Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 10:56 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 14 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Wed Mar 22, 2017 7:17 pm 
Offline

Joined: Wed Jul 22, 2015 2:11 pm
Posts: 11
Hi all,

I'm using Yubikey NEO to store a custom personal SSL certificate in slot 9a. I use the certificate to authenticate against remote Windows machines for remote execution in PowerShell.

I have a PS workflow I'm working on and the usual behaviour is when I start the workflow, I get a popup dialogue asking me for the PIN and then the workflow carries on. The workflow does connect several times to the remote machine, but I used to get the PIN dialogue only once.

However, today I started getting the popup several times while the workflow is running. I tried reverting to yesterday's code, even though there were no changes that should affect this behaviour, with no luck.

I'm running Windows 10 Pro with the latest updates. I've tried rebooting the machine and using a different USB port.


EDIT: Minimal example to replicate the problem is to open a Powershell CIM session to a remote computer:
Code:
$option = New-CimSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck -UseSsl
$cert = gi Cert:\CurrentUser\My\XXXXXXXXXXXXXXXXXXXXXXXX
$s = New-CimSession -ComputerName machine.example.com -CertificateThumbprint $cert.Thumbprint -SessionOption $option

Running the last line for the first time pops up the PIN dialogue. Running the line again in the same Powershell window was not prompting for the PIN again. However, today I get the PIN dialogue every time - tested on two different Win10 Pro machines.

How could I determine what is causing the change in behaviour?

On a possibly unrelated note, PIN caching for my PGP keys works as expected.

Thank you,
Marko


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Mar 23, 2017 11:35 am 
Offline

Joined: Wed Jul 22, 2015 2:11 pm
Posts: 11
Just a quick follow up: I've tried the same scenario on a Win 8.1 machine and PIN caching works as expected. It looks like Windows 10 broke something in the last update.


Top
 Profile  
Reply with quote  
PostPosted: Thu Mar 23, 2017 7:08 pm 
Offline
Yubico Moderator
Yubico Moderator

Joined: Tue Jan 05, 2016 5:03 pm
Posts: 27
Hello Bozho,

Yes the latest Windows 10 Update KB4013418 is causing quite a few issues. you can read more at link below.
http://windowsreport.com/fix-windows-10-kb4013418-bugs/

Best Regards,
Matthew
Yubico Support


Top
 Profile  
Reply with quote  
PostPosted: Thu Mar 23, 2017 11:14 pm 
Offline

Joined: Wed Jul 22, 2015 2:11 pm
Posts: 11
Hi Matthew,

It would appear that it's not KB4013418, but one of these two: KB3150513, KB4015438.

I managed to revert to an earlier restore point on one system and uninstall these two updates on another and certificate PIN caching now works fine.

Marko


Top
 Profile  
Reply with quote  
PostPosted: Mon Apr 03, 2017 5:09 pm 
Offline

Joined: Mon Apr 03, 2017 4:53 pm
Posts: 5
Any news on this issue?

Uninstalling official Windows Updates can't be permanent solution for this issue ...

Chris


Top
 Profile  
Reply with quote  
PostPosted: Wed Apr 05, 2017 3:42 pm 
Offline

Joined: Wed Jul 22, 2015 2:11 pm
Posts: 11
No, I didn't have time to chase this up with Microsoft... I'm holding off on applying Windows updates for now.


Top
 Profile  
Reply with quote  
PostPosted: Thu Apr 13, 2017 12:18 pm 
Offline

Joined: Mon Apr 03, 2017 4:53 pm
Posts: 5
The latest cumulative update for Windows 10 (April 2017 / KB4015217) doesn't fix PIN caching issue.

So currently the only workaround is to not install March/April 2017 updates :-(


On windowsreports.com they recommend to try a new and empty user profile. We're going to test that now.


Top
 Profile  
Reply with quote  
PostPosted: Tue May 02, 2017 5:53 pm 
Offline

Joined: Tue May 02, 2017 5:46 pm
Posts: 2
PIN caching is still broken with creating a fresh user profile, too. This is effecting every developer that I know which uses Windows 10 currently. Win10 is requesting PIN on every single signing request, which for programming is a lot. For instance, running a git submodule update could pull 10+ packages all at once, every single one requesting PIN now.

My current work around: coding on Windows 10, but doing all git operations through a Windows 7 virtual machine.


Top
 Profile  
Reply with quote  
PostPosted: Tue May 02, 2017 11:14 pm 
Offline

Joined: Mon Apr 03, 2017 4:53 pm
Posts: 5
I did some debugging on this issue but didn't find a solution.

- The issue was introduced by Windows Update KB3013429 (Released March 2017) which is included in every later cumulative Update.
- Removing any Windows Update 10 and installing KB3213986 (Released Jan 2017) fixes the issue, but is a security disaster.
- New Profile doesn't help
- Disabling PIN completly is not possible!?


I tried to install and configure OpenSC but either I did something wrong or it doesn't help.

I got an Yubico support response recommending to open a ticket with Microsoft.


Similar issue is mentioned on the web for others services including Citrix without solution:

Quote:
Before installing KB4013429 a client would be asked for their password just once when signing the soap request and each subsequent request to sign the soap request would not come up with a password box to reenter their credentials.
https://answers.microsoft.com/en-us/windows/forum/windows_10-update/update-kb4013429-causing-another-problem-with-our/e3cb3a00-020e-45ec-a838-41f94a231557

Quote:
The user enters the smart card PIN at the Receiver prompt but is returned back to the PIN prompt again without any failure message.
http://discussions.citrix.com/topic/385836-receiver-smart-card-login-direct-to-storefront-broken-on-windows-10-after-kb4013429-update


Top
 Profile  
Reply with quote  
PostPosted: Fri Jun 23, 2017 11:26 am 
Offline

Joined: Wed Jul 22, 2015 2:11 pm
Posts: 11
Tested on the Creators update with the latest updates, still no luck (although I would expect security updates not to be tied to these "big" Windows feature updates)


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 14 posts ]  Go to page 1, 2  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 7 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group