YubiKeys are low-cost authentication tokens that can operate as Personal Identity Verification (PIV) smart cards for Windows authentication.
This post is a quick guide to configuring a Windows Server 2012 domain to authenticate users with a YubiKey instead of a standard password.
Driver Installation
Download and install the YubiKey driver on all systems which will be using 2FA:
https://www.yubico.com/products/services-software/download/smart-card-drivers-tools/
Unpack the cab file using the expand command:
expand YubiKey-Minidriver-4.0.0.162.cab -F:* C:\ykmd
Microsoft (R) File Expansion Utility
Copyright (c) Microsoft Corporation. All rights reserved.
Adding C:\ykmd\README.txt to Extraction Queue
Adding C:\ykmd\ykmd.cat to Extraction Queue
Adding C:\ykmd\ykmd.dll to Extraction Queue
Adding C:\ykmd\ykmd.inf to Extraction Queue
Adding C:\ykmd\ykmd64.dll to Extraction Queue
Then right click C:\ykmd\ykmd.inf and select Install to register the minidriver.
Create a Smart Card Certificate Template
Open certtmpl.msc on the certificate authority server.
Find the Smartcard Logon template, right click it and select Duplicate Template. Set the new template's name to “YubiKey”.
On the “Security” tab make sure the users who will be using smart card authentication have permissions on the template (autoenrollment needs Read, Enroll and Autoenroll):
![Security tab of the YubiKey certificate template (screenshot)](http://www.bordergate.co.uk/wp-content/uploads/2019/01/asoss.png)
Change the options as below:
![YubiKey template properties, first tab of changed options (screenshot, text not recoverable)](http://www.bordergate.co.uk/wp-content/uploads/2019/01/s-st-jostjae-dollar-2d0-and.png)
![YubiKey template properties, second tab of changed options (screenshot, text not recoverable)](http://www.bordergate.co.uk/wp-content/uploads/2019/01/s-st-jostj9e-dollar-dold-kayqna.png)
![YubiKey template properties, key usage options (screenshot, text not recoverable)](http://www.bordergate.co.uk/wp-content/uploads/2019/01/0-3-00-ed-wrh-c-0-used-fo-9-c-isenr.png)
![YubiKey template properties, key provider options (screenshot, text not recoverable)](http://www.bordergate.co.uk/wp-content/uploads/2019/01/g-cu-re-h-k-crewe-5-u-0-dollar-84e.png)
Add the new Certificate Template to the CA
- Open certsrv.msc
- Select Certificate Templates
- Right click in a blank area on the right side and select “New” > “Certificate Template to issue”
- Select the “YubiKey” template and click OK.
Active Directory Auto Enrollment Configuration
Create a new GPO called YubiKey and configure the following options:
Open the Certificate Services Client - Auto-Enrollment policy (under Public Key Policies, in both Computer Configuration and User Configuration, which is why both the HKLM and HKCU registry keys are checked below) and set:
- Configuration Model: Enabled
- Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates: Enabled
- Update and manage certificates that use certificate templates from Active Directory: Enabled
- Log expiry events and, for user policy, only show expiry notifications when the percentage of remaining certificate lifetime is: 10%
- Display user notifications for expiring certificates in user and computer MY store: Disabled
![Certificate Services Client - Auto-Enrollment policy settings (screenshot)](http://www.bordergate.co.uk/wp-content/uploads/2019/01/set-ir-ay-policy-automatic-centficate-manage.png)
Ensure the GPO is applied to users who will be using smart card authentication.
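The same GPO can be built from PowerShell instead of the GPMC dialog. The block below is an added example, not code from the original post; it assumes the GroupPolicy module (RSAT/GPMC) is installed and that the OU distinguished name is replaced with your own. It writes the registry-based policy values that the post later confirms on the client with `reg query`, in both the Computer and User halves of the policy.

```powershell
# Added example (not from the original post): create and link the "YubiKey"
# auto-enrollment GPO from PowerShell. Assumes the GroupPolicy module is present.
Import-Module GroupPolicy

$GpoName  = 'YubiKey'
$TargetOu = 'OU=SmartCardUsers,DC=example,DC=local'   # placeholder: replace with your OU

# Values the post verifies on the client with "reg query". AEPolicy is a bit field:
# 0x1 enroll automatically, 0x2 renew expired / process pending / remove revoked,
# 0x4 update certificates that use templates; 0x7 is all three.
$Settings = @{
    AEPolicy                    = @{ Type = 'DWord';  Value = 7 }
    OfflineExpirationPercent    = @{ Type = 'DWord';  Value = 10 }    # 10% remaining lifetime
    OfflineExpirationStoreNames = @{ Type = 'String'; Value = 'MY' }  # store to log expiry events for
}

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'YubiKey smart card certificate auto-enrollment'
}

# Computer and user policy, matching the HKLM and HKCU keys checked later on the client.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$hive\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    foreach ($name in $Settings.Keys) {
        $s = $Settings[$name]
        Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $name `
            -Type $s.Type -Value $s.Value | Out-Null
    }
}

# Link the GPO to the OU holding the smart card users (and their workstations) if not already linked.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show what was written so it can be compared with the client-side "reg query" output.
foreach ($hive in 'HKLM', 'HKCU') {
    Get-GPRegistryValue -Name $GpoName -Key "$hive\Software\Policies\Microsoft\Cryptography\AutoEnrollment" |
        Select-Object Hive, ValueName, Type, Value
}
```

Because both hives are populated, the GPO must be linked somewhere that applies to the users and to the computers they log on from; a link on a users-only OU will leave the HKLM key unset on the clients.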
Client Configuration
Force the client to apply the group policy changes:
gpupdate /force
Verify the registry changes have been made:
reg query "HKLM\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\AutoEnrollment
AEPolicy REG_DWORD 0x7
OfflineExpirationPercent REG_DWORD 0xa
OfflineExpirationStoreNames REG_SZ MY
reg query "HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Cryptography\AutoEnrollment
AEPolicy REG_DWORD 0x7
OfflineExpirationPercent REG_DWORD 0xa
OfflineExpirationStoreNames REG_SZ MY
The AEPolicy key should be set to 0x7 in both instances.
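The raw `reg query` output above is easy to misread, so the following added example (not from the original post) checks both hives from PowerShell, decodes the AEPolicy bits and warns when the value is not the expected 0x7. The bit meanings in the comments are Windows' documented autoenrollment flags; the key paths are the ones shown above.

```powershell
# Added example (not from the original post): verify the auto-enrollment policy on a client.
# AEPolicy bits: 0x1 enroll automatically, 0x2 renew expired / process pending / remove revoked,
# 0x4 update certificates that use templates, 0x8000 autoenrollment disabled entirely.
$Bits = @{
    0x1 = 'Enroll certificates automatically'
    0x2 = 'Renew expired, process pending, remove revoked'
    0x4 = 'Update certificates that use templates'
}
$Expected = 0x7
$ok = $true

foreach ($hive in 'HKLM', 'HKCU') {
    $path = "${hive}:\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    $v = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if (-not $v) {
        Write-Warning "$hive : AutoEnrollment policy key missing (has gpupdate run, and is the GPO linked here?)"
        $ok = $false
        continue
    }
    $ae = [int]$v.AEPolicy
    $flags = $Bits.Keys | Sort-Object | Where-Object { $ae -band $_ } | ForEach-Object { $Bits[$_] }
    '{0}: AEPolicy=0x{1:X} [{2}] OfflineExpirationPercent={3}% Stores={4}' -f `
        $hive, $ae, ($flags -join '; '), $v.OfflineExpirationPercent, $v.OfflineExpirationStoreNames
    if ($ae -band 0x8000) {
        Write-Warning "$hive : autoenrollment is explicitly disabled (0x8000 set)"
        $ok = $false
    } elseif ($ae -ne $Expected) {
        Write-Warning ('{0} : AEPolicy is 0x{1:X}, expected 0x7' -f $hive, $ae)
        $ok = $false
    }
}

if ($ok) {
    'Auto-enrollment policy applied in both hives.'
    # Trigger an autoenrollment pass now rather than waiting for the next scheduled run.
    certutil -pulse | Out-Null
}
```

A missing HKLM key with a correct HKCU key usually means the GPO is linked only to a user OU; the computer half of the policy must reach the workstation too.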
After the policy has been applied, Windows should prompt for certificate enrollment:
![Certificate Enrollment wizard: Before You Begin (screenshot)](http://www.bordergate.co.uk/wp-content/uploads/2019/01/certificate-enrollment-before-you-begin-the-foll.png)
![Certificate Enrollment wizard: Request Certificates, Active Directory Enrollment Policy, YubiKey, STATUS: Enrollment required (screenshot)](http://www.bordergate.co.uk/wp-content/uploads/2019/01/certificate-enrollment-request-certificates-the.png)
![Certificate Enrollment wizard: Certificate Installation Results, YubiKey, STATUS: Succeeded (screenshot)](http://www.bordergate.co.uk/wp-content/uploads/2019/01/certificate-enrollment-certificate-installation-r.png)
Open the Certificates MMC (certmgr.msc) on the client and ensure the YubiKey certificate is listed in the user's Personal store. Then, in Active Directory Users and Computers, open the user's account options and tick “Smart card is required for interactive logon”:
![Account options with “Smart card is required for interactive logon” ticked (screenshot, text not recoverable)](http://www.bordergate.co.uk/wp-content/uploads/2019/01/6-0-q-20-pue-2-u-n0.png)
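Both halves of that step can be checked and applied from PowerShell. The block below is an added example, not code from the original post: the first part runs as the enrolled user and looks for a certificate in the Personal store that carries the Smart Card Logon EKU and was issued from the “YubiKey” template; the second part runs as a domain administrator with the ActiveDirectory module and sets the same account flag that the ADUC checkbox sets. The user name is a placeholder.

```powershell
# Added example (not from the original post). Part 1 (as the enrolled user): find the
# smart card logon certificate issued from the "YubiKey" template in Cert:\CurrentUser\My.
$TemplateName   = 'YubiKey'
$SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon enhanced key usage OID
$TemplateInfo   = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information extension OID

$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $c = $_
    $hasEku = $c.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $SmartCardLogon }
    # Format($false) decodes the extension to text such as "Template=YubiKey(1.3.6...), Major Version Number=100, ..."
    $tmpl = $c.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfo } |
        ForEach-Object { $_.Format($false) }
    $c.HasPrivateKey -and $hasEku -and ($tmpl -match "Template=$TemplateName\b")
}

if (-not $certs) {
    Write-Warning "No '$TemplateName' smart card logon certificate found in Cert:\CurrentUser\My; check the enrollment wizard result and the template permissions."
} else {
    $certs | Select-Object Subject, NotBefore, NotAfter, Thumbprint | Format-Table -AutoSize
}

# Part 2 (as a domain admin): require the smart card for interactive logon. This sets
# UF_SMARTCARD_REQUIRED (0x40000) in userAccountControl, the same as the ADUC checkbox.
Import-Module ActiveDirectory
$User = 'jsmith'   # placeholder sAMAccountName

Set-ADUser -Identity $User -SmartcardLogonRequired $true

Get-ADUser -Identity $User -Properties SmartcardLogonRequired, userAccountControl |
    Select-Object SamAccountName, SmartcardLogonRequired,
        @{ Name = 'UAC_SmartCardRequired'; Expression = { [bool]($_.userAccountControl -band 0x40000) } }
```

Setting the flag makes the domain controller replace the account's password hash with a random value, so anything that still authenticates the account with a stored password (scheduled tasks, service logons, legacy applications) will stop working; verify the certificate is present with Part 1 before flipping the flag, or the user is locked out until it is cleared.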
When the user next logs in, they should be prompted for the smart card PIN to authenticate to the domain.