Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 10:12 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Fri Jan 19, 2018 4:51 pm 
Offline

Joined: Fri Jan 19, 2018 4:20 pm
Posts: 3
Earlier this month I purchased one YubiKey 4 for a proof of concept for OTP login using a 3rd party solution. In the interest of compatibility and simplicity we chose to back down to PIV. I followed the deployment instructions and in a matter of nearly no time my YubiKey 4 was doing PIV smartcard login on domain computers.

So I purchased the rest of the YubiKeys I needed for my users, implemented the Enroll on behalf of CA Template and that's when everything went completely sideways. Enroll on behalf of didn't seem to work at all, the template couldn't find the signature > no certificate on the YubiKey > cert enrollment failure on the CA. So I'm back to user self enrollment and I can get a certificate on a YubiKey. The PIV manager recognizes it, it's published in the Certificate Authority but any time I try to use it for login the endpoint says that "No valid certificates were found on this smart card."

My original YubiKey and cert still works flawlessly. Changing out YubiKeys yields the same results (failure). I changed the name of the original template and recreated a new one from scratch with the following settings:

General
Validity period is 2 years
Cert is published in AD
Compatibility
CA is Server 2016
Recipient is Windows 7
Request handling
Signature and encryption
Include symmetric algorithms allowed by the subject
Prompt user during enrollment
Cryptography
Note: italicized text refers to a configuration that has since been changed
Key Storage Provider
RSA
Key Size 2048
Requests must use Microsoft Smart Card Key Storage Provider

Legacy Cryptographic Service Provider
Algo determined by CSP
Requests must use Microsoft Enhanced Cryptographic Provider v1.0


Security
Authenticated users may read and enroll
Admins can read, write, and enroll

I'm happy to answer any questions (within the realm of reason).

Update: I replicated those template settings with a new, longer, unique name, made sure it was published to the CA and waited the 20 minutes. It still isn't working.


Last edited by RadiatorMints on Mon Jan 22, 2018 8:55 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Jan 22, 2018 8:20 pm 
Offline

Joined: Fri Jan 19, 2018 4:20 pm
Posts: 3
Found rev B which has auto-enrollment stuff in it.
https://www.yubico.com/wp-content/uploa ... 7_RevB.pdf
Actions taken today (1/22/2018):
Revoked all previous user certs except the one that works.
Reissued the root domain cert and verified through cert chains that it is being used.
Pushed all the auto-enrollment config via GPO and found it in the system tray. (Fails with a message about "Prohibited by Computer Policy" weather it's launched from the tray or certmgr)
Added a brand new PC to the domain and logged in via the one working YubiKey 4 on the first boot with no configuration other than previously configured GPOs.

EDIT: per the documentation under the Cryptography tab:
Provider Category is now Key Storage Provider
Algo is RSA, length is default: 2048
Provider is Microsoft Smart Card Key Storage Provider

What am I missing?


Top
 Profile  
Reply with quote  
PostPosted: Tue Jan 23, 2018 9:47 pm 
Offline
Yubico Moderator
Yubico Moderator

Joined: Fri Nov 17, 2017 11:35 pm
Posts: 1
For enroll on behalf of (EOBO) you also need to set the publish and enroll in the "Enrollment Agent" template as covered in the Smart Card Deployment Guide.

Regarding your issue with self-enrollment, please open a support ticket for further troubleshooting. https://www.yubico.com/support/get-support/


Top
 Profile  
Reply with quote  
PostPosted: Tue Jan 23, 2018 10:02 pm 
Offline

Joined: Fri Jan 19, 2018 4:20 pm
Posts: 3
JamesA wrote:
For enroll on behalf of (EOBO) you also need to set the publish and enroll in the "Enrollment Agent" template as covered in the Smart Card Deployment Guide.

Regarding your issue with self-enrollment, please open a support ticket for further troubleshooting. https://www.yubico.com/support/get-support/


The Enrollment Agent template was also published. I was able to pull the cert and get almost all the way through enrollment before it failed due to policy.

Today I extinguished all doubt by troubleshooting the entire PKI stack with this guide:
https://blogs.technet.microsoft.com/ask ... e-snap-in/

I ran RSOP.msc to see if there were any conflicts with GPOs but everything was configured the way I expected.
I was still getting the 'blocked by computer policy' error so I disabled all of my computer GPOs and self enrollment worked. By turning things back on one at a time I determined that my Yubikey GPO was to blame. I believe it's one or both of my registry edits:

BlockPUKOnMGMUpgrade
or
NewKeyTouchPolicy

What I'm working backwards to understand is how the YubiKeys were getting the certificate installed in 9a -only with the PIV Manager- but weren't able to authenticate.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group