Yubico Forum https://forum.yubico.com/ |
|
[QUESTION] PIN caching for SSL certificates https://forum.yubico.com/viewtopic.php?f=26&t=2609 |
Page 1 of 2 |
Author: | bozho [ Wed Mar 22, 2017 7:17 pm ] |
Post subject: | [QUESTION] PIN caching for SSL certificates |
Hi all, I'm using Yubikey NEO to store a custom personal SSL certificate in slot 9a. I use the certificate to authenticate against remote Windows machines for remote execution in PowerShell. I have a PS workflow I'm working on and the usual behaviour is when I start the workflow, I get a popup dialogue asking me for the PIN and then the workflow carries on. The workflow does connect several times to the remote machine, but I used to get the PIN dialogue only once. However, today I started getting the popup several times while the workflow is running. I tried reverting to yesterday's code, even though there were no changes that should affect this behaviour, with no luck. I'm running Windows 10 Pro with the latest updates. I've tried rebooting the machine and using a different USB port. EDIT: Minimal example to replicate the problem is to open a Powershell CIM session to a remote computer: Code: $option = New-CimSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck -UseSsl $cert = gi Cert:\CurrentUser\My\XXXXXXXXXXXXXXXXXXXXXXXX $s = New-CimSession -ComputerName machine.example.com -CertificateThumbprint $cert.Thumbprint -SessionOption $option Running the last line for the first time pops up the PIN dialogue. Running the line again in the same Powershell window was not prompting for the PIN again. However, today I get the PIN dialogue every time - tested on two different Win10 Pro machines. How could I determine what is causing the change in behaviour? On a possibly unrelated note, PIN caching for my PGP keys works as expected. Thank you, Marko |
Author: | bozho [ Thu Mar 23, 2017 11:35 am ] |
Post subject: | Re: [QUESTION] PIN caching for SSL certificates |
Just a quick follow up: I've tried the same scenario on a Win 8.1 machine and PIN caching works as expected. It looks like Windows 10 broke something in the last update. |
Author: | mattlegitt [ Thu Mar 23, 2017 7:08 pm ] |
Post subject: | Re: [QUESTION] PIN caching for SSL certificates |
Hello Bozho, Yes the latest Windows 10 Update KB4013418 is causing quite a few issues. you can read more at link below. http://windowsreport.com/fix-windows-10-kb4013418-bugs/ Best Regards, Matthew Yubico Support |
Author: | bozho [ Thu Mar 23, 2017 11:14 pm ] |
Post subject: | Re: [QUESTION] PIN caching for SSL certificates |
Hi Matthew, It would appear that it's not KB4013418, but one of these two: KB3150513, KB4015438. I managed to revert to an earlier restore point on one system and uninstall these two updates on another and certificate PIN caching now works fine. Marko |
Author: | Chris77 [ Mon Apr 03, 2017 5:09 pm ] |
Post subject: | Re: [QUESTION] PIN caching for SSL certificates |
Any news on this issue? Uninstalling official Windows Updates can't be permanent solution for this issue ... Chris |
Author: | bozho [ Wed Apr 05, 2017 3:42 pm ] |
Post subject: | Re: [QUESTION] PIN caching for SSL certificates |
No, I didn't have time to chase this up with Microsoft... I'm holding off on applying Windows updates for now. |
Author: | Chris77 [ Thu Apr 13, 2017 12:18 pm ] |
Post subject: | Re: [QUESTION] PIN caching for SSL certificates |
The latest cumulative update for Windows 10 (April 2017 / KB4015217) doesn't fix PIN caching issue. So currently the only workaround is to not install March/April 2017 updates On windowsreports.com they recommend to try a new and empty user profile. We're going to test that now. |
Author: | DarkainMX [ Tue May 02, 2017 5:53 pm ] |
Post subject: | Re: [QUESTION] PIN caching for SSL certificates |
PIN caching is still broken with creating a fresh user profile, too. This is effecting every developer that I know which uses Windows 10 currently. Win10 is requesting PIN on every single signing request, which for programming is a lot. For instance, running a git submodule update could pull 10+ packages all at once, every single one requesting PIN now. My current work around: coding on Windows 10, but doing all git operations through a Windows 7 virtual machine. |
Author: | Chris77 [ Tue May 02, 2017 11:14 pm ] |
Post subject: | Re: [QUESTION] PIN caching for SSL certificates |
I did some debugging on this issue but didn't find a solution. - The issue was introduced by Windows Update KB3013429 (Released March 2017) which is included in every later cumulative Update. - Removing any Windows Update 10 and installing KB3213986 (Released Jan 2017) fixes the issue, but is a security disaster. - New Profile doesn't help - Disabling PIN completly is not possible!? I tried to install and configure OpenSC but either I did something wrong or it doesn't help. I got an Yubico support response recommending to open a ticket with Microsoft. Similar issue is mentioned on the web for others services including Citrix without solution: Quote: Before installing KB4013429 a client would be asked for their password just once when signing the soap request and each subsequent request to sign the soap request would not come up with a password box to reenter their credentials. https://answers.microsoft.com/en-us/windows/forum/windows_10-update/update-kb4013429-causing-another-problem-with-our/e3cb3a00-020e-45ec-a838-41f94a231557Quote: The user enters the smart card PIN at the Receiver prompt but is returned back to the PIN prompt again without any failure message. http://discussions.citrix.com/topic/385836-receiver-smart-card-login-direct-to-storefront-broken-on-windows-10-after-kb4013429-update
|
Author: | bozho [ Fri Jun 23, 2017 11:26 am ] |
Post subject: | Re: [QUESTION] PIN caching for SSL certificates |
Tested on the Creators update with the latest updates, still no luck (although I would expect security updates not to be tied to these "big" Windows feature updates) |
Page 1 of 2 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |