YubiKey Smart Card Deployment Considerations


Before You Begin

The YubiKey Minidriver is designed to function in a Windows Server and Client environment configured for smart card authentication. Ensuring your deployment is set up properly is a crucial element of the initial planning for the YubiKey Minidriver deployment.

System Requirements

Before performing the steps in this document, be sure your environment meets these requirements:

  • The YubiKey Minidriver cannot be used simultaneously with the YubiKey Manager for provisioning user Windows credentials. If your environment utilizes the YubiKey Manager, the YubiKey Minidriver with native Windows components cannot be used to enroll certificates. Certificates loaded with YubiKey Manager or the PIV Tool can still be used with the Minidriver.

  • For servers, supported versions are Microsoft Windows Server 2012 R2 or later (the examples shown are from Windows Server 2016).

  • For clients, install Microsoft Windows 8/8.1 or later (for YubiKeys to log in to Windows).

    NOTE: Windows 10 (version 1607) users are no longer officially supported on Windows Server 2008 R2. Be sure you have moved these users to Windows Server 2012 R2 or later. For more information about compatibility, see the following tables.

Windows Server Compatibility

                    Server 2012 R2    Server 2016    Server 2019
    YubiKey 4/5     Compatible        Compatible     Compatible

Windows Desktop Compatibility

                    Windows 8 / 8.1   Windows 10+
    Server 2012 R2  Compatible        Compatible
    Server 2016     Compatible        Compatible
    Server 2019     Compatible        Compatible

  • A Microsoft Windows Active Directory domain environment is required.

  • If you are using Remote Desktop Connection (RDP), the YubiKey Minidriver must be installed on both the source and the destination computers.

  • For Microsoft Windows Server, it is recommended to use the Microsoft Key Storage Provider instead of the older Microsoft Credential Storage Provider. 

Touching the YubiKey

Touch confirmation can be problematic for end users. With some YubiKeys, it is difficult to know where the key should be touched. Sometimes the user needs to withdraw the key from the port, turn it over, and reinsert it so that the right place to touch is visible and accessible. YubiKeys rely on capacitive touch sensors, which cannot detect a touch from a calloused finger or one with very dry skin. In that case, dampening the finger or touching with a different body part helps. End users should also pay attention to the YubiKey's flashing signals: the key often indicates that it is ready to be touched by flashing at a particular speed, and if it recognizes the touch, the flashing speed changes. If the speed does not change, this usually means that no touch was detected and the user needs to try again.

Determining the Preferred Method of Enrollment

Before using the YubiKey Minidriver in implementing smart card authentication in an Active Directory domain environment, it is important to consider the method of user enrollment that you will use. 

The three options using the YubiKey are:

  • User self-enrollment: Auto-enrollment can be set up in your domain, allowing you to utilize the built-in Windows functionality to request and load login certificates.

  • Enrolling on behalf of other users: By granting enrollment agent permissions to one or more users or groups, your administrators or help desk accounts with elevated permissions can enroll certificates on behalf of other users through the Microsoft Management Console (MMC).

  • Advanced enrollment: Use the YubiKey Manager command line interface (CLI) tool (ykman) to write custom command line scripts or build your own deployment application. For more information, consult the YubiKey Manager CLI guide.

NOTE: User self-enrollment plus enrolling on behalf of other users can be implemented concurrently, but be sure to set up a separate certificate request template to cover each option. 
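The following PowerShell script is an added example of the "Advanced enrollment" option above; it is not a script from Yubico or from this page. It generates a key pair on the YubiKey with ykman, has the YubiKey sign a certificate request, submits that request to an enterprise CA with the Windows certreq tool, and loads the issued certificate back into the same PIV slot so the Minidriver can present it for logon. The CA name, the template name and the slot choice are placeholders you must adapt; the command syntax assumed is that of ykman 5.x (ykman piv keys generate, ykman piv certificates request, ykman piv certificates import). ykman prompts for the management key and PIN when they are not passed on the command line, so no secret is stored in the script.

```powershell
# Added example (not Yubico's code): scripted smart card logon enrollment with
# ykman and certreq. All values below are placeholders for your own environment.
param(
    # "CAHOST\CA common name" of the enterprise CA (placeholder)
    [string]$CaConfig  = 'ca01.example.local\Example Issuing CA',
    # Name of the smart card logon certificate template (placeholder)
    [string]$Template  = 'YubiKeySmartcardLogon',
    # Subject of the request; the CA template normally overrides it from AD
    [string]$Subject   = "CN=$env:USERNAME",
    # PIV Authentication slot 9a is the one Windows uses for smart card logon
    [string]$Slot      = '9a',
    [string]$Algorithm = 'RSA2048'
)
$ErrorActionPreference = 'Stop'

if (-not (Get-Command ykman -ErrorAction SilentlyContinue)) {
    throw 'ykman was not found on PATH; install the YubiKey Manager CLI first.'
}
if (-not (Get-Command certreq -ErrorAction SilentlyContinue)) {
    throw 'certreq was not found; this script must run on a domain-joined Windows host.'
}

# Scratch directory for the public key, the CSR and the issued certificate.
$work = Join-Path $env:TEMP ('ykenroll-' + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $work | Out-Null
$pub = Join-Path $work 'public.pem'
$csr = Join-Path $work 'request.csr'
$cer = Join-Path $work 'issued.cer'

try {
    # 1. Generate the key pair on the YubiKey. The private key never leaves the
    #    device. PIN policy ONCE caches the PIN per session; touch policy ALWAYS
    #    requires a physical touch for every signature (see "Touching the YubiKey").
    #    ykman prompts for the management key because -m is not supplied.
    ykman piv keys generate --algorithm $Algorithm --pin-policy ONCE --touch-policy ALWAYS $Slot $pub
    if ($LASTEXITCODE -ne 0) { throw 'Key generation on the YubiKey failed.' }

    # 2. Build a certificate signing request signed by that key (ykman prompts for the PIN).
    ykman piv certificates request --subject $Subject $Slot $pub $csr
    if ($LASTEXITCODE -ne 0) { throw 'CSR creation failed.' }

    # 3. Submit the CSR to the enterprise CA against the smart card logon template.
    #    The template must allow the enrolling account to enroll and must not
    #    require manager approval, otherwise the request stays pending.
    certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $csr $cer
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) {
        throw 'The CA did not issue a certificate (check template permissions or pending requests).'
    }

    # 4. Load the issued certificate into the same slot; the Minidriver reads it
    #    from there (ykman prompts for the management key again).
    ykman piv certificates import $Slot $cer
    if ($LASTEXITCODE -ne 0) { throw 'Certificate import to the YubiKey failed.' }

    # 5. Verify that Windows now sees the card and its certificate through the
    #    Minidriver; certutil -scinfo enumerates readers, cards and certificates.
    certutil -scinfo
}
finally {
    # Remove the temporary files; only public material was written here.
    Remove-Item -Recurse -Force $work -ErrorAction SilentlyContinue
}
```

Run the script from an account that has Enroll permission on the template named in $Template. For unattended provisioning the management key and PIN can be passed to ykman with its -m and -P options, in which case they should come from a vault or secure prompt rather than from the script text, and the default management key of a new YubiKey should be changed before the key is issued to a user.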

Download all documentation from the Yubico website (https://www.yubico.com/support/documentation/).
