Yubico Forum https://forum.yubico.com/ |
[SOLVED] Unable to get PIV to work with Windows https://forum.yubico.com/viewtopic.php?f=26&t=1568 |
Author: | akatz0813 [ Fri Oct 31, 2014 10:38 pm ] |
Post subject: | [SOLVED] Unable to get PIV to work with Windows |
Hello all, I have completed the instructions here: https://developers.yubico.com/yubico-pi ... icate.html Everything was successful according to the command line utility. Used a copy of a template in Windows Certificate Services from my smart card logon template that works for my traditional smart cards. However, RDP, Windows logon, etc. all say that I do not have a valid certificate on my Yubikey. Please help! |
Author: | Tom [ Mon Nov 03, 2014 10:03 am ] |
Post subject: | Re: Unable to get PIV to work with Windows |
Hello, there is a very large number of possible answers to this thread. Most probably something is wrong in your AD/WinServ configuration. What server version are you using? I have successfully tested it on Windows Server 2012 RC* |
Author: | akatz0813 [ Mon Nov 03, 2014 5:28 pm ] |
Post subject: | Re: Unable to get PIV to work with Windows |
Workstation is Windows 8.1. I have tried to authenticate against Windows Server 2012 and 2012 R2. One likely possibility is the certificate template configured incorrectly, although I'm using the same exact template that I use for my HID Crescendo smart cards. What CSP do you have configured? |
Author: | ordeneus [ Tue Nov 04, 2014 9:04 pm ] |
Post subject: | Re: Unable to get PIV to work with Windows |
Is it not that Windows is expecting to find your credentials in the Subject Alternate Name (specifically your UPN)? According to Microsoft the Subject field should contain a DN: "This field is a mandatory extension, but the population of this field is optional." So, unless you've figured out a way to include a SAN I don't think this will work? |
Author: | ordeneus [ Tue Nov 04, 2014 9:23 pm ] |
Post subject: | Re: Unable to get PIV to work with Windows |
Confirmed in my environment at least. As soon as you get the SAN loaded properly it works. I can now log into Windows using the cert. You can inject a SAN as a switch to the certreq command as follows:

certreq -submit -attrib "CertificateTemplate:templateToUse" -attrib "SAN:upn=user@domain&email=null@somewhere.com" .\request.csr cert.crt

Change the values as appropriate. |
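
The SAN check discussed in the posts above, as an added example that is not part of any poster's message: a PowerShell function that opens the issued certificate file and reports whether the Subject Alternative Name carries a UPN. The function name is hypothetical, the `Principal Name=` match assumes English-language Windows formatting, and the EKU fields are extra context that the thread itself does not discuss.

```powershell
# Added example, not code from the thread. Test-LogonCertSan is a hypothetical name.
function Test-LogonCertSan {
    param(
        [Parameter(Mandatory)] [string] $Path,  # issued certificate, e.g. .\cert.crt
        [string] $ExpectedUpn                   # optional: UPN the account logs on with
    )

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # Subject Alternative Name extension (OID 2.5.29.17)
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }

    # Assumption: English-language Windows renders the UPN entry as
    # "Principal Name=user@domain"; other locales use a different label.
    $upn = if ($sanText -match 'Principal Name=(\S+)') { $Matches[1] } else { $null }

    # Enhanced Key Usage extension (OID 2.5.29.37), reported for context only
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus   = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    [pscustomobject]@{
        Subject           = $cert.Subject
        NotAfter          = $cert.NotAfter
        HasSan            = [bool]$sanExt
        Upn               = $upn
        # $null when no expected UPN was supplied; comparison is case-insensitive
        UpnMatches        = if ($ExpectedUpn) { $upn -eq $ExpectedUpn } else { $null }
        SmartCardLogonEku = $ekus -contains '1.3.6.1.4.1.311.20.2.2'
        ClientAuthEku     = $ekus -contains '1.3.6.1.5.5.7.3.2'
    }
}

# Usage with the placeholder values from the certreq command above:
# Test-LogonCertSan -Path .\cert.crt -ExpectedUpn 'user@domain'
```

A result with `HasSan` true and `Upn` empty means the extension is present but holds no UPN entry (for example only an e-mail address), which is the situation the post above describes.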
Author: | akatz0813 [ Tue Nov 04, 2014 10:20 pm ] |
Post subject: | Re: Unable to get PIV to work with Windows |
The template on the Certificate Authority is configured to set the SAN. I also confirmed that the cer issued by the CA contains it. See screenshots |
Author: | akatz0813 [ Tue Nov 04, 2014 10:48 pm ] |
Post subject: | Re: Unable to get PIV to work with Windows |
What CSP are you allowing/specifying in your template? That's the only thing I can think of that is different. |
Author: | akatz0813 [ Mon Nov 10, 2014 4:39 pm ] |
Post subject: | Re: Unable to get PIV to work with Windows |
Resolved my issue by running Set-Chuid with version 0.1.1. Clearly 0.1.0 had a bug. |
All times are UTC + 1 hour |