Yubico Forum
All times are UTC + 1 hour
PostPosted: Fri Oct 31, 2014 10:38 pm 
Hello all,

I have completed the instructions here: https://developers.yubico.com/yubico-pi ... icate.html

Everything was successful according to the command line utility. Used a copy of a template in Windows Certificate Services from my smart card logon template that works for my traditional smart cards.

However, RDP, Windows logon, etc all say that I do not have a valid certificate on my Yubikey. Please help!


Last edited by akatz0813 on Mon Nov 10, 2014 4:43 pm, edited 1 time in total.


PostPosted: Mon Nov 03, 2014 10:03 am 
Site Admin
Hello,

There is a very large number of possible answers to this thread. Most probably something is wrong in your AD/WinServ configuration.

What server version are you using?

I have successfully tested it on Windows Server 2012 RC*

_________________
-Tom


PostPosted: Mon Nov 03, 2014 5:28 pm 
Workstation is Windows 8.1. I have tried to authenticate against Windows Server 2012 and 2012 R2.

One likely possibility is the certificate template configured incorrectly, although I'm using the same exact template that I use for my HID Crescendo smart cards. What CSP do you have configured?


PostPosted: Tue Nov 04, 2014 9:04 pm 
Is it not that Windows is expecting to find your credentials in the Subject Alternate Name (specifically your UPN)?

According to Microsoft the Subject field should contain a DN: "This field is a mandatory extension, but the population of this field is optional."

So, unless you've figured out a way to include a SAN I don't think this will work?


PostPosted: Tue Nov 04, 2014 9:23 pm 
Confirmed in my environment at least. As soon as you get the SAN loaded properly it works. I can now log into Windows using the cert. You can inject a SAN as a switch to the certreq command as follows:

certreq -submit -attrib "CertificateTemplate:templateToUse" -attrib "SAN:upn=user@domain&email=null@somewhere.com" .\request.csr cert.crt

Change the values as appropriate.


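As an added example (not code from this thread or from Yubico), here is a PowerShell check a practitioner can run on the issued certificate file before loading it onto the YubiKey: it confirms the two things the posts above turn on, a UPN in the Subject Alternative Name and the Smart Card Logon EKU. The certificate path is an assumption; the OIDs are the standard ones.

```powershell
# Added example, not from the thread. Usage (path assumed):
#   .\Check-LogonCert.ps1 -CertPath .\cert.crt
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Well-known OIDs
$sanOid        = '2.5.29.17'               # Subject Alternative Name
$scLogonEku    = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon
$clientAuthEku = '1.3.6.1.5.5.7.3.2'       # Client Authentication

# 1. UPN in the SAN. Format($true) renders the extension the way certutil does,
#    e.g. "Other Name:" followed by "Principal Name=user@domain".
$upn = $null
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
if ($san -and ($san.Format($true) -match 'Principal Name=(\S+)')) {
    $upn = $Matches[1]
}

# 2. EKU OIDs from the Enhanced Key Usage extension (empty if the extension is absent).
$ekus = @()
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

# Summary of what the logon provider will see
[pscustomobject]@{
    Subject           = $cert.Subject
    Issuer            = $cert.Issuer
    NotAfter          = $cert.NotAfter
    SanUpn            = $upn
    HasSmartCardLogon = ($ekus -contains $scLogonEku)
    HasClientAuth     = ($ekus -contains $clientAuthEku)
} | Format-List

if (-not $upn) {
    Write-Warning 'No UPN in the Subject Alternative Name; by default Windows maps the logon to an account through this value.'
}
if ($ekus -notcontains $scLogonEku) {
    Write-Warning 'Smart Card Logon EKU is missing; check the certificate template.'
}
```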
PostPosted: Tue Nov 04, 2014 10:20 pm 
The template on the Certificate Authority is configured to set the SAN. I also confirmed that the cert issued by the CA contains it. See screenshots.


Attachments: yubikey-ca2.PNG, yubikey-ca.PNG
PostPosted: Tue Nov 04, 2014 10:48 pm 
What CSP are you allowing/specifying in your template? That's the only thing I can think of that is different.


PostPosted: Mon Nov 10, 2014 4:39 pm 
Resolved my issue by running Set-Chuid with version 0.1.1. Clearly 0.1.0 had a bug.

