Yubico Forum


All times are UTC + 1 hour
PostPosted: Mon May 11, 2015 7:09 pm 

Joined: Mon May 11, 2015 6:58 pm
Posts: 5
I have received a Yubikey NEO to pilot a deployment for admin accounts in an Active Directory domain. I was hoping I could deploy these with minimal installation of additional software on users' machines.

ADCS provides a URL, https://certificateauthority.domain.int/CertSrv, where users can enroll, using their AD credentials, for certificates. Smart card functionality is included here. I have enabled CCID on the NEO, yet when it comes time to enroll for a certificate, Windows reports that my NEO is read-only. I have used the PIV manager to reset the PIN and management PIN but don't seem to see an option to unlock it so that Windows' native Smart Card services can enroll for a new smart card cert.

Am I missing something?



PostPosted: Tue May 12, 2015 9:28 am 
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
https://developers.yubico.com/PIV/Introduction/

https://developers.yubico.com/PIV/Tools ... nager.html

https://developers.yubico.com/yubico-pi ... icate.html

PostPosted: Tue May 12, 2015 7:02 pm 

Joined: Mon May 11, 2015 6:58 pm
Posts: 5
Thanks. I had seen this before (which is how I managed to change the PIN), and it certainly provides sufficient information for me to import a Windows certificate, but I was hoping that users would be able to do this themselves without any additional software. I apologize for not knowing the names of the subsystems involved, but with previous smart cards, users could go to the web interface on our issuing CA and request a smart card certificate. Their inserted smart card would show up, and they'd have to enter their PIN (or administrator PIN) to enroll and get the private keys loaded on their smart card. With the YubiKey, I get the popup shown in the attached file.


Attachments:
2015-05-12 13_56_44-Microsoft Active Directory Certificate Services.png
PostPosted: Wed May 13, 2015 9:09 am 
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
OpenSC does not support CMC format.

For self-enrollment use the PIV MANAGER GUI. It is extremely simple and you can edit the GUI to leave just 1 button and rename it "give me a smartcard i don't know what I am doing"

I assume you have a workstation where the user goes and self-enrolls, right? Just have him insert the NEO and use the PIV MANAGER GUI.

PostPosted: Mon Jun 15, 2015 6:52 pm 

Joined: Mon May 11, 2015 6:58 pm
Posts: 5
Tom2 wrote:
OpenSC does not support CMC format.


Selecting PKCS didn't make a difference.

Quote:
For self- enrollment use the PIV MANAGER GUI.

This ended up working, just ran into trouble initially because I was using the Display Name and not the internal name of the certificate template.

Quote:
you can edit the GUI to leave just 1 button and rename it "give me a smartcard i don't know what I am doing"

I assume editing the GUI is an appdev activity? I am just a lowly server engineer. :-)

Quote:
I assume you have a workstation where the user goes and self-enrolls, right? Just have him insert the NEO and use the PIV MANAGER GUI.

Not today. We're still trying to determine how this process is going to work out.

Thanks Tom2, you did provide useful information and I think I can at least write up documentation on using PIV Manager.

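The step-by-step equivalent of what PIV Manager does during self-enrollment, written out as an added example (not code from this thread, from Yubico, or from PIV Manager itself): generate a key on the NEO, build a CSR, submit it to the AD CS issuing CA with certreq, and load the issued certificate back into the slot. It also lists every template's displayName next to its internal Name, since the CA's CertificateTemplate attribute must carry the internal Name, which is the mistake described in the last post. Assumptions: yubico-piv-tool.exe is on PATH, the RSAT ActiveDirectory module is installed on the workstation, and the CA config string, template name and subject below are placeholders to be replaced with your own values.

```powershell
# Added example, not from the thread or from Yubico. Placeholders: $CaConfig,
# $TemplateName and $Subject must be replaced with your own values.
param(
    [string]$CaConfig     = 'certificateauthority.domain.int\ISSUING-CA-PLACEHOLDER', # "host\CA common name"
    [string]$TemplateName = 'TemplateInternalNamePlaceholder',                        # the template's internal Name
    [string]$Subject      = '/CN=jdoe/'                                               # yubico-piv-tool slash form
)

# 1. Display name vs. internal name of every template published in the forest.
#    The value passed to certreq's CertificateTemplate attribute is the Name column.
function Get-TemplateNames {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
                 -Filter { objectClass -eq 'pKICertificateTemplate' } `
                 -Properties displayName |
        Select-Object Name, displayName
}

Get-TemplateNames | Format-Table -AutoSize

# 2. Generate a fresh RSA 2048 key pair in slot 9a (PIV Authentication) on the NEO.
#    -k with no value makes yubico-piv-tool prompt for the management key instead
#    of silently using the factory default.
yubico-piv-tool -a generate -s 9a -A RSA2048 -k -o pubkey.pem
if ($LASTEXITCODE -ne 0) { throw 'key generation failed' }

# 3. Build a CSR signed by the new key; the PIN is prompted for because -P is omitted.
yubico-piv-tool -a verify-pin -a request-certificate -s 9a -S $Subject -i pubkey.pem -o req.csr
if ($LASTEXITCODE -ne 0) { throw 'CSR generation failed' }

# 4. Submit the CSR to the issuing CA, naming the template by its internal Name.
#    certreq writes the issued certificate base64-encoded unless -binary is given.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$TemplateName" req.csr cert.cer
if ($LASTEXITCODE -ne 0) { throw 'enrollment failed: check that the template internal Name, not its displayName, was used' }

# 5. Import the issued certificate into slot 9a next to its private key.
yubico-piv-tool -a import-certificate -s 9a -k -i cert.cer
if ($LASTEXITCODE -ne 0) { throw 'certificate import failed' }

# 6. Confirm the slot now holds a certificate.
yubico-piv-tool -a status
```

Run it once as the enrolling user on the workstation with the NEO inserted; the management key and PIN are prompted for rather than passed on the command line so they do not land in the shell history. If the RSAT module is not available, `certutil -template` prints the same TemplatePropCommonName and TemplatePropFriendlyName pairs from the CA side.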