting the card following the steps outlined above.



Changing the PIN on the Smartcard

If the YubiKey is still using the default PIN of 123456, it must be changed before the end user can access Syracuse University resources.

Instructions

Instructions for changing the PIN on your Smartcard are found here: https://su-jsm.atlassian.net/wiki/x/SAJECQ



Steps for Smartcard Renewal

10 days prior to certificate expiration, an email will be sent to the mailbox of the C- account that requires renewal. After receiving the email, follow the steps below to renew your smartcard without ADTT assistance.

Using an AD-managed Windows computer:

  1. Connect to the Server

    • Use Remote Desktop Connection (RDP) to connect to smartcard.syr.edu.

  2. Log On

    • When prompted, use your current YubiKey and PIN to log onto the server.

  3. Launch the Smartcard Setup

    • On the server's desktop, locate the "Setup Smartcard" icon in the upper left and double-click it. A PowerShell window will launch, and the program will begin.

    • If not already inserted, plug the YubiKey into a USB port on the computer.

  4. Monitor the Process

    • The process is now underway and may take a few moments.

  5. Enter the PIN

    • When prompted, enter your current PIN.

    • Shortly after, you will be prompted to reenter the same PIN to add the root certificate, enhancing the versatility of your YubiKey.

  6. Exit the Program

    • When the program states "press Enter to exit," sign out of the RDP session by following these steps:

      • Go to the Start Menu, click on the silhouette of a person located just above the Start Menu, and select the "Sign Out" option.

  7. Post-Process

    • After completing the process, direct login to any server using only the username and password, as done in step 2, will no longer be possible. Instead, you will be required to use the Smartcard and its associated PIN.

    • If you are renewing your YubiKey, the PIN will remain unchanged.

  8. Final Steps

    • Remove and reinsert the YubiKey into the USB port before attempting to use it.

    • If you have just renewed your smartcard, you might need to reboot your system before the Kerberos protocol can utilize the smartcard subsystem.



Troubleshooting

General

  1. YubiKey Insertion

    • Ensure the YubiKey is properly inserted into the USB port. For USB-A style YubiKeys, it can be inserted in either orientation. When inserted correctly, the "y" on the card will flash green.

  2. YubiKey Touch Button

    • The gold medallion on the YubiKey functions as a touch button. Pressing or touching it generates a One-Time Password (OTP) and simulates the Enter key press. Although this feature is not currently utilized, it may be used in the future.

  3. Access Denied Warning

    • If you encounter an "Access Denied" warning while attempting to log into the server during step two, it is likely that your account has SmartcardLogonRequired set to true. In such cases, please contact your IT team for assistance.

  4. Delayed PIN Prompt

    • If you are waiting for a PIN prompt for more than 20 seconds and it does not appear, click on the PowerShell window and press Enter twice. If the issue persists, please reach out to ITS for further support.

Windows Specific

  1. Smart Cards Setting

    • Check the Smart Cards setting for a Yubico Minidriver under Device Manager on your computer. If the driver is not present and the computer is DOMAIN JOINED, restart the computer and check again. If the driver is still missing, contact ITS for assistance.

    • If the driver is not present and the computer is NOT DOMAIN JOINED, download the driver manually from Yubico's website (https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/) and extract it to a folder, right-click the .inf file, and select "Install." After the driver is installed, the computer may require a restart.

  2. Certificate Validation Error

    • If you receive the error message "The client has failed to validate the domain controller certificate for _______. The following error was returned from the certificate validation process: A certificate chain could not be built to a trusted root authority." on a non-DOMAIN JOINED computer, it may mean the computer does not trust the root certificate from AD. Contact ADTT@syr.edu to obtain the root certificate.
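As an added example (not code from this page or from Syracuse ITS), the General and Windows Specific checks above can be scripted as a PowerShell pre-flight run on the user's own Windows computer before opening the RDP session. It assumes the Yubico Minidriver reports a provider name beginning with "Yubico", treats the ActiveDirectory RSAT module as optional, and uses the page's sample account c-testuser as a placeholder.

```powershell
# Added example (not from this page or Syracuse ITS): local pre-flight checks
# mirroring the Troubleshooting items above.
# Assumptions: the Yubico Minidriver reports a provider name starting with
# "Yubico"; the ActiveDirectory RSAT module may be absent; c-testuser is the
# page's sample account name, used here only as a placeholder.
param(
    [string]$CAccount = 'c-testuser'
)

$findings = @()

# The Smart Card service (SCardSvr) must be running for any smartcard logon.
$svc = Get-Service -Name 'SCardSvr' -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') {
    $findings += 'Smart Card service (SCardSvr) is not running.'
}

# Domain membership decides whether the minidriver should arrive automatically
# (domain joined) or must be installed manually (not domain joined).
$domainJoined = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

# Look for the Yubico Minidriver among installed smartcard-class drivers.
$yubico = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -eq 'SMARTCARD' -and $_.DriverProviderName -like 'Yubico*' }
if (-not $yubico) {
    if ($domainJoined) { $findings += 'Yubico Minidriver missing on a domain-joined computer: restart, re-check, then contact ITS.' }
    else { $findings += 'Yubico Minidriver missing on a non-domain computer: install it manually from Yubico (Windows Specific, item 1).' }
}

# Is a smartcard-class device present right now (i.e. is the YubiKey inserted)?
$present = Get-PnpDevice -Class SmartCard -PresentOnly -ErrorAction SilentlyContinue
if (-not $present) {
    $findings += 'No smartcard device is currently present: remove and reinsert the YubiKey.'
}

# Optional: the "Access Denied" cause from the General section. The lookup is
# skipped when the ActiveDirectory module is not installed on this computer.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $u = Get-ADUser -Identity $CAccount -Properties SmartcardLogonRequired -ErrorAction SilentlyContinue
    if ($u -and $u.SmartcardLogonRequired) {
        $findings += "$CAccount has SmartcardLogonRequired=True; password-only logon is refused (expected after setup)."
    }
}

# Report: an empty findings list means the local prerequisites are satisfied.
if ($findings.Count -eq 0) { 'All local smartcard prerequisites look OK.' } else { $findings }
```

Run it in an elevated PowerShell session so Win32_PnPSignedDriver and the service query are not restricted; each reported finding maps to one of the troubleshooting items above.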

macOS Specific

  1. Network Level Authentication (NLA) Issues

    • Issue: Apple computers may face issues using the smartcard after setup due to Network Level Authentication (NLA). When attempting to connect to RDP, macOS may require a username and password before allowing the smartcard to be utilized, which can prevent the smartcard from functioning properly.

    • Workaround: If you encounter this issue, one option is to use a Windows computer or virtual machine (VM) to connect via RDP. Once connected, you can use the Smartcard or YubiKey by selecting it from the "More Choices" option.

  2. RDP Version and Smartcard Recognition

    • Ensure Compatibility: Make sure your Apple computer is running macOS and Microsoft Remote Desktop app Version 10 or later, as newer versions offer better support for smartcards.

    • Smartcard Not Detected:

      • If your smartcard is not being recognized during RDP connection setup, first ensure that the smartcard is being recognized by macOS itself. You can use the pcsctest tool available in Terminal.app to verify smartcard detection.

      • If macOS recognizes the smartcard but the Microsoft Remote Desktop app does not, check the "Devices & Audio" or "Redirection" settings in the app to ensure that smartcard redirection is enabled. Reconnect to the session and try again.

  3. First-Time Configuration Issues

    • Smartcard Not Appearing: If the Smartcard does not appear as an option when configuring it for the first time using the remote client application (assuming it is version 10+), it may indicate that the connection does not support Smartcards.

      • Fix: Exit the connection, right-click on it in the Microsoft Remote Desktop client application, select "Edit," navigate to the Devices tab, and ensure that "Smart Card" is checked. Reconnect to the session and try again.

      • Driver Consideration: Unlike Windows, macOS typically does not require additional drivers for most smartcards, including YubiKeys. However, keeping your system and Microsoft Remote Desktop app up to date is crucial for ensuring proper functionality.

If issues persist, consider reaching out to ITS for further support or explore additional troubleshooting based on your specific environment's configurations.