For enroll on behalf of (EOBO) you also need to set the publish and enroll in the "Enrollment Agent" template as covered in the Smart Card Deployment Guide.
The Enrollment Agent template was also published. I was able to pull the cert and get almost all the way through enrollment before it failed due to policy.
I ran RSOP.msc to see if there were any conflicts with GPOs but everything was configured the way I expected. I was still getting the 'blocked by computer policy' error so I disabled all of my computer GPOs and self enrollment worked. By turning things back on one at a time I determined that my Yubikey GPO was to blame. I believe it's one or both of my registry edits:
BlockPUKOnMGMUpgrade or NewKeyTouchPolicy
What I'm working backwards to understand is how the YubiKeys were getting the certificate installed in 9a -only with the PIV Manager- but weren't able to authenticate.
Statistics: Posted by RadiatorMints — Tue Jan 23, 2018 10:02 pm
]]>2018-01-23T21:47:21+01:002018-01-23T21:47:21+01:00https://forum.yubico.com/viewtopic.php?t=2828&p=10130#p10130<![CDATA[Re: YubiKey 4 for PIV stopped working]]> Regarding your issue with self-enrollment, please open a support ticket for further troubleshooting. https://www.yubico.com/support/get-support/
Statistics: Posted by JamesA — Tue Jan 23, 2018 9:47 pm
]]>2018-01-22T20:20:54+01:002018-01-22T20:20:54+01:00https://forum.yubico.com/viewtopic.php?t=2828&p=10127#p10127<![CDATA[Re: YubiKey 4 for PIV stopped working]]>https://www.yubico.com/wp-content/uploa ... 7_RevB.pdf Actions taken today (1/22/2018): Revoked all previous user certs except the one that works. Reissued the root domain cert and verified through cert chains that it is being used. Pushed all the auto-enrollment config via GPO and found it in the system tray. (Fails with a message about "Prohibited by Computer Policy" weather it's launched from the tray or certmgr) Added a brand new PC to the domain and logged in via the one working YubiKey 4 on the first boot with no configuration other than previously configured GPOs.
EDIT: per the documentation under the Cryptography tab: Provider Category is now Key Storage Provider Algo is RSA, length is default: 2048 Provider is Microsoft Smart Card Key Storage Provider
What am I missing?
Statistics: Posted by RadiatorMints — Mon Jan 22, 2018 8:20 pm
]]>2018-01-22T20:55:53+01:002018-01-19T16:51:41+01:00https://forum.yubico.com/viewtopic.php?t=2828&p=10123#p10123<![CDATA[YubiKey 4 for PIV stopped working]]> So I purchased the rest of the YubiKeys I needed for my users, implemented the Enroll on behalf of CA Template and that's when everything went completely sideways. Enroll on behalf of didn't seem to work at all, the template couldn't find the signature > no certificate on the YubiKey > cert enrollment failure on the CA. So I'm back to user self enrollment and I can get a certificate on a YubiKey. The PIV manager recognizes it, it's published in the Certificate Authority but any time I try to use it for login the endpoint says that "No valid certificates were found on this smart card."
My original YubiKey and cert still works flawlessly. Changing out YubiKeys yields the same results (failure). I changed the name of the original template and recreated a new one from scratch with the following settings:
General Validity period is 2 years Cert is published in AD Compatibility CA is Server 2016 Recipient is Windows 7 Request handling Signature and encryption Include symmetric algorithms allowed by the subject Prompt user during enrollment Cryptography Note: italicized text refers to a configuration that has since been changed Key Storage Provider RSA Key Size 2048 Requests must use Microsoft Smart Card Key Storage Provider
Legacy Cryptographic Service Provider Algo determined by CSP Requests must use Microsoft Enhanced Cryptographic Provider v1.0
Security Authenticated users may read and enroll Admins can read, write, and enroll
I'm happy to answer any questions (within the realm of reason).
Update: I replicated those template settings with a new, longer, unique name, made sure it was published to the CA and waited the 20 minutes. It still isn't working.
Statistics: Posted by RadiatorMints — Fri Jan 19, 2018 4:51 pm