Yubico Forum

Hi all,

I'm using Yubikey NEO to store a custom personal SSL certificate in slot 9a. I use the certificate to authenticate against remote Windows machines for remote execution in PowerShell.

I have a PS workflow I'm working on and the usual behaviour is when I start the workflow, I get a popup dialogue asking me for the PIN and then the workflow carries on. The workflow does connect several times to the remote machine, but I used to get the PIN dialogue only once.

However, today I started getting the popup several times while the workflow is running. I tried reverting to yesterday's code, even though there were no changes that should affect this behaviour, with no luck.

I'm running Windows 10 Pro with the latest updates. I've tried rebooting the machine and using a different USB port.


EDIT: Minimal example to replicate the problem is to open a Powershell CIM session to a remote computer:

Running the last line for the first time pops up the PIN dialogue. Running the line again in the same Powershell window was not prompting for the PIN again. However, today I get the PIN dialogue every time - tested on two different Win10 Pro machines.

How could I determine what is causing the change in behaviour?

On a possibly unrelated note, PIN caching for my PGP keys works as expected.

Thank you,
Marko

Just a quick follow up: I've tried the same scenario on a Win 8.1 machine and PIN caching works as expected. It looks like Windows 10 broke something in the last update.

Hello Bozho,

Yes the latest Windows 10 Update KB4013418 is causing quite a few issues. you can read more at link below.
http://windowsreport.com/fix-windows-10-kb4013418-bugs/

Best Regards,
Matthew
Yubico Support

Hi Matthew,

It would appear that it's not KB4013418, but one of these two: KB3150513, KB4015438.

I managed to revert to an earlier restore point on one system and uninstall these two updates on another and certificate PIN caching now works fine.

Marko

Any news on this issue?

Uninstalling official Windows Updates can't be permanent solution for this issue ...

Chris

No, I didn't have time to chase this up with Microsoft... I'm holding off on applying Windows updates for now.

The latest cumulative update for Windows 10 (April 2017 / KB4015217) doesn't fix PIN caching issue.

So currently the only workaround is to not install March/April 2017 updates


On windowsreports.com they recommend to try a new and empty user profile. We're going to test that now.

PIN caching is still broken with creating a fresh user profile, too. This is effecting every developer that I know which uses Windows 10 currently. Win10 is requesting PIN on every single signing request, which for programming is a lot. For instance, running a git submodule update could pull 10+ packages all at once, every single one requesting PIN now.

My current work around: coding on Windows 10, but doing all git operations through a Windows 7 virtual machine.

I did some debugging on this issue but didn't find a solution.

- The issue was introduced by Windows Update KB3013429 (Released March 2017) which is included in every later cumulative Update.
- Removing any Windows Update 10 and installing KB3213986 (Released Jan 2017) fixes the issue, but is a security disaster.
- New Profile doesn't help
- Disabling PIN completly is not possible!?


I tried to install and configure OpenSC but either I did something wrong or it doesn't help.

I got an Yubico support response recommending to open a ticket with Microsoft.


Similar issue is mentioned on the web for others services including Citrix without solution:

https://answers.microsoft.com/en-us/windows/forum/windows_10-update/update-kb4013429-causing-another-problem-with-our/e3cb3a00-020e-45ec-a838-41f94a231557

http://discussions.citrix.com/topic/385836-receiver-smart-card-login-direct-to-storefront-broken-on-windows-10-after-kb4013429-update

Tested on the Creators update with the latest updates, still no luck (although I would expect security updates not to be tied to these "big" Windows feature updates)