Yubico Forum

Re: [QUESTION] PIN caching for SSL certificates

2017-10-19T10:18:08+01:00

Ah, this seems to be the cause: https://forum.yubico.com/viewtopic.php?f=26&t=2739

Statistics: Posted by bozho — Thu Oct 19, 2017 10:18 am

Re: [QUESTION] PIN caching for SSL certificates

2017-10-18T19:47:04+01:00

Well, it may have been fixed, but I can't test it as it actually stopped working for me.

I haven't tried remoting in a few weeks now and I was setting up a new machine. Today I went to test it and I can't get Windows to behave with my Yubikey.

So, nothing has changed with the Yubikey - it still has the same self-signed cert in the authentication slot. At first, I thought it's the new machine, but I've just checked with the old machine where this used to work and I get the same result.

In short, on the machine where it used to work, I performed these steps:
1. Delete the cert from Cert:\CurrentUser\My\ (it was there previously).
2. Plug in Yubikey - the certificate appears in the store.
3. Run the code from my original post - get the message along the lines "The smart card cannot perform this action.. ". I didn't get the entire message, because I can't repeat it (read on
4. Unplug Yubikey and delete the certificate again.
5. Plugin Yubikey - the certificate does not reappear in the certificate store. Rebooting doesn't help, cussing at it doesn't help.

I can't get it to work on the new machine, either (both machines run Win10 Pro with latest updates).

If I import the certificate from the PFX file and not use Yubikey, everything works as expected.

Is there something I need to do with Yubikey?

Statistics: Posted by bozho — Wed Oct 18, 2017 7:47 pm

Re: [QUESTION] PIN caching for SSL certificates

2017-10-18T09:08:29+01:00

I can confirm that it has been fixed. Endlich!

Statistics: Posted by Chris77 — Wed Oct 18, 2017 9:08 am

Re: [QUESTION] PIN caching for SSL certificates

2017-10-13T18:48:29+01:00

ITS FIXED!!! It is finally freaggin fixed!

Windows Update ran this week. Not sure which update specifically which update was applied. But when I went to open a PuTTY session today, I noticed that the pin key window was behaving normally (it popped up and took focus, rather than opening behind all other windows). So I gave it a try a second time, and PuTTY authenticated without asking for another prompt.

That only took... what... 7 months to fix!? Thanks Microsoft

UPDATE: It is KB4041676
https://support.microsoft.com/en-us/hel ... -kb4041676

Quote:

Addressed issue where Personal Identity Verification (PIV) smart card PINs are not cached on a per-application basis. This caused users to see the PIN prompt multiple times in a short time period; normally, the PIN prompt only displays once.

Statistics: Posted by DarkainMX — Fri Oct 13, 2017 6:48 pm

Re: [QUESTION] PIN caching for SSL certificates

2017-06-23T11:26:34+01:00

Tested on the Creators update with the latest updates, still no luck (although I would expect security updates not to be tied to these "big" Windows feature updates)

Statistics: Posted by bozho — Fri Jun 23, 2017 11:26 am

Re: [QUESTION] PIN caching for SSL certificates

2017-05-02T23:14:37+01:00

I did some debugging on this issue but didn't find a solution.

- The issue was introduced by Windows Update KB3013429 (Released March 2017) which is included in every later cumulative Update.
- Removing any Windows Update 10 and installing KB3213986 (Released Jan 2017) fixes the issue, but is a security disaster.
- New Profile doesn't help
- Disabling PIN completly is not possible!?

I tried to install and configure OpenSC but either I did something wrong or it doesn't help.

I got an Yubico support response recommending to open a ticket with Microsoft.

Similar issue is mentioned on the web for others services including Citrix without solution:

Quote:

Before installing KB4013429 a client would be asked for their password just once when signing the soap request and each subsequent request to sign the soap request would not come up with a password box to reenter their credentials.

https://answers.microsoft.com/en-us/windows/forum/windows_10-update/update-kb4013429-causing-another-problem-with-our/e3cb3a00-020e-45ec-a838-41f94a231557

Quote:

The user enters the smart card PIN at the Receiver prompt but is returned back to the PIN prompt again without any failure message.

http://discussions.citrix.com/topic/385836-receiver-smart-card-login-direct-to-storefront-broken-on-windows-10-after-kb4013429-update

Statistics: Posted by Chris77 — Tue May 02, 2017 11:14 pm

Re: [QUESTION] PIN caching for SSL certificates

2017-05-02T17:53:05+01:00

PIN caching is still broken with creating a fresh user profile, too. This is effecting every developer that I know which uses Windows 10 currently. Win10 is requesting PIN on every single signing request, which for programming is a lot. For instance, running a git submodule update could pull 10+ packages all at once, every single one requesting PIN now.

