Yubico Forum
https://forum.yubico.com/

windows 10 1703 minidriver update breaks PIV
https://forum.yubico.com/viewtopic.php?f=26&t=2739
Page 1 of 4

Author:  gpacifico [ Tue Oct 03, 2017 8:54 am ]
Post subject:  windows 10 1703 minidriver update breaks PIV

Hello,
On Windows 10 CU (Creators Update) 1703, an auto update of the smart card minidriver has replaced the "Identity Device (NIST SP 800-73 [PIV])" with a "Yubikey smart card", breaking the smart card PIV functionality.
I'm using putty-cac and the CAPI cert import is broken too.
The driver is on MS update catalog https://goo.gl/wZ1FNs. I've been trying to uninstall the update and use the yubikey, but it's not a solution.
Any suggestions?

Thanks in advance

Author:  mattlegitt [ Fri Oct 06, 2017 5:12 am ]
Post subject:  Re: windows 10 1703 minidriver update breaks PIV

Hello gpacifico,

With the YubiKey Smart Card driver, we've added increased functionality of the YubiKey within Windows. Some of the new features are importing Smart Card certificates via the built-in Certificates MMC console, as well as the ability to manage the device PIN via Windows. Here are a few steps you can try:
(1) Check you have the latest version of PuTTY-CAC (https://github.com/NoMoreFood/putty-cac/releases).
(2) Update your saved Session under CAPI and reselect your certificate.
(3) Open Device Manager >> View >> Show hidden devices >> expand Smart cards >> Identity Device (NIST SP 800-73 [PIV]) >> right click >> Uninstall device.

Best Regards,
Matthew
Yubico Support

Author:  modelnine [ Fri Oct 06, 2017 10:48 am ]
Post subject:  Re: windows 10 1703 minidriver update breaks PIV

mattlegitt wrote:
With the YubiKey Smart Card driver, we've added increased functionality of the YubiKey within Windows. Some of the new features are importing Smart Card certificates via the built-in Certificates MMC console, as well as the ability to manage the device PIN via Windows. Here are a few steps you can try:
(1) Check you have the latest version of PuTTY-CAC (https://github.com/NoMoreFood/putty-cac/releases).
(2) Update your saved Session under CAPI and reselect your certificate.
(3) Open Device Manager >> View >> Show hidden devices >> expand Smart cards >> Identity Device (NIST SP 800-73 [PIV]) >> right click >> Uninstall device.


Hello Matthew,

I am sorry to say that neither do I have a NIST-identity device after the driver update which I can uninstall, nor can Windows and/or the Certificates MMC console access the certificate on the token after the driver has been updated to be the "Yubikey Smart Card". Uninstalling the Yubico driver and letting Windows rediscover the USB device also does not allow access to the PIV storage on the token anymore, even though the device reappears as a NIST-PIV-Device. Is there anything we can do to help you diagnose the problem here, as it is severely affecting my ability to use the Yubikey-Token as 2F for SSL-Cert-Auth for websites, i.e. breaks it completely?

Author:  alexxx [ Fri Oct 06, 2017 10:12 pm ]
Post subject:  Re: windows 10 1703 minidriver update breaks PIV

I have the same problem. Authentication with PuttyCAC (CAPI) fails with "smart card cannot perform the requested operation". New certificates created in PIV manager are not added to the certificate store. I had to reconfigure PuttyCAC to use the OpenSC PKCS11 plugin as a workaround, but it looks like the new driver broke CAPI support completely.

Author:  mattlegitt [ Fri Oct 06, 2017 10:17 pm ]
Post subject:  Re: windows 10 1703 minidriver update breaks PIV

Hello modelnine,

Can you open a support ticket so we can assist you further?

https://www.yubico.com/support/get-support/

Best Regards,
Matthew
Yubico Support

Author:  modelnine [ Mon Oct 09, 2017 4:32 pm ]
Post subject:  Re: windows 10 1703 minidriver update breaks PIV

mattlegitt wrote:
Can you open a support ticket so we can assist you further?


Hello Matthew,

I've opened a ticket and am eagerly awaiting the reply, but really urge you to pull the driver update for now, as it seems to be breaking the Windows Crypto API access to the YubiKey PIV application completely (at least in some environments, possibly related to locale? I'm German), and there's no way to work around this once the updated driver has been installed. For many applications, it's simply not possible to switch to OpenSC or similar, so I'm now locked out of services due to the YubiKey not being usable for SSL-client-cert-auth anymore.

Thank you for prioritizing this, and hope to hear from you soon!

Author:  SADev [ Thu Oct 12, 2017 6:20 pm ]
Post subject:  Re: windows 10 1703 minidriver update breaks PIV

I am also having an issue with PIV login against AD since applying the update.

Uninstalling the Yubikey Smart Card driver and setting the smart card driver to the NIST one still doesn't seem to fix it on Windows 10.

Edit: Not sure if this is relevant, but passing the smart card over an RDP session has the card working in that session.

Author:  mainpony [ Fri Oct 13, 2017 5:46 pm ]
Post subject:  Re: windows 10 1703 minidriver update breaks PIV

Spent five hours fighting this problem before encountering this thread. Same issue with Yubikey 4 on Windows 10, everything was working yesterday, all certs gone (in Windows's opinion) today. certutil -scinfo and certutil -scdump show the card as empty, no amount of reinstalling devices, rolling back drivers or clearing caches seems to help. Seems like the Smart Card CSP has cached the card's (broken) contents in some completely undocumented location.

Another Windows 10 machine (usually not turned on) still works fine, and yubico-piv-tool shows certs present, so this appears to be a Windows-side problem. Support ticket opened now.

edit: Yubico support replied that a Microsoft update related to the recent Infineon TPM bug is the cause and that they are "working with Microsoft." (data point: the Windows 10 machine where PIV broke has a vulnerable TPM, but the one that's still working has no TPM.)

Author:  Sas [ Mon Oct 16, 2017 6:56 pm ]
Post subject:  Re: windows 10 1703 minidriver update breaks PIV

We are experiencing the exact same problem with Yubikey 4 devices that were provisioned using piv-tools. After Windows 10 automatically updated drivers, it no longer sees the Certificate on the Yubikeys anymore.
Uninstalling the driver from "Device Manager" AND "Programs and Features" makes the card work again.
We are in big trouble, as we just performed a mass deployment of the Yubikey PIV based authentication.

Yubico, any way to revoke this driver from automatic Windows Update?

Author:  mainpony [ Mon Oct 16, 2017 9:17 pm ]
Post subject:  Re: windows 10 1703 minidriver update breaks PIV

I tried uninstalling from both and got somewhat different errors, though still no functionality. Maybe reboot/set-chuid would help, but with the broken driver being pushed from Windows Update messing with this is a bit dispiriting. (Since I had archived keys I just imported them onto a VSC as a stopgap measure.)

The nasty thing is that Yubico is probably up to their necks (at minimum) in shit at the moment with the Infineon catastrophe unfolding, so who knows when there will be fixes…

All times are UTC + 1 hour