Program a key over RDP

Normally, AuthLite keys can only be programmed when directly connected to the computer running the configuration program, not over remote desktop. There is a workaround.

For normal login, and changing passwords after your account is already AuthLite Integrated, the hardware keys (yubikeys) work normally over RDP.

But two situations require special attention over RDP:

  1. When you are first setting up your user account as AuthLite Integrated, in the "change password" screen
  2. When you are using the AuthLite configuration dialog to set up extra keys or Web/VPN (split) keys

If you attempt one of the above procedures in an RDP session, you will receive an error that there is no key plugged in. These programs can only write to the yubikey when it is plugged in to a USB port they can see. Over an RDP session, the yubikey is not actually connected to the remote system; only its keystrokes are sent. This is good enough to use the key, but not enough to program it.

A yubikey can be programmed over RDP, but it is necessary to add software to proxy the actual USB device over the RDP session, so that the remote machine believes it is plugged in directly. Microsoft RDP/Terminal services unfortunately does not include this functionality.

We have tested and recommend the software USB Redirector RDP edition. Note that this is a different, separate product from "USB Redirector". The "RDP" part is an important distinction: the other product won't work for this case.

Procedure to program a key over RDP:

  • Start the USB redirector client on your local system
  • Plug in the blank key to the local system
  • Select the new "USB Human Interface Device" item that appears in the redirector interface and click "Share USB device"
  • Note that while a yubikey is "shared", it cannot be used in the normal way to enter OTPs; it can only be programmed.
  • Log in to RDP
  • On the remote machine start the USB redirector "terminal server" portion
  • Program the key:
    • To integrate the user account, press CTRL+ALT+END to bring up the security screen and go to Change Password
    • To create extra keys or Web/VPN keys, launch and follow the appropriate AuthLite configuration dialog
  • Go back to the local machine and unshare the key. Now you can use it normally.

Note that as long as the key remains "shared", tapping the OTP button will not work. This is because the remote computer sees the shared key as a keyboard that is plugged in at the console. So, its keystrokes are not directed into your RDP session, but instead to the console session! To use the freshly programmed key, you must first unshare it from the local USB Redirector client.
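
The "no key plugged in" error comes down to whether the remote machine can see the key as a USB device. The following pre-check is an added example, not part of AuthLite or USB Redirector. It is meant to be run on the remote machine before starting the programming step, and it assumes a redirected key enumerates there with Yubico's USB vendor ID (1050) and that the `Get-PnpDevice` cmdlet is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: run on the REMOTE machine before programming a key.
# Assumption: a redirected yubikey enumerates with Yubico's USB vendor ID (VID_1050).

function Test-KeyVisibleForProgramming {
    # SESSIONNAME is "Console" at the physical console and "RDP-Tcp#<n>" over RDP.
    $inRdp = $env:SESSIONNAME -like 'RDP-*'

    # Devices currently present whose instance ID carries Yubico's vendor ID.
    $keys = @(Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -match 'VID_1050' })

    [pscustomobject]@{
        Session     = $env:SESSIONNAME
        InRdp       = $inRdp
        KeysVisible = $keys.Count
        Devices     = $keys | Select-Object Class, FriendlyName, InstanceId
        Ready       = $keys.Count -gt 0
    }
}

$result = Test-KeyVisibleForProgramming
$result.Devices | Format-Table -AutoSize

if ($result.Ready) {
    Write-Host "Key is visible as a USB device; programming can proceed."
} elseif ($result.InRdp) {
    # Plain RDP forwards only the key's keystrokes, so nothing enumerates here.
    Write-Host "RDP session, no key visible: share the key in the local USB redirector client and start the terminal server portion on this machine."
} else {
    Write-Host "Console session, no key visible: check that the key is plugged in."
}
```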
