YubiKey Smart Card Deployment Considerations


Before You Begin

The YubiKey Minidriver is designed to function in a Windows Server and Client environment configured for smart card authentication. Ensuring your deployment is set up properly is a crucial element of the initial planning for the YubiKey Minidriver deployment.

YubiKey Smart Card Specifications

The YubiKey is compatible with the NIST PIV Specifications (SP 800-73-4). Without the YubiKey Minidriver, Windows environments are able to read the 4 PIV-defined credentials for authentication, encryption, card authentication and digital signature. Windows cannot write credentials to the YubiKey without the Minidriver installed on both the server and client.
With the Minidriver, the YubiKey supports the following characteristics:

                  Max # of certificates   Max size of individual certificate   Max size of certificate chain certificates
YubiKey 4/5       12                      3052 bytes                           15,260 bytes
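As an added example (not from Yubico's guide), the PowerShell check below tests a certificate against the limits in the table before enrollment. It reads the chain limit as the total DER size of every certificate in the end-entity certificate's chain, which is an assumed interpretation, and builds that chain from the local trust store with revocation checking disabled.

```powershell
# Added example, not from Yubico's guide: checks a certificate and its chain against the PIV
# storage limits listed above (3052 bytes per certificate, 15,260 bytes for the whole chain,
# 12 certificates). Treating the chain limit as the sum of all chain certificates is assumed.
function Test-YubiKeyCertificateFit {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [int] $MaxCertBytes  = 3052,
        [int] $MaxChainBytes = 15260,
        [int] $MaxCertCount  = 12
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only size matters here, so skip CRL/OCSP lookups and accept a chain whose root is unknown.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $null = $chain.Build($Certificate)

    $elements   = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $totalBytes = 0
    $oversized  = @()
    foreach ($c in $elements) {
        $totalBytes += $c.RawData.Length            # RawData is the DER encoding written to the card
        if ($c.RawData.Length -gt $MaxCertBytes) { $oversized += $c.Subject }
    }

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        ChainLength      = $elements.Count
        ChainBytes       = $totalBytes
        OversizedCerts   = $oversized
        FitsIndividually = ($oversized.Count -eq 0)
        FitsChain        = ($totalBytes -le $MaxChainBytes -and $elements.Count -le $MaxCertCount)
    }
}

# Usage: report every certificate in the current user's personal store before enrolling any of them.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-YubiKeyCertificateFit -Certificate $_ } |
    Format-Table Subject, ChainLength, ChainBytes, FitsIndividually, FitsChain -AutoSize
```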

System Requirements

Before performing the steps in this document, be sure your environment meets these requirements:

  • The YubiKey Minidriver should not be used simultaneously with the YubiKey Manager for provisioning user Windows credentials (i.e. loading certificates onto the YubiKey).

    • After enrolling a certificate using the YubiKey Smart Card Minidriver, Windows generates on the YubiKey a container map (CMAP) listing the certificates enrolled. This dictates what each certificate may be used for, such as authentication or encryption. If one uses YubiKey Manager or other tools to enroll additional certificates or delete certificates outside of Windows, this CMAP file is not updated and may become corrupted, causing the certificates to become unusable.

    • The YubiKey Manager can be used to set the PIV PIN or PUK, or change retry attempts prior to using the YubiKey Minidriver to enroll credentials.

    • If your environment already utilizes the YubiKey Manager for managing smart card credentials/certificates on YubiKeys, the YubiKey Minidriver with native Windows components should not be used to enroll certs.

    • You can still use the YubiKey Manager to manage other functions on the YubiKey if needed, such as OTP, Challenge response, FIDO2 and GPG.
  • For servers, supported versions are Microsoft Windows Server 2012 R2 or later (the examples shown are from Windows Server 2016).

    • For clients, Microsoft Windows 8/8.1 or later is required to log in to Windows with a YubiKey.

    • NOTE: Windows 10 (version 1607) users are no longer officially supported on Windows Server 2008 R2. Be sure you have moved these users to Windows Server 2012 R2 or later. To clarify, this refers to the version of Windows Server running on the CA, not the domain/forest functional level. For more information about compatibility, see the following table.

Windows Server Compatibility

                Server 2016   Server 2019   Server 2022
YubiKey 4/5     Compatible    Compatible    Compatible


Windows Desktop Compatibility

                  Windows 7      Windows 8 / 8.1   Windows 10                Windows 11
Server 2012 R2    Compatible*    Compatible        Partially Compatible**    Not Supported
Server 2016       Compatible*    Compatible        Compatible                Compatible
Server 2019       Compatible*    Compatible        Compatible                Compatible
Server 2022       Compatible*    Compatible        Compatible                Compatible

* Windows 7 is no longer supported by Microsoft, and continued functionality is not guaranteed
** Windows Server 2012 R2 may not be compatible if legacy RSA encryption standards have been removed to harden Windows 10

  • A Microsoft Windows Active Directory domain environment is required.

  • If you are using Remote Desktop Connection (RDP), the YubiKey Minidriver must be installed on both the source and the destination computers.

  • For Microsoft Windows Server, it is recommended to use the Microsoft Key Storage Provider instead of the older Microsoft Credential Storage Provider.

  • Note that certificate renewal requires the YubiKey Smart Card Minidriver, as Windows' built-in (inbox) minidriver does not have the ability to write to third-party smart cards (like the YubiKey).

Touching the YubiKey

Touching the YubiKey can be problematic for end users. With some YubiKeys, it is difficult to know where the key should be touched. Sometimes the user needs to withdraw the key from the port, turn it over, and reinsert it so that the right place to touch is visible and accessible. YubiKeys rely on capacitive touch sensors, and these cannot detect a touch by a calloused finger or one with very dry skin. In that case, dampening the finger helps, or touching with a different part of the hand. End users should also pay attention to the YubiKey's flashing signals: often the key indicates it is ready to be touched by flashing at a particular speed. If it recognizes the touch, the flashing speed changes. If the speed does not change, this usually means that no touch has been detected, so the user needs to try again.

Determining the Preferred Method of Enrollment

Before using the YubiKey Minidriver to implement smart card authentication in an Active Directory domain environment, consider which method of user enrollment you will use.

The three options using the YubiKey are:

  • User self-enrollment: Auto-enrollment can be set up in your domain, allowing you to utilize the built-in Windows functionality to request and load login certificates.

  • Enrolling on behalf of other users: By granting enrollment agent permissions to one or more users or groups, your administrators or help desk accounts with elevated permissions can enroll certificates on behalf of other users through the Microsoft Management Console (MMC).

  • Advanced enrollment: Use the YubiKey Manager command line (CLI) tool (ykman) to write custom command line scripts or build your own deployment application. For more information, consult the YubiKey Manager CLI guide.

NOTE: User self-enrollment and enrolling on behalf of other users can be implemented concurrently, but be sure to set up a separate certificate request template to cover each option.
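The Before You Begin section allows YubiKey Manager to set the PIV PIN, PUK and retry counts before the Minidriver enrolls anything, and the advanced enrollment option above points at ykman scripting. As an added example (not Yubico's code), the script below does that pre-enrollment setup; it assumes ykman.exe (YubiKey Manager CLI 4.x or later) is on PATH, exactly one YubiKey is attached, the PIV management key is still the factory default, and that `ykman piv info` lists populated slots as lines beginning with "Slot".

```powershell
# Added example, not from Yubico's guide: pre-enrollment PIV access setup with the ykman CLI,
# run before the Minidriver writes anything to the key (the CMAP warning above still applies).
# Assumes ykman.exe (YubiKey Manager CLI 4.x or later) is on PATH and one YubiKey is attached.
param(
    [Parameter(Mandatory)] [string] $NewPin,                 # 6-8 characters, placeholder value
    [Parameter(Mandatory)] [string] $NewPuk,                 # 6-8 characters, placeholder value
    [int]    $PinRetries    = 5,
    [int]    $PukRetries    = 5,
    [string] $ManagementKey = '010203040506070801020304050607080102030405060708'  # PIV factory default
)

function Invoke-Ykman {
    param([string[]] $Arguments)
    $output = & ykman @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "ykman $($Arguments -join ' ') failed: $output" }
    $output
}

# Guard: once certificates are present the key may carry a Windows CMAP that ykman must not
# disturb. 'ykman piv info' prints populated slots as "Slot 9A ..." lines (output format assumed).
$info = Invoke-Ykman @('piv', 'info')
if ($info -match '^\s*Slot\s+[0-9A-Fa-f]{2}') {
    throw 'PIV slots already hold certificates; leave this key to the Minidriver.'
}

# Retry counts first: changing them resets the PIN and PUK to the factory defaults
# (123456 / 12345678), so the new PIN and PUK must be set afterwards, not before.
Invoke-Ykman @('piv', 'access', 'set-retries', '-m', $ManagementKey, '-f',
               "$PinRetries", "$PukRetries") | Out-Null
Invoke-Ykman @('piv', 'access', 'change-pin', '-P', '123456',   '-n', $NewPin) | Out-Null
Invoke-Ykman @('piv', 'access', 'change-puk', '-p', '12345678', '-n', $NewPuk) | Out-Null

# Show the resulting retry counters; certificate enrollment through Windows can follow from here.
Invoke-Ykman @('piv', 'info') | Select-String 'tries remaining'
```

Secrets passed as command-line arguments are visible to other local processes while ykman runs, so use this on an administrator's provisioning workstation rather than on shared hosts.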

PIN and Touch Behavior

It is important to understand that the YubiKey Minidriver extends but does not replace the native Windows smart card behavior. This is especially evident when it comes to users supplying the PIN.

Windows is built to ask for a PIN when starting an operation using a credential stored on a smart card, regardless of whether the PIN policy on the credential requires a PIN to be supplied. Further, Windows caches a valid PIN per process per logon ID (PinCacheNormal); this means a process can reuse a PIN without prompting the user, but once the process ends, or if a new process is started in parallel, the user must supply the PIN again. Because of these Windows behaviors, the PIN policy defined on the YubiKey is often not enforced as expected.

However, Windows does not override the touch policy on a credential stored on a YubiKey; the requirement to touch the YubiKey to permit requested operations is enforced as defined when the credential is generated.


Next: Setting up Windows Server for YubiKey PIV Authentication