Yubico Forum

Re: Unable to get PIV to work with Windows

2014-11-10T16:39:55+01:00

Resolved my issue by running Set-Chuid with version 0.1.1. Clearly 0.1.0 had a bug.

Statistics: Posted by akatz0813 — Mon Nov 10, 2014 4:39 pm

Re: Unable to get PIV to work with Windows

2014-11-04T22:48:35+01:00

What CSP are you allowing/specifying in your template? Thats the only thing I can think of that is different.

Statistics: Posted by akatz0813 — Tue Nov 04, 2014 10:48 pm

Re: Unable to get PIV to work with Windows

2014-11-04T22:20:44+01:00

The template on the Certificate Authority is configured to set the SAN. I also confirmed that the cer issued by the CA contains it. See screenshots

Statistics: Posted by akatz0813 — Tue Nov 04, 2014 10:20 pm

Re: Unable to get PIV to work with Windows

2014-11-04T21:23:45+01:00

Confirmed in my environment at least. As soon as you get the SAN loaded properly it works. I can now log into Windows using the cert. You can inject a SAN as a switch to the certreq command as follows:

certreq -submit -attrib "CertificateTemplate:templateToUse" -attrib "SAN:upn=user@domain&email=null@somewhere.com" .\request.csr cert.crt

Change the values as appropriate.

Statistics: Posted by ordeneus — Tue Nov 04, 2014 9:23 pm

Re: Unable to get PIV to work with Windows

2014-11-04T21:04:41+01:00

Is it not that windows is expecting to find your credentials in the Subject Alternate Name (specifically your UPN)?

According to Microsoft the Subject field should contain a DN: "This field is a mandatory extension, but the population of this field is optional."

So, unless you've figured out a way to include a SAN I don't think this will work?

Statistics: Posted by ordeneus — Tue Nov 04, 2014 9:04 pm

Re: Unable to get PIV to work with Windows

2014-11-03T17:28:17+01:00

Workstation is Windows 8.1. I have tried to authenticate against Windows Server 2012 and 2012 R2.

One likely possibility is the certificate template configured incorrectly, although I'm using the same exact template that I use for my HID Crescendo smart cards. What CSP do you have configured?

Statistics: Posted by akatz0813 — Mon Nov 03, 2014 5:28 pm

Re: Unable to get PIV to work with Windows

2014-11-03T10:03:09+01:00

Hello,

there is a very large number of possible answers this this thread. Most probably something is wrong in your AD/WinServ configuration.

What server version are you using?

I have successfully tested it on Windows Server 2012 RC*

Statistics: Posted by Tom — Mon Nov 03, 2014 10:03 am

[SOLVED] Unable to get PIV to work with Windows

2014-11-10T16:43:11+01:00

Hello all,

I have completed the instructions here: https://developers.yubico.com/yubico-pi ... icate.html

Everything was successful according to the command line utility. Used a copy of a template in Windows Certificate Services from my smart card logon template that works for my traditional smart cards.

However, RDP, Windows logon, etc all say that I do not have a valid certificate on my Yubikey. Please help!

Statistics: Posted by akatz0813 — Fri Oct 31, 2014 10:38 pm