Yubico Forum
https://forum.yubico.com/

[QUESTION] PIN caching for SSL certificates
https://forum.yubico.com/viewtopic.php?f=26&t=2609
Page 2 of 2

Author:  DarkainMX [ Fri Oct 13, 2017 6:48 pm ]
Post subject:  Re: [QUESTION] PIN caching for SSL certificates

IT'S FIXED!!! It is finally freakin' fixed!

Windows Update ran this week. Not sure specifically which update was applied. But when I went to open a PuTTY session today, I noticed that the PIN key window was behaving normally (it popped up and took focus, rather than opening behind all other windows). So I gave it a try a second time, and PuTTY authenticated without asking for another prompt.

That only took... what... 7 months to fix!? Thanks Microsoft :P


UPDATE: It is KB4041676
https://support.microsoft.com/en-us/hel ... -kb4041676

Quote:
Addressed issue where Personal Identity Verification (PIV) smart card PINs are not cached on a per-application basis. This caused users to see the PIN prompt multiple times in a short time period; normally, the PIN prompt only displays once.

Author:  Chris77 [ Wed Oct 18, 2017 9:08 am ]
Post subject:  Re: [QUESTION] PIN caching for SSL certificates

I can confirm that it has been fixed. Finally!

Author:  bozho [ Wed Oct 18, 2017 7:47 pm ]
Post subject:  Re: [QUESTION] PIN caching for SSL certificates

Well, it may have been fixed, but I can't test it as it actually stopped working for me.

I haven't tried remoting in a few weeks now and I was setting up a new machine. Today I went to test it and I can't get Windows to behave with my Yubikey.

So, nothing has changed with the Yubikey - it still has the same self-signed cert in the authentication slot. At first, I thought it's the new machine, but I've just checked with the old machine where this used to work and I get the same result.

In short, on the machine where it used to work, I performed these steps:
1. Delete the cert from Cert:\CurrentUser\My\ (it was there previously).
2. Plug in Yubikey - the certificate appears in the store.
3. Run the code from my original post - get the message along the lines "The smart card cannot perform this action.. ". I didn't get the entire message, because I can't repeat it (read on :)
4. Unplug Yubikey and delete the certificate again.
5. Plug in Yubikey - the certificate does not reappear in the certificate store. Rebooting doesn't help, cussing at it doesn't help.


I can't get it to work on the new machine, either (both machines run Win10 Pro with latest updates).

If I import the certificate from the PFX file and not use Yubikey, everything works as expected.

Is there something I need to do with Yubikey?

Author:  bozho [ Thu Oct 19, 2017 10:18 am ]
Post subject:  Re: [QUESTION] PIN caching for SSL certificates

Ah, this seems to be the cause: https://forum.yubico.com/viewtopic.php?f=26&t=2739

All times are UTC + 1 hour