My current work around: coding on Windows 10, but doing all git operations through a Windows 7 virtual machine.

Statistics: Posted by DarkainMX — Tue May 02, 2017 5:53 pm

Re: [QUESTION] PIN caching for SSL certificates

2017-04-13T12:18:46+01:00

The latest cumulative update for Windows 10 (April 2017 / KB4015217) doesn't fix PIN caching issue.

So currently the only workaround is to not install March/April 2017 updates

On windowsreports.com they recommend to try a new and empty user profile. We're going to test that now.

Statistics: Posted by Chris77 — Thu Apr 13, 2017 12:18 pm

Re: [QUESTION] PIN caching for SSL certificates

2017-04-05T15:42:47+01:00

No, I didn't have time to chase this up with Microsoft... I'm holding off on applying Windows updates for now.

Statistics: Posted by bozho — Wed Apr 05, 2017 3:42 pm

Re: [QUESTION] PIN caching for SSL certificates

2017-04-03T17:09:43+01:00

Any news on this issue?

Uninstalling official Windows Updates can't be permanent solution for this issue ...

Chris

Statistics: Posted by Chris77 — Mon Apr 03, 2017 5:09 pm

Re: [QUESTION] PIN caching for SSL certificates

2017-03-23T23:14:57+01:00

Hi Matthew,

It would appear that it's not KB4013418, but one of these two: KB3150513, KB4015438.

I managed to revert to an earlier restore point on one system and uninstall these two updates on another and certificate PIN caching now works fine.

Marko

Statistics: Posted by bozho — Thu Mar 23, 2017 11:14 pm

Re: [QUESTION] PIN caching for SSL certificates

2017-03-23T19:08:38+01:00

Hello Bozho,

Yes the latest Windows 10 Update KB4013418 is causing quite a few issues. you can read more at link below.
http://windowsreport.com/fix-windows-10-kb4013418-bugs/

Best Regards,
Matthew
Yubico Support

Statistics: Posted by mattlegitt — Thu Mar 23, 2017 7:08 pm

Re: [QUESTION] PIN caching for SSL certificates

2017-03-23T11:35:22+01:00

Just a quick follow up: I've tried the same scenario on a Win 8.1 machine and PIN caching works as expected. It looks like Windows 10 broke something in the last update.

Statistics: Posted by bozho — Thu Mar 23, 2017 11:35 am

[QUESTION] PIN caching for SSL certificates

2017-03-22T19:17:55+01:00

Hi all,

I'm using Yubikey NEO to store a custom personal SSL certificate in slot 9a. I use the certificate to authenticate against remote Windows machines for remote execution in PowerShell.

I have a PS workflow I'm working on and the usual behaviour is when I start the workflow, I get a popup dialogue asking me for the PIN and then the workflow carries on. The workflow does connect several times to the remote machine, but I used to get the PIN dialogue only once.

However, today I started getting the popup several times while the workflow is running. I tried reverting to yesterday's code, even though there were no changes that should affect this behaviour, with no luck.

I'm running Windows 10 Pro with the latest updates. I've tried rebooting the machine and using a different USB port.

EDIT: Minimal example to replicate the problem is to open a Powershell CIM session to a remote computer:

Code:

$option = New-CimSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck -UseSsl
$cert = gi Cert:\CurrentUser\My\XXXXXXXXXXXXXXXXXXXXXXXX
$s = New-CimSession -ComputerName machine.example.com -CertificateThumbprint $cert.Thumbprint -SessionOption $option

Running the last line for the first time pops up the PIN dialogue. Running the line again in the same Powershell window was not prompting for the PIN again. However, today I get the PIN dialogue every time - tested on two different Win10 Pro machines.

How could I determine what is causing the change in behaviour?

On a possibly unrelated note, PIN caching for my PGP keys works as expected.

Thank you,
Marko

Statistics: Posted by bozho — Wed Mar 22, 2017 7:17 pm