Yubico Forum
https://forum.yubico.com/

[SOLVED] Cannot configure Y4s for challenge-response
https://forum.yubico.com/viewtopic.php?f=35&t=2385		 Page 1 of 1
Author:  peteywheatstraw [ Thu Aug 04, 2016 3:12 am ]
Post subject:  [SOLVED] Cannot configure Y4s for challenge-response
I bought 3 Y4s from Yubico via Amazon to use with Password Safe. I'm following these instructions to configure Challenge-Response using HMAC-SHA1. I'm on Windows 10 build 10.0.10586 (have not yet installed the Anniversary Update) logged in as an Administrator. Firmware on all 3 keys is 4.3.1.

The Problem:
  • The personalization tool reports that the YubiKey has been successfully configured, but following this, all 3 YubiKeys fail the Challenge-Response Tester with the message:
    Quote:
    Challenge response could not be performed. Perhaps the YubiKey is not configured for challenge response?
  • The YubiKeys also do not output anything to notepad when I press the gold button.
  • Password Safe does not detect the YubiKey.

Troubleshooting steps I've tried so far:
  1. Different USB ports / different machines: This issue occurs on all the USB ports on the machine as well as on another machine.
  2. I have followed the steps here (removing entries from the device manager, updating Intel drivers, etc.) on both machines with no improvements although I stopped short at reinstalling the entire OS since these are clean installs from about a week ago.
  3. I tried configuring the YubiKey for OTP challenge-response, same problem.
  4. I configured the YubiKey to emit a static password like "test123" and verified that it will output this to Notepad.

Misc. notes:
  • When I first plug in the devices, the "y" on the button lights up, but then subsequently goes out. It does not light up when I press the button.
  • My existing Yubikey (a few years old) running firmware version 2.4.2 functions perfectly on this system.

Does anyone have any ideas? Is it possible I simply got a bad batch of keys and should exchange them?
Thanks in advance for any help!
Author:  ChrisHalos [ Thu Aug 04, 2016 6:16 am ]
Post subject:  Re: [HELP] Cannot configure Y4s for challenge-response
Can you post a screenshot of the Personalization Tool (you can obscure the serial number if you want)? Also, a screenshot of Devices and Printers? Any unusual entries in Device Manager? How about the Password Safe version?

If you have Google Chrome installed, can you also run the U2F test at demo.yubico.com/u2f, and confirm if:

(1) the LED starts blinking, and if so
(2) tapping the button results in a successful U2F action, or if the LED continues to flash

I'm using a 4.3.1 YubiKey 4 on a Windows 7 and a Windows 10 laptop primarily, and I haven't seen any strange issues on it.

Older versions of Password Safe won't recognize the U2F enabled YubiKeys, so you would either have to disable U2F mode, or update Password Safe (I'm assuming you're up-to-date since this is a new install, but just checking). We also saw very strange issues on an earlier build of Windows 10, but we are having good luck with the version you're on (1511).

I assume you programmed the Challenge-Response credential to Slot 2, with "require user input" selected? And also used the Challenge-Response tested with Slot 2 / HMAC-SHA1?
Author:  peteywheatstraw [ Thu Aug 04, 2016 6:54 pm ]
Post subject:  Re: [HELP] Cannot configure Y4s for challenge-response
Issue is solved, turned out to be 2 simple PEBKEC issues:
  1. When I did my clean installs I simply reinstalled all of my programs from a thumb drive, including an old version of Password Safe, assuming that they would update themselves on first run; however, PS is not self-updating (user has to go to Help->About a click a link to get it to check for updates or simply stay on top of PS news).
  2. I realized that the Challenge-Response Tester requires you to touch the gold button on the YubiKey during testing in order to supply the response.

So, I can report that the YubiKeys functioned normally in all tests, and that they work fine in the current version of Password Safe, which as of this post is V3.39.01.

Two remaining questions:
  • You mentioned using Slot 2 -- is there a reason to use this instead of Slot 1 for this application?
  • When I created the new Password Safe, PS reported that the Yubikey was not "initialized" but Google turns up zero meaningful results about "Yubikey initialization." Any idea what this means?

In any case, thank you very much for your help!
Author:  ChrisHalos [ Fri Aug 05, 2016 1:05 am ]
Post subject:  Re: [SOLVED] Cannot configure Y4s for challenge-response
Awesome!

Q1 - Yubico OTP is programmed by default on every YubiKey, so slot 2 is always blank when you receive a new YubiKey. That's why we've always done Challenge-Response in slot 2. I know the Windows Login Tool doesn't allow using a different slot for it. I think Password Safe and KeePass both might, but I could be misremembering.

Q2 - Could you load a screenshot to imgur or somewhere? I'm not sure I've seen this before. I assume you already finished registering? (https://www.yubico.com/why-yubico/for-i ... word-safe/)
Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/