Small-Scale implementation

In this procedure, the administrator performs all of the YubiOn Portal site settings and the PC setup. Small-scale implementations are expected to cover from one to dozens of PCs, all within the administrator's reach. Be sure to read the notes before proceeding with the implementation.


1. Note

  • Be sure to check the system requirements before proceeding with the implementation.

  • Check here for available YubiKeys.

  • The setup of the PC requires Windows administrative privileges.

  • Do not change the configuration of Slot1 on the YubiKey.
    The YubiKey has two configurable Slots that support features such as One Time Password (OTP) and Challenge Response (used in offline authentication).

    • Slot1: The initial state is configured to Yubico OTP.
      If you change your Slot1 information, you will not be able to use it on YubiOn Portal.

    • Slot2: The initial state is unconfigured.
      If offline authentication is used, a challenge-response setting is required in Slot2.

  • Prior preparation is required to enable offline authentication of the PC.
    Before distributing YubiKey to users, please refer to YubiKey offline settings to configure YubiKey.

2. Implementation flow

  • Portal registration
    [Administrator Action] Register on YubiOn Portal. After registration, contact us to switch to the paid version.

  • Member registration / settings
    [Administrator Action] Register users (members) and set your YubiKey in YubiOn Portal.

  • Installation
    [Administrator Action] Install the software on each PC.

  • Service settings
    [Administrator Action] Configure the service settings for two-factor authentication.

  • Start of use

3. YubiOn Portal registration

Skip this step if you have already registered.

3-1. New registration

Register your customer information at the YubiOn Portal registration page.

The first person to register on YubiOn Portal will be the representative of your organization.

You will receive a registration approval email upon new registration.
Click on the approval link.

Registration Approval Email


3-2. First login

From the login screen, log in with your registered email address and password.

YubiOn Portal login screen

Password entry form

Enter the correct email address and password to log in to YubiOn Portal.

About customer login
The representative of the organization (the person who first registered on YubiOn Portal) logs in with a password only.
Once the representative is set up with a YubiKey, the two-factor authentication login form is presented instead.
Note: Once all YubiKeys have been unassigned from the representative, the customer login form will appear.

The first time you log in, a simple settings screen appears.

First time login screen (Simple settings screen)


4. Simple settings

Skip this step if you’ve already done the simple settings.

Simple settings screen


4-1. YubiKey registration

Set your YubiKey for login. Next time you log in to YubiOn Portal, you will need the YubiKey you set here.

4-2. Selection of settings

Click on “You do not configure your PC…” as this procedure does not configure the operator’s own PC.

Once you skip this setting, the simple settings screen will no longer appear the next time you log in.


5. Switching to the paid version

Customers who are already using the paid version should skip this step.

The implementation procedure is based on the functions of the paid version.
If you would like to examine the paid version or switch to a paid version, please contact us here.

The following description assumes a paid version.

6. Member registration

Register members (users) in YubiOn Portal.

Click on “Member Management” from the menu on the left side of the screen.

Click on the “Member Registration” icon.

In the member registration window, input the “ID/Member name/Email address/Password” to add a new member and click the “Register” button.

Click “OK” when a confirmation message is displayed.
Once the registration is complete, the added members will be displayed in the member list.


7. YubiKey assignment

YubiOn Portal provides two-factor authentication using “YubiKey” in addition to “ID / Password”. For members in your organization to use two-factor authentication with YubiKey, you need to assign them a YubiKey first.

Click on the member you want to assign a YubiKey to from the “Member List”.

Click the “YubiKey Assignment” button.

Select the input field and plug the YubiKey you want to assign to the member into the USB port.

Tap the YubiKey to input its one-time password.

Click “OK” when a confirmation message is displayed.
When the assignment has been completed, the assigned YubiKeys will be displayed in the YubiKey list.


8. Setup

These are the steps the administrator performs on each PC.
To set up two-factor authentication on a PC, you need to install a Windows Logon Service application (hereinafter Client Tools).

Before Use
Please be sure to check the system requirements before installing the software.
The installation requires Windows administrative privileges. Also, the PC may reboot after the client tools are installed. Save important files and close all applications before installing.


8-1. Software downloads

Click the “PC” icon from the menu on the left side of the screen and click “Download”.

Click the “Download” button.

Save the installer to any location.
If the PC you downloaded to and the PC you want to configure are different, save the installer to any location on the target PC.

About downloading
Depending on your PC, a 32-bit or 64-bit download button will be displayed.

If you want to download the tools for a different architecture
Click on “Download tools for different architecture”. A download button for a different architecture will be displayed.
Download the tools for your architecture.


8-2. Software Installation

Run the installer “WlsInstaller_x64.msi” or “WlsInstaller_x86.msi” on the target PC.

If a warning appears during installation
If the Microsoft “SmartScreen” feature is enabled, you may receive a warning when downloading a file or at the start of installation. If you get a warning, please follow these steps to proceed with the installation.

Note: Do not run any file unless you are sure it was downloaded from our YubiOn Portal site, as it may be a malicious file.

1. Click on “More Info”.
2. Click the “Run anyway” button.
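Before choosing “Run anyway”, the administrator can check where the file came from and whether it carries a valid Authenticode signature. The following PowerShell is an added example, not part of the YubiOn documentation; the function name is hypothetical, and the expected download host and publisher name are placeholders to be filled in with values you have confirmed with the vendor.

```powershell
# Added example: pre-install checks for the downloaded MSI.
# $ExpectedHost and $ExpectedPublisher are placeholders (assumptions); this page does not state them.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHost,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )
    $result = [ordered]@{
        Path = $Path; Sha256 = $null; HostUrl = $null; HostOk = $false
        SignatureStatus = $null; Signer = $null; SignerOk = $false
    }

    # The hash lets you confirm that a copy moved to another PC is byte-identical.
    $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Mark-of-the-Web: browsers record the download URL in the Zone.Identifier stream (NTFS only).
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostLine = $motw | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1
    if ($hostLine) {
        $result.HostUrl = $hostLine.Substring('HostUrl='.Length)
        $uri = $null
        if ([Uri]::TryCreate($result.HostUrl, [UriKind]::Absolute, [ref] $uri)) {
            $result.HostOk = ($uri.Scheme -eq 'https') -and ($uri.Host -eq $ExpectedHost)
        }
    }

    # Authenticode: the status must be Valid and the signer must be the publisher you expect.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SignatureStatus = $sig.Status
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        $cn = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        $result.SignerOk = ($sig.Status -eq 'Valid') -and ($cn -eq $ExpectedPublisher)
    }
    [pscustomobject] $result
}

# Test-DownloadedInstaller -Path .\WlsInstaller_x64.msi `
#     -ExpectedHost '<portal download host>' -ExpectedPublisher '<publisher name>'
```

If the installer was copied to the target PC over media that drops NTFS streams, `HostUrl` is empty and `HostOk` stays false; in that case compare the SHA-256 value with the one computed on the PC that performed the download.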

Review the software license agreement and check the “I accept…” checkbox.

Click on “Install”. The installation begins.

On the User Account Control confirmation pop-up, click Yes.

Once the installation is complete, the completion screen will be displayed.

If you finish with the “Launch configuration tool…” checked, the configuration tool will be launched automatically.

Continue with the installation of the required runtime.
On the User Account Control confirmation pop-up, click Yes.
The installation of the required runtime is started.
After the installation of the runtime, a pop-up will be displayed prompting you to restart.

If there is no need for a reboot, the pop-up will not appear.
If there is no pop-up display, the installation is complete at this point.

Click “Yes” when a confirmation message is displayed.

The PC will be rebooted and the installation of the client tools will be completed.

If you don’t want the user to uninstall it
The paid option “Uninstallation Control” can be used to hide the software from the list of installed applications and discourage uninstallation.

For purchasing the “Uninstall Control” option, please contact us here.


8-3. PC setup

YubiOn Portal administrator privileges are required to perform the following settings.
Configure the PC while it is connected to the network.

Launch the configuration tools from the start menu. Skip this step if you have already launched the client tool.

Input the “email address/password” that you have registered on YubiOn Portal in the “Email address” and “Password” fields.

Plug the YubiKey registered in YubiOn Portal into the USB port.
Select the “OTP” field and tap YubiKey to input your one-time password. After inputting, a configuration screen will be displayed.

Click on “Assign Account setting” in the launched configuration tool.

Click the “Register” button.

Select “Account”, “Member”, and “Authenticator” and click the “OK” button.

About YubiKey’s display name
The name of YubiKey shown in “Authenticator” will be YubiKey’s public ID (first 12 characters of one-time password) by default.

Click the “OK” button on the configuration completion pop-up.

Click “Exit” to close the configuration tool.

If a general account performs the setting
YubiKey assignments can also be done by non-administrators. In that case, the Windows account you are currently logged on to and the YubiKey you used to log in to the client tool are assigned immediately. Non-administrator members cannot choose an account or specify a YubiKey.
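Because the “Authenticator” list identifies each key by its public ID, it helps to record which public ID belongs to which member before the keys are handed out. The following PowerShell is an added example, not part of the YubiOn documentation; the function names, member names and OTP strings are constructed for illustration, and it assumes Slot1 still holds its initial Yubico OTP configuration (44 modhex characters per tap).

```powershell
# Added example: map members to YubiKey public IDs from one tapped OTP per key.
# The member names and OTP strings below are constructed, not real key output.
function Get-YubiKeyPublicId {
    param([Parameter(Mandatory)] [string] $Otp)
    $text = $Otp.Trim().ToLowerInvariant()
    # Initial Slot1 output: 44 modhex characters, a 12-character public ID
    # followed by 32 characters that change on every tap.
    if ($text -cnotmatch '^[cbdefghijklnrtuv]{44}$') {
        throw 'Not a 44-character modhex Yubico OTP'
    }
    $text.Substring(0, 12)   # only the public ID is kept; the rest is discarded
}

function New-YubiKeyInventory {
    param([Parameter(Mandatory)] [object[]] $Taps)   # objects with Member and Otp
    $owner = @{}
    foreach ($tap in $Taps) {
        $id = Get-YubiKeyPublicId -Otp $tap.Otp
        [pscustomobject]@{
            Member    = $tap.Member
            PublicId  = $id
            Duplicate = $owner.ContainsKey($id)   # same key tapped for a second member
        }
        if (-not $owner.ContainsKey($id)) { $owner[$id] = $tap.Member }
    }
}

$taps = @(
    [pscustomobject]@{ Member = 'member01'; Otp = 'cccccckdvvul' + ('bdefghij' * 4) }
    [pscustomobject]@{ Member = 'member02'; Otp = 'ccccccrtuvnl' + ('jihgfedb' * 4) }
)
New-YubiKeyInventory -Taps $taps | Format-Table -AutoSize
```

An input that fails the check usually means the tap landed in the wrong field or Slot1 no longer holds its initial configuration, which the notes at the top of this page say makes the key unusable with YubiOn Portal.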


8-4. Distribute YubiKey to users

After completing PC setup, distribute YubiKey to your users.

Check before YubiKey distribution
Prior preparation is required to enable offline authentication of the PC.
Before distributing YubiKey to users, please refer to YubiKey offline settings to configure YubiKey.

If you are setting up PCs for multiple people, repeat steps 6-8 for each person.

That’s all for setup.

9. Service settings

In the service configuration screen, configure the settings for the two-factor authentication service.

9-1. General service settings

Click the “PC” icon from the menu on the left side of the screen.
Click on “Service Settings”.

Default service settings screen (paid version)


Configure the following settings to match your security policy.

| Configuration item | Contents | Default |
|---|---|---|
| 1. Cache logon expiration date | The number of days available for offline authentication. | Disabled |
| 2. Screen lock | Lock the screen when unplugging the YubiKey. | Disabled |
| 3. Forced YubiKey logon | Force logon with YubiKey at PC logon. | Disabled |
| 4. Authentication failure lock | Locks the PC when logon fails a certain number of times. It is also possible to unlock the PC after a certain amount of time has passed. | Disabled |
| 5. Automatic email notification | Email notifications when there is a change in PC status or service settings. | Enabled (Representative) |


In the initial view of the service settings, “Default Policy” is selected.
This step is based on the “Default Policy”.

The “Default Policy” will be applied during PC registration.

About the Group policy
Group policy is the function of dividing service settings into multiple groups.
For more information, see Group Policy Settings.

About the Master Key
Master Key is the function that allows you to log on to any PC and any account with one YubiKey.
For more information, see Master Key Settings.

Reflecting the group policy on the PC
Group policy settings will be reflected when you log on while the target PC is connected to the network.


9-2. Cache logon settings

Setting an expiration date for offline authentication allows you to log on offline for a specified number of days from the date of the last successful PC logon. If disabled, you will not be able to log on in environments without a network connection.

YubiKey offline settings are required to use the cache logon function.

Click the radio button of “Enable” and input the expiration date.

Click the “Update” button.

About offline authentication
- To enable offline authentication, the PC must be successfully authenticated online once.
- Each time a logon to the PC succeeds, the offline authentication period is updated.
  e.g. If the offline expiration date is set to 3 days:
    If a logon to the PC succeeds on April 1st, offline authentication is enabled from April 1st to April 3rd.
    If a logon to the PC succeeds during that period, offline authentication is effective for an additional 3 days from the date of the successful authentication.
- Please contact your administrator for the offline expiration date.

If you want to make the cache logon deadline indefinite
The paid option “Cache Logon Indefinitely” allows you to set the number of days of validity of cache information indefinitely.

To purchase the “Cache Logon Indefinitely” option, please contact us here.


9-3. Screen lock settings

With screen lock enabled, you can lock the screen automatically when you unplug the YubiKey from the PC’s USB port.

Check the “Lock screen when unplugging YubiKey.” checkbox.

It is set to disabled by default.

Click the “Update” button.

9-4. Forced YubiKey logon settings

Configure the PC to force logon using YubiKey at PC logon.

Check the “Force a logon using YubiKey.” checkbox.

It is set to disabled by default.

Click the “Update” button.

9-5. Authentication failure lock settings

When you enable the authentication failure lock setting, you can prevent logon to the PC after a certain number of failed logon attempts.

Check the “Lock the PC…” checkbox.

It is set to disabled by default.

Input the number of attempts to lock the PC.
Click the “Update” button.

About the PC lock
The state in which logon to a PC is not possible is called a “PC lock”.
See how to unlock the PC lock state.


9-6. Unlock settings after an authentication failure lock

Check the “Unlock in a certain amount of time after authentication failure lock” checkbox.

It is set to disabled by default.

Input the time (in minutes) to unlock the PC.
Click the “Update” button.

About the timing of the PC unlock
Once the specified time has passed since the PC lock occurred, reboot the PC while it is connected to the network to unlock it.


9-7. Automatic email notification settings

When there is a change in the status of the PC or in the service settings, the members registered in the notification settings are notified automatically. By default, the representative is set as the recipient of the notification.

Click the settings icon in the top right corner of the service settings screen, and then click “Email notification settings”.

Toggle the notification settings between enabled and disabled.

Check the notification items you want to receive.

The default is set to notify the representative.

Click the “Update” button.

About notification
If “When the PC is locked or unlocked” is checked
Notifies which PC has changed to which state.

If “When changing service settings” is checked
Notifies you of any changes in service settings, such as cache logon settings.

If you want to change the mail recipient
Click here for instructions on how to change email recipients.


10. Operational confirmation

Check if the user PC reflects the settings of the group policy.

About Group Policy
Group policy is the function of dividing service settings into multiple groups.
For more information, see Group policy settings.

From the menu on the left side of the screen, click the “PC” icon and then click “Service Settings”.


10-1. About group policy status

There are three types of group policy reflection status: “Reflected”, “Unreflected”, and “Old policy is reflected”.

Group policy reflection state

  • Reflected: The latest group policies are reflected in the PC.
  • Unreflected: The group policy is not reflected in the PC.
  • Old policy is reflected: The old group policy is reflected in the PC.

10-2. Group policy reflection confirmation

Click on the group policy to confirm.

Click the “PC list” tab.

Click the pull-down below the status.
Then click “Unreflected”.

The list of PCs that do not reflect the group policy will be displayed.

An “Unreflected” PC is indicated by an “X” mark.

If you want to check the “Old policy is reflected” status
If you click “Old policy is reflected” in the status pull-down, a list of PCs with old group policies reflected is displayed.
- If the old policy is reflected, it is displayed with a “warning mark”.
- If you “Change Group Policy” or “Apply Another Group Policy”, the PC will be in the “Old policy is reflected” state.

If you want to check the “Reflected” status
If you click “Reflected” in the status pull-down, a list of PCs with the latest group policy reflected is displayed.
- If the latest group policy is reflected, it is indicated by a “check” mark.

How to reflect the settings on the PC
When you log on while the target PC is connected to the network, the group policy settings will be reflected.

That’s all for the implementation procedure.

11. Supplement


11-1. Two-factor authentication method for YubiOn Portal site

At the login of YubiOn Portal site, two-factor authentication by “email address”, “password” and “YubiKey” of the member (user) is required.

Only the representative (the one who first registered in YubiOn Portal) will be logged in with a password only, unless a YubiKey is assigned.

Access the login page.
Input your email address in the email address field and click the Confirm button.

Input the “password” in the password field.

Plug the YubiKey into the USB port.

Click the YubiKey input field and tap YubiKey.

Once the YubiKey outputs its one-time password, it is entered automatically and you are logged in.

After logging in, the “Dashboard” will be displayed.