RSA SecurID Token User Guide
Table of Contents

Section I    How to request an RSA SecurID token ... 1
Section II   Setting your RSA SecurID PIN ... 6
Section III  Setting up PuTTY on your Windows workstation to tunnel Remote Desktop through epoxy to a protected Windows server ... 13
Section IV   Setting up a Mac to tunnel Remote Desktop through epoxy to a protected Windows server ... 20
Section V    Using Remote Desktop from a Windows or Mac workstation to connect to a Windows server through the epoxy tunnel ... 25
Section VI   Handling an RSA SecurID token in Next tokencode required mode ... 29
Appendix     RSA SecurID token request form ... 34
Section I  How to request an RSA SecurID token

1) To obtain an RSA SecurID token, you must fill out the form that is in the Appendix of this document, obtain the required signatures and send it to the OIT Help Desk.

2) There are three ways to access target servers with RSA SecurID authentication:
   a. If you will be accessing a Unix or Linux-based server, you will likely first open an SSH session with a tunneling server known as epoxy.princeton.edu. The epoxy.princeton.edu server will provide the RSA SecurID authentication.
   b. If you will be accessing a Windows terminal server that has the RSA SecurID authentication service installed, you will be able to authenticate to the terminal server directly through a Remote Desktop connection from your workstation. Currently, users accessing the University's and McCarter's ticketing systems use terminal servers with RSA SecurID authentication installed. In this case, you normally would not need access to epoxy.princeton.edu.
   c. If you must administer a protected Windows system that does not have the RSA SecurID service, you must first open an SSH session with epoxy.princeton.edu, which will provide the RSA SecurID authentication and securely tunnel the Remote Desktop session.

3) In case b above, where you will not be using the epoxy SSH tunnel, you can submit your RSA SecurID token form; the OIT Help Desk will set up your RSA SecurID account and provide you with your RSA SecurID token. You can skip the remainder of this section and proceed to Section II, Setting your RSA SecurID PIN.

4) If you will be using epoxy, before you can begin to access the epoxy tunnel, the NetID that you will be using with your RSA SecurID token must be authorized as follows:
   a. You must enable Unix for the NetID that will be associated with the RSA SecurID token, and select a shell by following the procedure described in the following OIT KnowledgeBase article: http://kb.princeton.edu/5216. From the KnowledgeBase article, click the Enable Unix Account link.
   b. You will be asked to log in. Use the NetID that will be associated with the requested RSA SecurID token.
   c. If the page that is returned has a heading that says Update your Unix account, Unix is already enabled for your account. In this case proceed to step g. Otherwise, continue to the next step.
   d. If the page has a heading that says Enable your Unix account, click the radio button next to the Enable my Unix account label, and then click the Enable my Account button.
   e. The following message will be returned. Wait ten minutes for Unix to be enabled.
   f. Then go back to the web site to set your Unix shell. After logging in, the following page will be displayed:
   g. Choose the Unix shell that you wish to use in a Unix environment, click the appropriate radio button, and then click the Submit Change button. The example shows the selection of the Bourne shell, but any shell would be OK.
   h. Once you've selected a shell, the following page will be displayed:
   i. Once you have selected a default shell, ask the OIT Help Desk (258-HELP) to submit an OPM ticket asking OIT's Enterprise Servers and Storage (ESS) group to add the NetID to the group authorized to use RSA SecurID authentication access on the SSH tunneling server, epoxy.princeton.edu. Authorization usually takes between 1 and 2 hours to complete.
   j. Once ESS completes the request, the OIT Help Desk will set up your RSA SecurID account and provide you with your RSA SecurID token. Then, proceed to Section II, Setting your RSA SecurID PIN.
Section II  Setting your RSA SecurID PIN

You can use one of the following two methods to set your PIN.

Method 1

You can use the RSA SecurID Self-Service website to set the PIN by performing the following steps.

Note - You must either be on-campus or, if off-campus, using VPN technology to perform this procedure.

1) Visit the following website: https://sdprsa200l.princeton.edu/ss. The following page will be displayed. Enter your RSA SecurID user ID and click on the Log on link.
2) The following page will be displayed.
3) Click the down arrow next to Authentication Method: to open the drop-down menu, and click the Passcode menu item.
4) After selecting the Passcode option, click the Log On button.
5) In the following page, enter ONLY the number that is displayed on the RSA SecurID token's LCD in the Passcode: text box.
6) In the following page, enter the following information into the form:
   a. Enter your new PIN in the text box labeled New PIN:, with the following restrictions: it must be a minimum of four characters (alpha or numeric), and cannot match any of your three previous PINs.
   b. Verify it by entering it again in the text box labeled Confirm New PIN:.
   c. Wait for the number on the RSA SecurID token's LCD to change, enter that number into the text box labeled Next Tokencode:, and click the OK button to submit.
7) The following page will be displayed confirming that the PIN has been successfully set.

Notes - You will see a note on the above screen indicating that your password has expired, and that you have not answered the security questions. We currently are neither using a password to override token authentication nor security questions for self-service resets, so you can ignore both messages.

8) At this point, you can log out of self-service by clicking the Log Out link in the upper right-hand corner of the page.
Method 2

If you are authorized to use the epoxy.princeton.edu tunneling server and have already set up PuTTY on your system by following the instructions in Section III (Windows users) or Section IV (Mac or Linux users) of this document, you can set your RSA SecurID token PIN through a connection to the epoxy.princeton.edu server.

1) If you are a Mac or Linux workstation user, open a terminal window, enter the command ssh epoxy.princeton.edu, and skip to step 4.
2) If you are a Windows user using PuTTY, open PuTTY and load the PuTTY configuration that you set up on your Windows system by selecting its configuration name (in this case My Configuration) and then clicking the Load button.
3) After verifying that the Host Name is set to epoxy.princeton.edu, the Port is 22 and the Connection Type is SSH, click Open to open the session.
4) In both the PuTTY window on Windows and the Terminal window on Mac workstations, epoxy will display a Login as: prompt. Enter your assigned RSA SecurID user ID.
5) When prompted for your passcode, enter ONLY the value displayed on the RSA SecurID token's LCD, since the token currently has no PIN.
6) Upon successful entry of the passcode, you will be asked whether you want to enter a PIN. Enter Y; otherwise, the session will be disconnected.
7) Select a new PIN of 4 to 8 alphanumeric characters when prompted.
8) After you enter the new PIN for the first time, the system will ask you to verify the PIN value by re-entering it at the prompt.
9) If the values match and meet the 4 to 8 alphanumeric character standard, you will receive a Passcode: prompt. You must wait until the value displayed on the LCD has changed from the one entered in the original logon. Once it has changed, test your passcode by entering the new PIN followed by the LCD value.
10) If the passcode is successfully entered, the epoxy.princeton.edu session will be established and a command prompt presented.

Section III  Setting up PuTTY on your Windows workstation to tunnel Remote Desktop through epoxy to a protected Windows server

1) If you are using a Windows device to access your target system, download and install the PuTTY SSH client from http://www.putty.org/ to open SSH connections to epoxy.princeton.edu, our tunneling server.
2) Open PuTTY. The following screen will be displayed:
3) In the initial window, enter epoxy.princeton.edu in the Host Name field, and make sure the "Port" field is set to 22.
4) Scroll down the menu items to the "SSH" menu item under "Connection", click on the "+" to the left of SSH, and then, on the expanded menu under SSH, click on Tunnels.
5) The following screen will be displayed:
6) In the "Add new forwarded port" section, enter 33891 in the "Source Port" field. Then, enter (the name of the server to which you want to RDP).princeton.edu:3389 in the "Destination" field. Make sure that, under the Destination label, the Local and Auto radio buttons are selected. Then click the Add button.
7) The following screen will be displayed with the server name that you entered:

Note - When you are using tunneling and you activate the tunnel, if you want to open a Remote Desktop session with server1name.princeton.edu, you must connect to localhost:33891. The way tunneling works in this scenario is that PuTTY will see your request to connect to localhost port 33891, compare it to its tunneling table and, upon seeing the match, will direct your RDP request to the destination associated with that localhost port, in this case server1name.princeton.edu. You must create one forwarded port for each server to which you want to RDP. For example, you might set up 33892 (source port) to Remote Desktop to (a second server to which you want to RDP).princeton.edu:3389.

8) To add another destination server, do the same thing: in the "Add new forwarded port" section, enter 33892 in the "Source Port" field. Then, enter (the name of the server to which you want to RDP).princeton.edu:3389 in the "Destination" field. Make sure that, under the Destination label, the Local and Auto radio buttons are selected. Then click the Add button.
9) The following screen will be displayed after you enter the second server:
10) Continue adding as many destination servers as you need, following steps 8 and 9. When you've finished adding servers, go to the top of the menu on the left of the configuration screen and click the "Session" menu item at the very top of the menu.
11) The following screen will be displayed:
12) Enter a name of your choosing for the configuration. Then, click the "Save" button.
13) PuTTY is now ready for tunneled Remote Desktop sessions.
Section IV  Setting up a Mac to tunnel Remote Desktop through epoxy to a protected Windows server

If you need to Remote Desktop to a Windows server through the epoxy.princeton.edu tunnel using a Mac workstation, you will need to configure your Mac as follows:

1) Open a terminal window on the Mac.
2) At the prompt, enter the following command followed by the Enter key:
   defaults write com.apple.finder AppleShowAllFiles YES
3) At the prompt, enter the following command followed by the Enter key:
   killall Finder
4) Open a Finder window. Under the Go menu, click the Go to Folder menu item.
5) The following window will open:
6) Enter the value ~/.ssh into the text box.
7) A list of files in the directory will be displayed.
8) If there is no file named config in the directory list, open the TextEdit.app program and create a new text document.
9) If the config file does exist, right-click the config file and open it with the TextEdit.app program.
10) Add the following lines to your config file:
    LocalForward 33891 server1name.princeton.edu:3389
    LocalForward 33892 server2name.princeton.edu:3389
    LocalForward 33893 server3name.princeton.edu:3389
    Note - Replace server1name with the host name of the first server to which you will Remote Desktop; replace server2name with the host name of the second server (if needed); replace server3name with the host name of the third server (if needed), etc.
11) After entering the necessary LocalForward commands into the file, click Save under the File menu.
12) If the config file previously existed, the file will be saved and no further action needs to be taken.
13) If you created a new config file, the following will be displayed when you click the Save menu item:
14) In the Save As: text box, enter the tilde (~) character. This will cause the following popup to be displayed:
15) Set the Go to the folder: text box to the following value: ~/.ssh. Then click the Go button.
16) Enter config into the Save As: text box. Then, click the Save button to save the config file.
Section V  Using Remote Desktop from a Windows or Mac workstation to connect to a Windows server through the epoxy tunnel

When you want to connect to a server that you support or use via the epoxy tunneling server, perform the following steps:

1) If you are a Mac or Linux workstation user, open a terminal window, enter the command ssh epoxy.princeton.edu, and skip to step 4.
2) If you are a Windows user using PuTTY, open PuTTY and load the PuTTY configuration that you set up on your Windows system by selecting its configuration name (in this case My Configuration) and then clicking the Load button.
3) After verifying that the Host Name is set to epoxy.princeton.edu, the Port is 22 and the Connection Type is SSH, click Open to open the session.
4) In both the PuTTY window on Windows and the Terminal window on Mac workstations, epoxy will display a Login as: prompt. Enter your assigned RSA SecurID user ID.
5) Next, you will be prompted for your Passcode:. Enter your PIN immediately followed by the number on your assigned RSA SecurID token, as one string.
6) Once the login is successful, you will have an open SSH session with the epoxy tunneling server. You must keep the Windows PuTTY session or Mac Terminal window open; that is your connection to the SSH tunnel. The session can be minimized.
7) You can then start the Remote Desktop client application.

Notes - You should NOT open the Remote Desktop session with the actual name of the target server, since all access to the device must come through the epoxy tunnel. Instead, the Remote Desktop session must be made to "localhost:xxxxx" (where xxxxx is the local port that you defined in your PuTTY configuration or Mac config file for the server that you wish to access). In the PuTTY and Mac client setup sections, we suggested that, since the Remote Desktop port is usually 3389, you could set local port 33891 for the first server, 33892 for the second, etc., but the local port numbers can be set to any value (OVER 1023) that you prefer.

8) Log into the server with your assigned server ID and password. You should now be connected to the target system. NOTE: your ID may be different from your SecurID user ID.
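Sections III, IV and V all rely on one mapping: each target server gets its own local port, the SSH session to epoxy forwards that port to the server's Remote Desktop port 3389, and the Remote Desktop client is pointed at localhost:<local port>, never at the real server name. The Python script below is an added example (not code from the guide or from OIT) that builds that mapping from a list of server names, produces the LocalForward lines Section IV has you put in ~/.ssh/config, checks an existing config file for a conflicting use of the same local port before anything is appended (Section IV, step 9), and prints the localhost:port target to type into Remote Desktop for each server. The starting port 33891, the RDP port 3389, the rule that local ports must be above 1023 and the princeton.edu suffix are taken from the guide; the server names are constructed placeholders and the function and variable names are my own.

```python
"""Plan the per-server local ports for an epoxy-style SSH tunnel.

Added example, not from the guide. Server names used below are constructed
placeholders; the starting port 33891, the RDP port 3389 and the
princeton.edu suffix come from the guide's own instructions.
"""
import re

RDP_PORT = 3389
FIRST_LOCAL_PORT = 33891          # the guide's suggested first local port
DOMAIN = "princeton.edu"
# LocalForward [bind_address:]port host:hostport
LOCALFORWARD_RE = re.compile(
    r"^\s*LocalForward\s+(?:\S+:)?(\d+)\s+(\S+)\s*$", re.IGNORECASE)


def plan_forwards(servers, first_port=FIRST_LOCAL_PORT, domain=DOMAIN):
    """Return [(local_port, fqdn)], one distinct local port per server.

    Local ports must be above 1023 (the guide's rule) and below 65536, and
    each server gets exactly one port so the tunnel table is unambiguous.
    """
    plan, seen = [], set()
    for offset, name in enumerate(servers):
        fqdn = name if "." in name else f"{name}.{domain}"
        if fqdn in seen:
            raise ValueError(f"{fqdn} listed twice")
        seen.add(fqdn)
        port = first_port + offset
        if not 1023 < port < 65536:
            raise ValueError(f"local port {port} is outside 1024-65535")
        plan.append((port, fqdn))
    return plan


def ssh_config_lines(plan):
    """The lines Section IV has you add to ~/.ssh/config."""
    return [f"LocalForward {port} {fqdn}:{RDP_PORT}" for port, fqdn in plan]


def rdp_targets(plan):
    """What to type into the Remote Desktop client (Section V note):
    never the real server name, always localhost:<local port>."""
    return {fqdn: f"localhost:{port}" for port, fqdn in plan}


def existing_forwards(config_text):
    """Parse the LocalForward lines already present in a config file."""
    found = {}
    for line in config_text.splitlines():
        m = LOCALFORWARD_RE.match(line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found


def merge_forwards(config_text, plan):
    """Lines to append to an existing config.

    A local port that is already forwarded to a *different* destination is
    a conflict: ssh cannot bind the same local port twice, and Remote
    Desktop would silently land on whichever forward won the bind.
    """
    present = existing_forwards(config_text)
    additions = []
    for port, fqdn in plan:
        dest = f"{fqdn}:{RDP_PORT}"
        if port in present and present[port] != dest:
            raise ValueError(
                f"local port {port} already forwards to {present[port]}, "
                f"not {dest}")
        if port not in present:
            additions.append(f"LocalForward {port} {dest}")
    return additions


if __name__ == "__main__":
    # Constructed sample: two placeholder servers and an existing config
    # that already forwards the first one.
    plan = plan_forwards(["server1name", "server2name"])
    existing = "LocalForward 33891 server1name.princeton.edu:3389\n"
    print("\n".join(merge_forwards(existing, plan)))
    for fqdn, target in rdp_targets(plan).items():
        print(f"Remote Desktop to {fqdn}: connect to {target}")
```

Run it once before editing ~/.ssh/config; if it raises on a port conflict, pick a different starting port (anything above 1023, as the note above says) rather than overwriting the existing forward.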
Section VI  Handling an RSA SecurID token in Next tokencode required mode

You may encounter a very confusing situation where you receive a second Passcode: prompt when attempting to access the epoxy server. It appears as if the first passcode you entered failed, since the two prompts are identical Passcode: displays and no other message is provided. If this occurs, your passcode may very well have been entered correctly, but your token might be in Next tokencode mode. This usually occurs after you've previously entered a couple of incorrect passcode values. When your token is in Next tokencode mode, the system requires you to log in once successfully with your PIN and the value on the token's LCD at the first Passcode: prompt, and then to provide the next value on the token's LCD, WITHOUT THE PIN, at a subsequent Passcode: prompt. If this occurs, proceed as follows:

Method 1:
1) When prompted for the User name:, enter the user ID associated with the token.
2) When prompted the first time for the Passcode:, enter your PIN and the number on the LCD of your RSA SecurID token.
3) When prompted the second time for the Passcode:, wait for the number on your token's LCD to change, and then enter ONLY the number on the LCD of your RSA SecurID token.

Method 2:
1) Enter the following URL into your web browser: https://sdprsa200l.princeton.edu/ss
2) Enter your NetID in the User ID: text box. Then, click the OK button.
3) The following page will be displayed.
4) Change the value of the drop-down to Passcode.
5) Click the Log On button.
6) The following page will be displayed.
7) In the Passcode: text box, enter the PIN associated with your token immediately followed by the number that is displayed on the token's LCD. Then, click the Log On button.
8) The following page will be displayed.
9) Wait for the number on the token's LCD to change. Then, enter ONLY the number on the LCD into the Next Tokencode: text box and click the OK button.
10) When you have successfully logged in, the following page will be displayed and the token will be out of Next Tokencode mode, so your next logon will be a normal one.
11) At this point you can click on the Log Off link at the upper right-hand portion of the page.
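The double Passcode: prompt is easier to reason about as a small state machine: the authenticating server counts consecutive bad passcodes, and once the token is flagged it insists on a correct PIN+tokencode and then, at an identical-looking prompt, the bare next tokencode, which only succeeds after the LCD value has changed. The following Python model is an added example, a deliberately simplified model of the exchange and not RSA's implementation or anything from the guide. It walks through Method 1 end to end and also checks the PIN rules Section II states (4 to 8 alphanumeric characters, not one of the three previous PINs). The two-failure threshold, the tokencode sequence and all class, function and variable names are constructed assumptions; the real server's threshold is not stated in the guide.

```python
"""Simplified model of the SecurID logon exchange and Next tokencode mode.

Added example; a constructed model, not RSA's implementation or the guide's
code.  The failure threshold, the tokencode sequence and all names are
assumptions made for illustration.
"""
import re

PIN_RE = re.compile(r"^[A-Za-z0-9]{4,8}$")   # Section II: 4-8 alphanumeric
FAILURES_BEFORE_NEXT_TOKENCODE = 2           # assumption: "a couple" of bad passcodes
PROMPT_PASSCODE = "Passcode: "
PROMPT_SHELL = "$ "                          # logged in: command prompt


def pin_is_acceptable(new_pin, previous_pins):
    """Guide's PIN rules: 4-8 alphanumeric and not any of the last three PINs."""
    return bool(PIN_RE.match(new_pin)) and new_pin not in previous_pins[-3:]


class TokenAuthenticator:
    """Server side of the exchange for one token.

    `lcd` is the sequence of tokencodes the token's LCD would show; the
    caller invokes advance() to model the LCD changing.
    """

    def __init__(self, pin, lcd):
        self.pin = pin
        self._lcd = list(lcd)
        self._idx = 0
        self.failures = 0
        self.next_tokencode_required = False   # token flagged after bad passcodes
        self._awaiting_next = False            # first prompt passed, waiting for bare code
        self._used_code = None                 # tokencode accepted at the first prompt

    def current_tokencode(self):
        return self._lcd[self._idx]

    def advance(self):
        """The LCD rolls over to the next tokencode."""
        self._idx += 1

    def submit_passcode(self, entered):
        """Return the prompt the user sees next.

        A correct passcode in Next tokencode mode yields the same
        'Passcode: ' prompt as a failure: the confusing case in Section VI.
        """
        if self._awaiting_next:
            self._awaiting_next = False
            # Bare tokencode only, and it must be a *new* LCD value.
            if entered == self.current_tokencode() and entered != self._used_code:
                self.next_tokencode_required = False
                self.failures = 0
                return PROMPT_SHELL
            return PROMPT_PASSCODE            # start over at the first prompt
        if entered == self.pin + self.current_tokencode():
            if self.next_tokencode_required:
                self._used_code = self.current_tokencode()
                self._awaiting_next = True
                return PROMPT_PASSCODE        # second, identical prompt
            self.failures = 0
            return PROMPT_SHELL
        self.failures += 1
        if self.failures >= FAILURES_BEFORE_NEXT_TOKENCODE:
            self.next_tokencode_required = True
        return PROMPT_PASSCODE


def demo():
    """Walk through Section VI, Method 1, with a constructed token."""
    auth = TokenAuthenticator(pin="1234", lcd=["111111", "222222", "333333"])
    transcript = []
    transcript.append(auth.submit_passcode("1234999999"))   # wrong tokencode
    transcript.append(auth.submit_passcode("0000111111"))   # wrong PIN: token flagged
    transcript.append(auth.submit_passcode("1234111111"))   # correct, yet prompted again
    auth.advance()                                          # wait for the LCD to change
    transcript.append(auth.submit_passcode("222222"))       # bare next tokencode
    return auth, transcript


if __name__ == "__main__":
    auth, transcript = demo()
    for i, prompt in enumerate(transcript, 1):
        print(f"response {i}: {prompt!r}")
    print("next tokencode mode cleared:", not auth.next_tokencode_required)
```

The third response in the demo is the one users misread as a failure; the model makes the point that nothing in the prompt distinguishes the two cases, so the only reliable recovery is the procedure above: wait for the LCD to change and enter the bare tokencode. Re-entering the PIN, or re-using the tokencode already accepted, simply returns to the first prompt with the token still flagged.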
Appendix  RSA SecurID token request form

The next page is the form that should be used by anyone who needs to request an RSA SecurID token. It can also be found on the Information Security website at: http://www.princeton.edu/itsecurity/procedures/securid/

RSA SecurID Token Request Form

An RSA SecurID Token ("Token") is being requested by:
Name ("Assignee"):
Campus Address:
Sponsoring Department:
OIT-issued NetID:
Phone:
Chart String:
for the following Purposes:

By signing below, the Assignee, Manager and Department Head acknowledge that they have read and agree to the following:

The Token is the property of Princeton University's OIT. Its use and disposition is under the administration and jurisdiction of the University's Information Security Office.

The Token may only be used for the purposes listed above. In the event these purposes change, the Assignee, Manager or Department Head must notify the University's Information Security Office.

The Token must not be shared with any individual, unless such arrangement is made in advance with the University's Information Security Office.

The Assignee, Manager or Department Head must promptly notify the University's Information Security Office if the Token is lost or stolen.

The Assignee, Manager or Department Head is also required to promptly notify and return the Token to the University's Information Security Office, if:
  o It is used by anyone other than the Assignee,
  o It is used for purposes other than those listed above,
  o The Assignee transfers from the department listed herein to another University department,
  o The Assignee's association with the University ends, either voluntarily or involuntarily, or
  o The Token is damaged or is not functioning properly.

                              Print Name    Signature    Date
Assignee:
Manager:
Department Head:
Information Security Office:
Issued by:

Rev 1 - 12/9/2014