Program a key over RDP

Normally, AuthLite keys can only be programmed while directly connected to the computer running the configuration program, not over Remote Desktop. There are two workarounds, described below.

Overview

For normal login, and for changing passwords after your account is already AuthLite Integrated, the hardware keys (YubiKeys) work normally over RDP.

But two situations require special attention over RDP:

  1. When you are first setting up your user account as AuthLite Integrated, in the "change password" screen
  2. When you are using the AuthLite configuration dialog to set up extra keys or Web/VPN (split) keys

If you attempt either of these procedures in an RDP session, you will receive an error that no key is plugged in. These programs can only write to the YubiKey when it is plugged in to a USB port that the remote operating system can see. Over an RDP session the YubiKey is not actually connected to the remote system; only the keystrokes it types (the OTPs) are forwarded. That is enough to use the key, but not enough to program it.

Solution 1: Proxy the USB connection over RDP

A YubiKey can be programmed over RDP, but only if additional software proxies the actual USB device over the RDP session, so that the remote machine believes the key is plugged in directly. Microsoft RDP/Terminal Services does not include this functionality: its built-in device redirection does not forward keyboard-class HID devices, which is how a YubiKey in OTP mode presents itself.

We have tested and recommend USB Redirector RDP Edition. Note that this is a separate product from "USB Redirector"; the "RDP" in the name is an important distinction, and the other product will not work for this case.

Procedure to program a key over RDP:

  • Start the USB Redirector client on your local system
  • Plug the blank key into the local system
  • Select the new "USB Human Interface Device" item that appears in the redirector interface and click "Share USB device"
  • Note that while a YubiKey is "shared", it cannot be used in the normal way to enter OTPs; it can only be programmed.
  • Log in over RDP
  • On the remote machine, start the USB Redirector "terminal server" portion
  • Program the key:
    • To integrate the user account, press CTRL+ALT+END to bring up the security screen and go to Change Password
    • To create extra keys or Web/VPN keys, launch and follow the appropriate AuthLite configuration dialog
  • Go back to the local machine and unshare the key. Now you can use it normally.

Note that as long as the key remains "shared", tapping the OTP button will not deliver an OTP to your session. This is because the remote computer sees the shared key as a keyboard plugged in at the console, so its keystrokes go to the console session rather than into your RDP session. To use the freshly programmed key, first unshare it in the local USB Redirector client.
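Before launching the AuthLite dialog it is worth confirming that the remote machine really does see the key as a USB device, rather than just receiving its keystrokes. The PowerShell snippet below is an added example for this article, not part of AuthLite or USB Redirector; run it inside the RDP session after sharing the key. It assumes that Yubico's USB vendor ID is 0x1050 (so YubiKey device instance IDs begin with "USB\VID_1050" or "HID\VID_1050") and that USB Redirector presents the shared device with its original vendor and product IDs.

```powershell
# Added example (not from the AuthLite article): check, from inside an RDP
# session, whether a YubiKey is present as a USB device on the remote machine.
# Assumption: Yubico's USB vendor ID is 0x1050, so instance IDs begin with
# "USB\VID_1050" (the device) or "HID\VID_1050" (its HID interfaces).

# Which session are we in? RDP sessions are named like "RDP-Tcp#3";
# the physical console is "Console". This matters because a shared key's
# keystrokes are delivered to the console session, not to the RDP session.
$session = $env:SESSIONNAME
if ($session -like 'RDP-*') {
    Write-Host "Running in remote session $session"
} else {
    Write-Host "Running at the console ($session)"
}

# Enumerate only devices that are currently attached.
$keys = Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -match '^(USB|HID)\\VID_1050' }

if (-not $keys) {
    Write-Warning "No Yubico USB device is present on this machine."
    Write-Warning "Over plain RDP only keystrokes arrive; share the key with USB Redirector RDP Edition first."
    exit 1
}

$keys | Select-Object Status, Class, FriendlyName, InstanceId | Format-Table -AutoSize
Write-Host "YubiKey is visible as a USB device; AuthLite can program it from this session."
Write-Host "Reminder: while the key is shared, its OTP keystrokes go to the console session, not here."
```

If the device list is empty on the remote machine but the same command on your local workstation shows the key, the share has not taken effect (for example the client-side "Share USB device" step was skipped, or the terminal-server component is not running on the remote side). After unsharing, the entries should disappear from the remote machine and the key should again type OTPs into your RDP session.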

Solution 2: Program the key with YkMultiConfig and import

Note: This solution requires AuthLite version 1.3 or higher. At the time of this article, v1.3 is in beta.

This solution is particularly suited for administrators who want to pre-program a quantity of keys and then distribute them to users. The YkMultiConfig program is available from Yubico. A full discussion of the setup and use of this tool is beyond the scope of this article; please see the video and instructions on Yubico's developer "Personalization" page.

Programming/Import Procedure:

  1. Get YkMultiConfig on your local workstation. The AuthLite software does not need to be installed here.
  2. In YkMultiConfig, bind one or more USB ports and choose an output .csv file. In the settings, select "AuthLite Compatible" as the programming option.
  3. Run the tool on all the keys you want to program.
  4. On a DC, open the AuthLite Data Manager and import the .csv file via the File->Import CSV menu item.
  5. You do NOT need to select the option to import private data (if shown).

Now all the data for the keys has been added to the domain. The procedure to integrate a new user with a pre-programmed key is slightly different from the procedure for a blank key, and because the key is already programmed it works over a plain RDP session with no USB proxying.

Steps the user performs:

  1. Plug the (already programmed) key into a USB port on your RDP client machine.
  2. In the RDP session, press CTRL+ALT+END to bring up the security screen, and go to Change Password.
  3. Instead of typing the username, tap the AuthLite key so that its OTP is typed into the first (username) field.
  4. Fill out the old and new password fields.
  5. Select the checkbox "Use AuthLite with this account".
  6. Click OK.
  7. The key is now associated with that user, and the account is integrated with AuthLite.

Related Topics

Articles pertaining to the AuthLite product