Title
Create new category
Edit page index title
Edit category
Edit link
Setup for Yubikey smart card for user authentication
The purpose of this guide is to demonstrate the process of setting up a smart card for authentication in MetaDefender Kiosk. In this example, we use a Yubikey smart card. Please note that this guide is for reference only, for the most accurate instructions, refer to the setup documentation provided by your smart card providers.
Smart card authentication requires proper setup and configurations on Domain Controllers, Active Directory and Kiosk.
Root Certificate Authority (CA) certificate must be created
Domain Controllers must be configured and trust the root CA certificate
Kiosk host machine must join the domain
The instruction bellow assumes requirements mentioned above have been met. Configuring these requirements are out of the scope of this document.
Kiosk 4.7.2 or later should support all ISO 7816-compliant microprocessor-based and FIPS 201 standard smart cards such as PIV smart card.
If Further Assistance is required, please proceed to log a support case or chat with our support engineer.
1. Certificate Template configuration
Step 1. Open Certificate Template
Press Win + R, type mmc, and open it with Administrator permissions

In the MMC window, select File, select Add/Remove Snap-in. From the list, select Certificate Template and click Add. Then, click OK.

Step 2. Duplicate two highlighted certificate templates (Enrollment Agent and Smartcard Logon) to create your own Smartcard certificate Template.

Right-click on each of these templates. Select Duplicate Template.

Step 3. Setup for Enrollment Agent template
Go to General tab:
Change Template display name to <domain-name> Enrollment Agent. e.g Yubikey
Set Validity period to 2 years
Set Renewal period to 6 weeks
Enable Publish certificate in Active Directory
Enable Do not automatically reenroll if a duplicate certificate exists in Active Directory

Go to Security tab
Add Read, Write and Enroll permissions to Authenticated Users

Click OK to duplicate the template
Step 4. Setup for Smartcard Logon template
Duplicate Smartcard Logon template
Go to Cryptography tab
Set the following values
Provider Category to Key Storage Provider
Algorithm name to ECDH_P256
Minimum key size to 256
Select Requests must use one of the following providers, and enable Microsoft Smart Card Key Storage Provider

Go to Subject Name tab
Select Build from this Active Directory information. Under Subject name format, select Fully distinguished name and enable User principal name (UPN)

Go to Issuance Requirements tab
Enable This number of authorized signatures, and set value of 1
Under Policy type required in signature, select Application policy
Under Application policy, select Certificate Request Agent

Go to Request Handling tab
Under purpose, select Signature and encryption, and enable For automatic renewal of smart card certificates, use the existing key if a new key cannot be created
Select Prompt the user during enrollment

Click OK to duplicate the template
2. Enrollment Agent certificate
Step 1. Open Certificate Manager
Press Win + R, type certmgr.msc, and open it with Administrator permissions
Step 2. Request new certificate
Under Certificate Manager, right-click on Personal, select All Tasks, select Request New Certificate

in Certificate Enrollment Policy, select Next to continue

Select <domain-name> Enrollment Agent created in previous steps, click on Properties

Provide a friendly name for this certificate, click Apply, then click OK

Click Finish to end the process

A new Enrollment Agent certificate is now created and shown under Certificate section.

3. User Enrollment
Step 1. Open Certificate Manager
Press Win + R, type certmgr.msc, and open it with Administrator permissions
Step 2. Enroll Users
In Certificate Manager, Right-click on Personal, Select All Tasks, Select Advanced Operations, Select Enroll on Behalf of...

Keep default settings and click Next until Select Enrollment Agent Certificate. Click Browse. Select a certificate for Enrollment Agent



Select <domain-name> Smartcard template created from previous steps. Click Next

Click Browse and select the user to enroll it to smart card. Click Enroll to finish the process

Insert the Yubikey to the computer
Enter the PIN and click OK
Wait for the enrollment to finish and click Close to exit, or click Next user to enroll another user

When multiple users were enrolled to the smart card, Kiosk will only grant access to the most recent enrolled user.
4. Install Smart Card Reader driver on the Kiosk machine
On the Kiosk machine, it is essential to install the appropriate drivers for your smart card Reader
Go to the provider website to download the driver required for your Kiosk machine Smart Card Drivers and Tools | Yubico
Please follow the provider's instruction to install the driver properly.

5. Enable smart card detection on Kiosk configuration
From Kiosk Management Console, navigate to Workflows, click on Set Default Login Method. Select MetaDefender kiosk Authentication, select Remote Active Directory, check Enable smart card authentication.
To use smart card authentication, Active Directory must be enabled and configured.



