Yubikey authenticate via OpenOTP to 2012 AD using windows logon or Remote Desktop


Douglas Kuo

Nov 20, 2014, 8:06:34 PM11/20/14
to rcdevs-t...@googlegroups.com
Hi,

Our company is testing using Yubikey to authenticate to 2012 AD. Yubico pointed us to RCDevs and I have installed the OpenOTP Virtual Appliance and am not sure what to do next. My questions are

1- How do I test a Yubikey with the OpenOTP server? The directions in the previous post are not clear.

2- Where do I maintain the user/Yubikey match, and how do I test a user authenticating with a Yubikey to the OpenOTP server?

3- On to 2012 AD: this is where I am not sure. How do I use a Yubikey via OpenOTP with 2012 AD?

Appreciate any help,
Douglas

Administrators

Nov 21, 2014, 9:34:07 AM11/21/14
to rcdevs-t...@googlegroups.com
Several points here:

1) Yubikey(s) must be enrolled with an LDAP user to be usable in OpenOTP.
You have several methods to enrol a yubikey with a user.
Let's try this: 
- Use the Yubico Personalization Tool from Yubico to re-program your Yubikey(s).
- Plug in your Yubikey
- In the tool - in "logging" Settings, set "Log Configuration" output to "Yubico format" (this will produce a CSV file after re-programming the Yubikey).
- Go to Yubico OTP, choose "Advanced", check "Configuration Slot 1", and click the 3 "Generate" buttons.
- Click "Write Configuration" (you now have a Yubico CSV file).

Next step is to convert this CSV to a WebADM/OpenOTP Token Inventory file:
Copy the CSV in the VM and use the tool /opt/webadm/websrvs/openotp/bin/yubi2inv
Usage: ./yubi2inv <the-yubikey-file.csv> > inventory.csv

Then log in to WebADM as Admin and go to the Database menu -> Inventory.
Import the WebADM Inventory file (i.e. inventory.csv).

Now you can edit an Activated user in WebADM and under the "OTP Server" Actions, choose "Register Token".
Choose Yubikey and just press the plugged-in Yubikey to enrol it on the selected user.

There are Self-Services too, to let the user do it himself.

2) The "Register Token" action copies the inventoried data into the user metadata (i.e. into the WebADM user data).
The Yubikey is now active for the user. If you set OpenOTP or the user settings with "Login Mode" = LDAPOTP or OTP  and OTP Type = TOKEN,
then the yubikey can be used for login.

3) Integration is too wide to explain in short.
You should contact RCDEVS support team to help you with your specific integration and requirements.
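As an added illustration, not RCDevs/OpenOTP code and not part of this thread: what a validation server does with the three values the "Generate" buttons produce in step 1 (public ID, private ID, AES key) once an OTP arrives, written in Go. It follows the published Yubico OTP token layout (modhex alphabet, 6-byte private ID, little-endian counters, inverted CRC-16 in the last two bytes); the IDs, the AES key and the function names are constructed stand-ins, and the logic is the generic algorithm rather than OpenOTP's own implementation.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"errors"
	"strings"
)
// Constructed stand-ins for the public ID, private ID and AES key the tool generates.
const publicID, privateID = "vvcccccfhcbn", "a1b2c3d4e5f6"
const modhex, hexAlpha = "cbdefghijklnrtuv", "0123456789abcdef" // 1:1 alphabets
var blk, _ = aes.NewCipher([]byte("constructed-key!")) // 16 bytes, not a real key
// translate maps between the modhex alphabet the key types and plain hex.
func translate(s, from, to string) string {
	return strings.Map(func(r rune) rune {
		if i := strings.IndexRune(from, r); i >= 0 {
			return rune(to[i])
		}
		return 'z' // outside the alphabet; hex.DecodeString rejects it later
	}, s)
}
// crc16 (poly 0x8408, init 0xffff) is stored inverted, so an intact token gives 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408&-(crc&1) // shift, xor the polynomial if the low bit was set
		}
	}
	return crc
}
// Validate is the server side of an enrolled key: match the public ID, AES-decrypt
// the body, check private ID and CRC, and refuse counters not newer than last seen.
func Validate(otp string, lastCtr uint16, lastUse uint8) (uint16, uint8, error) {
	body := strings.TrimPrefix(otp, publicID)
	tok, err := hex.DecodeString(translate(body, modhex, hexAlpha))
	if len(body) == len(otp) || err != nil || len(tok) != 16 {
		return 0, 0, errors.New("unknown public id or malformed otp")
	}
	blk.Decrypt(tok, tok) // in place: tok now holds the 16-byte plaintext token
	if hex.EncodeToString(tok[:6]) != privateID || crc16(tok) != 0xf0b8 {
		return 0, 0, errors.New("private id or crc mismatch")
	}
	ctr, use := (uint16(tok[6])|uint16(tok[7])<<8)&0x7fff, tok[11] // LE session counter (top bit is a flag), uses in session
	if ctr < lastCtr || (ctr == lastCtr && use <= lastUse) {
		return 0, 0, errors.New("replayed or stale otp")
	}
	return ctr, use, nil
}
```

The last comparison is what makes an OTP single-use: an OTP replayed after a newer one has been accepted decrypts cleanly but fails the counter check, so the server must persist the last accepted (ctr, use) pair per key.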

Douglas Kuo

Nov 25, 2014, 8:47:55 PM11/25/14
to rcdevs-t...@googlegroups.com
Hi,

Thank you for the reply. I will give it a try. Also, is there a way to integrate 2-factor authentication directly into AD?

thanks,
Douglas