
Prerequisites


Smartcard Setup

  • If a YubiKey is being reused, be sure it is factory reset and ensure the default PIN is returned to 123456

C- Account Request

  • DSP for the department or unit must initiate the process by emailing ADTT with the c- account request.
  • The email should include any necessary SUPER permissions and the appropriate DAG number(s).

Setup Appointment

  • Once the c- account is created, permissions have been added, and the smartcard provided to the end user, they should Schedule a Smartcard Setup appointment to have the required certificates installed on the YubiKey


It is important to keep your YubiKey or Smartcard secure and prevent unauthorized access. Do not share your PIN or allow anyone else to use your YubiKey or Smartcard. If you suspect that your YubiKey or Smartcard has been lost, stolen, or compromised in any way, contact IT support immediately.

Be aware that YubiKeys allow 10 attempts at entering a PIN before they automatically lock. If your YubiKey locks, it will need to be reset; reach out to your IT support personnel for assistance. Once it has been reset, Schedule a Smartcard Setup.



Steps for a New Smartcard Setup


Using an AD managed Windows computer:

  1. Use RDP (Remote Desktop Connection) to connect to the server smartcard.syr.edu

  2. When prompted for Logon, select "More choices" and log in as a different account.
    1. Use the username: c-netid (example: c-testuser or AD\c-testuser) and the password provided by the ADTT member walking through the setup steps.

  3. On the desktop of the server find the "Setup Smartcard" icon in the upper left and double click on it. A PowerShell window will launch, and the program will begin.
    1. If not already inserted, plug the YubiKey into a USB port on the computer.

  4. The process is now underway and can take a few moments.

  5. When prompted for a PIN: 
    1. Enter the default PIN 123456

  6. Shortly after, you will be prompted to re-enter the same PIN so that the root certificate can be added to the YubiKey.

  7. When the program states "press Enter to exit", you can sign out of the RDP session by following these steps:
    1. Go to the Start Menu, click on the silhouette of a person located just above the Start Menu, and select the Sign Out option.

  8. After completing the process, direct login to any server using only the username and password, as done in step 2, will no longer be possible. Instead, you will be required to utilize the Smartcard and its associated PIN. 
    1. You will need to establish a PIN that consists of exactly eight characters. This can be accomplished by accessing the Security Option Window on a Windows machine via "ctrl + alt + delete".

  9. Remove and Reinsert the YubiKey in the USB port before trying to use it.
    1. If you just renewed your smartcard, you might need to reboot your system before the Kerberos protocol can utilize the smartcard subsystem.

Video Tutorial




Please note that the terms "Smartcard" and "YubiKey" are used interchangeably.

 

YubiKeys for Non-ITS Staff, faculty, and/or vendors


  • The IT unit that manages the YubiKey end user should order the YubiKey or receive it from the user if they are providing their own.

  • The IT unit can then complete the setup of the YubiKey on behalf of the user by contacting ADTT@syr.edu

  • After the card is set up, it can be given, or mailed, to the user with instructions on how to set the PIN.

Setup and Reset Requests for Non-ITS users


  1. If the request is to set up a new card:

    1. The DSP should have the physical card with them
    2. Use the following link to reserve a time with an ADTT team member: Smartcard Setup

      1. (Optional) After the account is created and the card is setup, the DSP can add the c- account to whatever groups the user may need
    3. The DSP can deliver the card to the user. Please verify that the actual user receives the card, and explain how to change the PIN (Change Smartcard PIN).

  2. If the request is to reset a smartcard:
    1. The DSP can collect the card from the user, reset the card (Reset YubiKey / Smartcard To University Defaults), and reserve a time with ADTT here: Smartcard Setup
    2. ADTT will assist in resetting the card just like the steps above.



Changing the PIN on the Smartcard


If the YubiKey is still using the default PIN of 123456, it will need to be changed before the end user can access Syracuse University resources. Instructions for changing the PIN on your Smartcard are found here: https://su-jsm.atlassian.net/wiki/x/SAJECQ



Steps for Smartcard Renewal



10 days prior to certificate expiration, an email will be sent to the mailbox of the C- account that requires renewal. After receiving the email, follow the steps below to renew your smartcard without ADTT assistance.

Using an AD managed Windows computer:

  1. Use RDP (Remote Desktop Connection) to connect to the server smartcard.syr.edu

  2. When prompted for Logon, 
    1. Use your current YubiKey and current PIN to log onto the server.

  3. On the desktop of the server find the "Setup Smartcard" icon in the upper left and double click on it. A PowerShell window will launch and the program will begin.
    1. If not already inserted, plug the YubiKey into a USB port on the computer.

  4. The process is now underway and can take a few moments.

  5. When prompted for a PIN:
    1. Use your current PIN

  6. Shortly after, you will be prompted to re-enter the same PIN so that the root certificate can be added to the YubiKey.

  7. When the program states "press Enter to exit", you can sign out of the RDP session by following these steps:
    1. Go to the Start Menu, click on the silhouette of a person located just above the Start Menu, and select the Sign Out option.

  8. After completing the process, direct login to any server using only the username and password, as done in step 2, will no longer be possible. Instead, you will be required to utilize the Smartcard and its associated PIN. 
    1. If you are RENEWING your YubiKey, the PIN will remain unchanged.

  9. Remove and Reinsert the YubiKey in the USB port before trying to use it.
    1. If you just renewed your smartcard, you might need to reboot your system before the Kerberos protocol can utilize the smartcard subsystem.


Troubleshooting


General

  1. Ensure that the YubiKey is properly inserted into the USB port. If you are using a USB-A style YubiKey, it can be inserted in either orientation. When inserted correctly, the "y" on the card will flash green.

  2. The gold medallion on the YubiKey functions as a touch button. Pressing or touching it generates a One-time password (OTP) and simulates the Enter key press. Although this feature is not currently utilized, it may be used in the future.

  3. If you encounter an "Access Denied" warning while attempting to log into the server during step two, it is likely that your account has SmartcardLogonRequired set to true. In such cases, please contact your IT team for assistance.

  4. If you are waiting for a prompt to enter a PIN for an extended period (more than 20 seconds) and it does not appear, click on the CMD window and press Enter twice. If the issue persists, please reach out to ITS for further support.

Windows Specific

  1. Check the Smart Cards setting for a Yubico Minidriver under Device Manager on your computer. If the driver is not present and the computer is DOMAIN JOINED, restart the computer, and check again. If the driver is still missing, contact ITS for assistance.

  2. If the driver is not present and the computer is NOT DOMAIN JOINED, download the driver manually from Yubico's website (https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/). Go to yubico.com > Support > Downloads, find the CAB download for the Yubico mini-driver, and extract it to a folder. Right-click the .inf file and select "Install." After the driver is installed, the computer may require a restart.

  3. If you receive the error message "The client has failed to validate the domain controller certificate for _______. The following error was returned from the certificate validation process: A certificate chain could not be built to a trusted root authority." on a non-DOMAIN JOINED computer, it may mean the computer does not trust the root certificate from AD. Contact ADTT@syr.edu for assistance with trusting the cert.
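The checks above (Yubico Minidriver present, SmartcardLogonRequired set on the account) and the 10-day renewal window from the Renewal section can be run from one PowerShell session. The script below is an added troubleshooting helper, not part of this page or of the "Setup Smartcard" program; it assumes Windows PowerShell 5.1 or later, that the YubiKey's PnP device names contain "Yubi", and that the RSAT ActiveDirectory module is installed only for the optional account check.

```powershell
# Added diagnostic helper (not ITS code). Run as the user whose YubiKey is inserted.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$RenewalWindowDays = 10                         # matches the renewal e-mail lead time

# 1. Is a YubiKey present, and is a SmartCard-class (minidriver) device listed for it?
#    Assumption: Yubico device names contain "Yubi".
$yubi = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -like '*Yubi*' }
if (-not $yubi) {
    Write-Warning 'No YubiKey device found. Remove and reinsert it, then re-check.'
} else {
    $yubi | Select-Object Class, FriendlyName, Status | Format-Table -AutoSize
    if (-not ($yubi | Where-Object { $_.Class -eq 'SmartCard' })) {
        Write-Warning 'YubiKey present but no SmartCard-class device; Yubico Minidriver may be missing.'
    }
}

# 2. Find the Smart Card Logon certificate(s) Windows has propagated to the user store
#    and flag any that are expired or inside the renewal window.
$scCerts = Get-ChildItem Cert:\CurrentUser\My |
           Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid }
if (-not $scCerts) {
    Write-Warning 'No Smart Card Logon certificate found in Cert:\CurrentUser\My.'
}
foreach ($cert in $scCerts) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED' }
             elseif ($daysLeft -le $RenewalWindowDays) { 'RENEW NOW' }
             else { 'OK' }
    '{0,-10} {1:yyyy-MM-dd} ({2} days)  {3}' -f $state, $cert.NotAfter, $daysLeft, $cert.Subject
}

# 3. Optional: does the account require smart-card logon? This explains "Access Denied"
#    on a username/password logon. Needs the RSAT ActiveDirectory module.
if (Get-Module -ListAvailable ActiveDirectory) {
    $acct = Get-ADUser -Identity $env:USERNAME -Properties SmartcardLogonRequired
    "SmartcardLogonRequired for $($acct.SamAccountName): $($acct.SmartcardLogonRequired)"
}
```

If the certificate check reports nothing, remove and reinsert the YubiKey (step 9 above) so the certificate propagation service can read the card, then run it again.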

macOS Specific

  1. Apple computers may not be able to use the card after setup due to NLA (Network Level Authentication). When connecting over RDP, the Mac requires a username and password before the Smartcard can be used, so the card does not function properly. To work around this, log into a Windows computer (such as a virtual machine) from your Apple computer and use RDP from there. This approach enables the selection of the Smartcard or YubiKey from the "More Choices" option.

  2. When using the RDP/remote client application to connect to servers, ensure that your Apple computer is running on Version 10 or later.

  3. If the Smartcard does not appear as an option when configuring it for the first time using the remote client application (assuming it is version 10+), it is likely that the connection does not support Smartcards. To address this issue, exit the connection, right-click on it in the RDP client application, select "Edit," navigate to the devices tab, and ensure that "Smart Card" is checked. Reconnect to the session and try again.
