YubiKey Smart Card Deployment Guide


Introduction

Yubico changes the game for strong authentication, providing superior security with unmatched ease-of-use. Our core invention, the YubiKey, is a small USB and NFC device supporting multiple authentication and cryptographic protocols. With a simple touch, it protects access to computers, networks, and online services for the world’s largest organizations.

PIV and YubiKeys

The YubiKey 5 Series, YubiKey 4 Series, and YubiKey FIPS Series devices all support the Personal Identity Verification (PIV) card interface specified in NIST Special Publication 800-73-4, Interfaces for Personal Identity Verification. Microsoft Windows supports traditional PIV smart cards for user authentication, which allows the YubiKey to be used as a strong authentication solution.

The YubiKey Minidriver extends Windows support for the YubiKey from authentication alone to letting Windows load and directly manage certificates on the device. This allows an easy-to-use, easy-to-deploy, scalable implementation of strong multi-factor authentication across an entire organization using the native Windows tools and the YubiKey.

PIV Deployment

This document covers the basic steps required to set up an Active Directory domain environment for smart card authentication, including considerations before provisioning YubiKeys for smart card login. We recommend that a qualified domain administrator be in charge of the process and that you use these instructions as a guideline for deployment. Rather than cover the complexities inherent in a corporate environment (for example, an Enterprise Root Certification Authority, multiple Subordinate Certificate Authorities, Certificate Revocation Lists, and so on), these instructions cover only the basic topics.

YubiKey Smart Card & Minidriver Deployment Guides

YubiKey Minidriver Features
Overview of the features and functions the YubiKey Minidriver adds to the native Windows Smart Card framework.

YubiKey Smart Card Deployment Considerations
YubiKey Minidriver environmental and system requirements and compatibility, as well as items to consider prior to setup.

Setting up Windows Server for YubiKey PIV Authentication
Configuring Windows Server for Smart Card Authentication using the YubiKey.

Smart Card Login for User Self-Enrollment
Steps on setting up Windows Server to allow users to enroll their own YubiKeys as smart cards directly.

Smart Card Login for Enroll on Behalf of
Steps on setting up Windows Server to allow IT admins, help desk staff or others to enroll YubiKeys on behalf of other users.

Smart Card Deployment: Manually Importing User Certificates
Instructions on importing User certificates created on a different server.

Deploying the YubiKey Minidriver to Workstations and Servers
How to deploy the YubiKey Minidriver to endpoints and servers.

YubiKey PIN and PUK User Management
How users and administrators can set or change the PIN and PIN Unlock Key (PUK).

Smart Card Basic Troubleshooting
Basic troubleshooting for the YubiKey as a PIV Smart Card with Windows.

Getting Additional Help

For more information, and to get help with your YubiKeys, see:

TIP: When filing a ticket, to assist in diagnosing issues, we recommend that you include a log file containing the issue observed. To enable the debug log file, add the following registry value. Log files will be created for each running process in C:\Logs.
Key: HKLM\Software\Yubico\ykmd
Value: DebugOn (DWORD). To enable logging, set the value to 1.
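The following PowerShell is an added example, not part of the Yubico guide, that turns the debug log on and off using the registry value documented above. It assumes the HKLM\Software\Yubico\ykmd key may not exist yet and that C:\Logs is not created automatically (the guide does not say either way), so it creates both. Run it from an elevated session.

```powershell
# Added example (not from the Yubico guide): toggle the YubiKey Minidriver debug log.
# Assumption: neither the ykmd key nor C:\Logs is guaranteed to exist, so create both.
$KeyPath = 'HKLM:\Software\Yubico\ykmd'
$LogDir  = 'C:\Logs'

function Enable-YkmdDebugLog {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    if (-not (Test-Path $LogDir))  { New-Item -Path $LogDir -ItemType Directory | Out-Null }
    # DebugOn = 1 (REG_DWORD) enables per-process logging; -Force creates or overwrites the value
    New-ItemProperty -Path $KeyPath -Name 'DebugOn' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-YkmdDebugLog {
    # Set DebugOn back to 0 once the log for the support ticket has been captured
    New-ItemProperty -Path $KeyPath -Name 'DebugOn' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-YkmdDebugLogState {
    # Returns the current DebugOn value, or 0 when the value (or key) is absent
    $v = Get-ItemProperty -Path $KeyPath -Name 'DebugOn' -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.DebugOn
}

Enable-YkmdDebugLog
"DebugOn is now $(Get-YkmdDebugLogState). Reproduce the issue, then collect the files in $LogDir."
# After collecting the logs for the ticket:
# Disable-YkmdDebugLog
```

Keep the value at 1 only for as long as it takes to reproduce the issue: every process that loads the minidriver writes its own file into C:\Logs, so the directory grows quickly, and the logs should be reviewed before they are attached to a ticket.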

Yubico Support is limited to addressing issues regarding the direct use of YubiKeys with a deployed Windows Active Directory Certificate Services environment. Issues falling outside of this responsibility include, but are not limited to, inaccessible CRLs, domain trust issues, expired server certificates, cached credentials, Kerberos ticket issues, and other features outside of smart card authentication and issuance.

Note:
The YubiKey Bio Multi-protocol Edition supports fingerprint verification in lieu of the PIN when performing cryptographic operations. For the PIV smart card application, however, offering users this fingerprint option requires client software or middleware. Yubico has implemented that support in the YubiKey Minidriver from version 4.6.1. Users who attempt to use PIV smart card on the YubiKey Bio Multi-protocol Edition without supporting middleware will encounter limitations.

Where supporting middleware is not available or not used, users can still access the PIV application on the YubiKey Bio Multi-protocol Edition, but they will not have the option of fingerprint authentication for cryptographic operations. Instead, they will need to rely on traditional methods such as entering a PIN.

While users can still access the PIV application and perform cryptographic operations, they miss out on the convenience and potentially enhanced security offered by biometric authentication, and may need to rely on the PIN.