iKey Authentication - Installation

Software Installation and Testing with the JointVPN

[Nov 23, 2009 14:09] Web access to Microsoft Live@edu accounts now works.

The iKey Hardware Token distribution and installation process involves an LSP installing the software, assisting with the initial iKey password change, and assisting with the initial iKey test. LSPs may request an iKey software CD from secnet-info@virginia.edu. All iKey users must complete the first five sections below. If you will be using your hardware token with a JointVPN service, you will also need to complete the remaining sections. LSPs who are using their tokens only for Network Tools access will need to complete the first five sections.

  1. Install the UVa High Assurance Root certificate.
  2. Install the Intermediate CA Certificate.
  3. Install the iKey software.
  4. Set your iKey passphrase (password).
  5. Test your iKey hardware token.
  6. Install the VPN client software and configure for use with the JointVPN.
  7. Use the JointVPN with your iKey hardware token.

1. Install the UVa High Assurance Root Certificate.

  1. Click here to start the installation process.
  2. Open the High Assurance Root certificate. Note: As you go through steps 2 and 3, be careful first to select the Open button on the download screen, and then to use the Install button to start the certificate installation process. A common mistake is to select the OK button instead of the Install button in step 3 below.

    File Download dialog: open the file or save it to your computer. Select Open.

  3. Click Install Certificate to begin the installation process.

    Certificate Information: Select Install Certificate.

  4. Click Next to start the Certificate Import Wizard.

    The Certificate Import Wizard: Click Next.

  5. Choose the Certificate Store by selecting the first radio button, and click Next.

    The Certificate Import Wizard Certificate Store: Select the first radio button and click Next.

  6. Click Finish to close out the Import Wizard.

    The Certificate Import Wizard Import Completion: You have successfully completed the certificate import. Click Finish.

  7. Click Yes to add the certificate to the Root Certificate Store.

    Root Certificate Store: Do you want to add the following certificate to the root store? Click yes.

2. Install the Intermediate CA Certificate.

Click here to install the Intermediate CA certificate. Follow the same process as above, paying particular attention to steps 2 and 3. There will be fewer pop-up boxes to complete in this installation.

3. Install the iKey Software.

Before You Begin

  • Do not insert your iKey into a USB port at this time. The software installation program will prompt you at the proper time to insert your iKey token.
  • First make sure that you are logged into Windows as Administrator or logged in with an account that has Administrator privileges.
  • Exit from any running programs.

Installation Steps

  1. Browse to the folder containing the UVa ITC customized iKey software package and double-click the setup icon.

    Setup icon

  2. Click Next to begin the software installation process.

    Welcome to the iKey 2000 Series software. Please close all applications and click Next to continue.

  3. Once you are satisfied with the terms of the license agreement, click Yes to continue.

    license agreement - click Yes to continue

  4. Please do not change the default software installation location. If you install the software in another place, it will be nearly impossible for ITC to assist with any problems you might encounter. Click Next to continue with the installation.

    choose destination location - click Next to accept the default

  5. Click Next to begin copying files to your hard drive.

    Click Next to begin copying files to your hard drive

  6. Towards the end of the software installation process, you will be prompted to insert your iKey token, as illustrated here. Do not take this step before the prompt appears. Insert your token into a USB slot on your PC.

    When prompted, insert your iKey token into a USB slot on your PC

  7. The initial phase of the installation is now complete. Click Finish to restart your computer, and remove your iKey hardware token while the system is restarting.

    Important: the software installation process will continue and complete after your system restarts. Since the software installation will finish when you login, you must login after this first restart as Administrator or using an account with Administrator privileges. Once the installation completes, you can log back into the system using your normal user account.

    Click Finish to close out the installation wizard and restart your computer

  8. Important: ITC recommends that you allow Windows Update to install a new version of the iKey driver. This is especially true if you are experiencing any problems with the computer. Run Windows Update and select the Custom Install option. Under Select Optional Hardware Updates you will find a new iKey driver. You should have Windows Update download and install this new driver. The newer driver has resolved problems for some users on some machines, and there are no known reports of it causing problems. ITC recommends that you install the updated driver from Windows Update as soon as you are able.

4. Set Your iKey Passphrase.

  1. Required: You must have the default password for your iKey hardware token. This password was provided to you along with your iKey.

    Insert your token into the USB interface and wait a few seconds.

  2. Open the iKey PassPhrase Utility: From the Windows Start menu select Programs, Rainbow Technologies, iKey 2000 Series Software, PassPhrase Utility.

    iKey Passphrase Utility menus

  3. When the Password Utility opens, click Update Password.

    iKey Password Utility - initial dialog box. Click Update Password.

  4. In the Update Token Password dialog, enter the default password you were given with your iKey as the old password. Then enter and re-enter a new password for your hardware token. Click OK.

    Warning: If you enter the old password incorrectly ten times, the token will shut down permanently. In that event, you will have to return your token to ITC and have it reprogrammed with new credentials.

    Update Token Password dialog box

  5. Click OK once again to close the password utility. You can repeat this process as needed to change the password for your iKey hardware token.

    password update confirmation - click Ok to close

5. Test Your iKey Hardware Token.

    • This test must be run using Microsoft Internet Explorer.
    • Insert your iKey hardware token into the USB interface and wait a few seconds.
    • Click here to start the test.
    • Note: if you rerun the test using the same instance of your web browser within ten minutes of your initial test, you will not be prompted again for the passphrase to your iKey hardware token the second time.
  1. A window appears like the one below, displaying your name as it is stored in the hardware token. Click OK to continue.

    Client Authentication window, showing user name associated with hardware token

  2. The prompt appears for the passphrase (password) that you set on your hardware token. Enter your passphrase and click OK to continue.

    Warning: if you enter your passphrase incorrectly ten times, the token will shut down permanently. In that event, you will have to return your token to ITC and have it reprogrammed with new credentials.

    Login dialog box - enter passphrase and click OK to continue

  3. A screen appears, similar to the one below, containing the information from your certificate.

    iKey test results window, displaying information associated with user's authentication certificate
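
A command-line cross-check of sections 1, 2 and 5, added here as an example and not part of ITC's instructions: it confirms that the root you trusted is the one you intended and that the certificate on the token chains to it. The thumbprint and name are placeholders (the page publishes neither), and the store locations checked are assumptions about where the Import Wizard placed the certificates.

```powershell
# Added example, not ITC's procedure. PLACEHOLDER values are assumptions.
$RootThumbprint = 'PLACEHOLDER-ROOT-THUMBPRINT'  # obtain from ITC out of band
$NameOnToken    = 'PLACEHOLDER-YOUR-NAME'        # name displayed in the section 5 test

$expected = ($RootThumbprint -replace '\s', '').ToUpper()

# Section 1: the root must be in a Trusted Root store under the expected thumbprint.
$root = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expected }
if (-not $root) {
    Write-Warning "No trusted root with thumbprint $expected was found."
}

# Sections 2 and 5: build the chain for each certificate carrying your name.
# Only public certificates are read; the private key on the token is not used.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$NameOnToken*" } |
    ForEach-Object {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
        $built = $chain.Build($_)
        $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        [pscustomobject]@{
            Subject       = $_.Subject
            ChainBuilt    = $built
            ChainLength   = $certs.Count
            AnchorSubject = $certs[-1].Subject
            AnchorMatches = ($certs[-1].Thumbprint -eq $expected)
            Problems      = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    } | Format-List
```

A healthy result shows ChainBuilt True and AnchorMatches True. A PartialChain problem points to a missing Intermediate CA certificate (section 2), and UntrustedRoot to a root that was not added to the Root Certificate Store (section 1).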

6. Install the VPN Client Software and Configure for Use with the JointVPN.

  1. Follow the instructions on the main ITC VPN client site to download and install the VPN client on your computer.
  2. Insert your iKey Hardware Token into the USB interface and wait a few seconds. The few seconds of delay allows Windows to register the digital certificate stored on your hardware token with the operating system. This registration must take place each time you start the VPN client software.
  3. Open the Start menu, locate the Cisco Systems VPN Client group, and select VPN Client (ITC) to open the application.

    Opening Start menu to locate VPN Client application

  4. Once the VPN client application starts, click the JointVPN profile to highlight it, then click the Modify icon.

    VPN Client window, showing mouse pointer on the Modify icon

  5. In the VPN Client Properties window, select the certificate associated with your iKey hardware token. If your only certificate is the one on your iKey token, then the proper certificate will already be displayed. If you have other digital certificates on your computer, you will have to select the correct entry. The certificate on your iKey token will not have a number after your name; all other certificates issued by the university will display a number. Select the certificate without a number after your name. (Note that (Microsoft) should appear immediately after your name in the certificate field.)

    VPN Client Properties window, showing iKey certificate selected

  6. Click Save to complete the initial configuration of your client software for the JointVPN.

    VPN Client Properties window, with mouse pointer on the Save button

7. Use the JointVPN Client with Your iKey Hardware Token.

  1. Insert your iKey Hardware Token into the USB interface and wait a few seconds. The few seconds of delay allows Windows to register the digital certificate stored on your hardware token with the operating system. This registration must take place each time you start the VPN client software.
  2. Open the Start menu, locate the Cisco Systems VPN Client group, and select VPN Client (ITC) to open the application.

    Opening Start menu to locate VPN Client application

  3. To establish a JointVPN session, click the JointVPN profile to highlight it, then click the Connect icon.

    VPN Client window, showing JointVPN profile selected, and the mouse pointer on the Connect icon

  4. When prompted, enter the passphrase to your iKey hardware token and click OK.

    Login dialog box - enter passphrase and click OK to continue

    The Cisco VPN Client window will automatically close once the VPN session has been established. A small lock icon will appear in the notifications area in the Task Bar at the bottom right corner of your computer screen. The closed lock indicates that a secure VPN connection has been established.

Special User JointVPN Profile

Some users will need to log into Windows Domain services that are located either on the Clinical Subnet or on the JointVPN network itself. Your department or your LSP will typically notify you if you need to log into a Windows Domain that is protected by the JointVPN.

If you need to log into a Windows Domain, use the JointVPN-SpecialRelogin VPN profile instead of the standard JointVPN profile, as illustrated in the image below. (Note: before you can use the JointVPN-SpecialRelogin profile, you must first configure the profile as shown in the section on Installing the VPN client software and configuring for use with the JointVPN; with the VPN client software installed, simply select the JointVPN-SpecialRelogin profile as shown below, and perform the same steps outlined for the standard JointVPN configuration.)

  1. To use the JointVPN-SpecialRelogin profile, click the profile to highlight it, and click the Connect icon.

    VPN Client window with Joint VPN Special Relogin profile selected

  2. Enter the passphrase to your iKey hardware token when prompted. Once the VPN session is established, the window shown below will appear for five seconds. At the end of the five second interval, you will be automatically logged out of and then back into Windows.

    VPN Client Banner window, showing warning that Windows relogin process is commencing

  3. At the Windows login prompt, enter your normal Windows password. Once you have logged into Windows, you will be fully logged into your Windows Domain and ready to work.

    Note for technical professionals: the user's first Windows login used cached credentials since no access to the Domain Controller existed before the VPN tunnel was established. Once the user logged into the local workstation using cached credentials, the VPN session was started using the iKey Hardware Token. As soon as the VPN tunnel was established, the VPN client software forced a Windows logoff and relogin. Since the VPN session was maintained throughout the logoff and relogin process and a connection to the domain controller was thus possible, the second Windows login was a full domain login using all of the normal login processing scripts. This technique enables the use of all Windows Domain capabilities even when the domain resides completely on a protected network segment and the user's workstation is located outside of the firewall and uses a VPN for its connection.

© 2009 by the Rector and Visitors of the University of Virginia.
