Yubico Forum https://forum.yubico.com/ |
|
PIV-auth not working on Win10 in domain (all other OS fine) https://forum.yubico.com/viewtopic.php?f=35&t=2502 |
Page 1 of 1 |
Author: | donald24 [ Tue Dec 13, 2016 11:42 pm ] |
Post subject: | PIV-auth not working on Win10 in domain (all other OS fine) |
Hi there, I have a serious hard time getting my Yubikey run as an auth device on my Win10 boxes. I setup everything in the PKI as it should, loaded the user key in the Yubikey and every logon (Win2012R2/Win8/Win7) works unless doing it from Win10. I can really sort things out like drivers because logging in from Win10 with RDP to any other device per smartcard works flawlessly. The only message, I am getting on the Win10 (x64, patched up to date), when signing in per Yubikey is: "Your smart card could not be used. Please contact.. blah" Eventviewer logs an error ONCE the device boots up in the app-events: Source: Smart Card Logon, Eventi-ID 7: Error signing a message with the plugged in smart card. An unexpected error has happened. This happens on two independent machines. I am lost now. Google seems not to find anything. Please help! Greetings! Don |
Author: | dnbrown [ Wed Dec 14, 2016 8:47 pm ] |
Post subject: | Re: PIV-auth not working on Win10 in domain (all other OS fi |
Donald, Sorry that you are having trouble with getting PIV to work on Win10. I am running a PIV Win10 environment without those issues. Looking through the forums I appears you are not the only one having the issue. One poster even said Yubico support is aware of a Microsoft issue that is causing this. I wish they would post and bring some light to this situation, or assist in figuring out why some are working fine and others aren't. Let me know if there is anything I can check in my environment to assist you. Danny |
Author: | DavidJW [ Mon Jan 09, 2017 2:35 am ] |
Post subject: | Re: PIV-auth not working on Win10 in domain (all other OS fi |
Danny, et all. I have the same issue as Donald reports. (i.e 'instant fail'). Error code 7 and Warning 623. Devices that fail are all Win10 Enterprise (x64), Version 1607, OS Build 14394.576. Fails (ethernet) network attached (same switch, vlan and subnet as the servers) , DirectAccess and (since no cache) offline. Works ok on Server 2012 R2 / Server 2016, console and RDP. YubiKey 4 set up and deployed as per the pdfs. Was enrolled using PIV manager (user self service) on the same machine. The DC / CA Servers sit on W2012 R2, fully patched. Things I plan to try this week: Test against other keys the PIV Manger can generate Test on earlier W10 builds (1511 and the original edition, 1507?) - not that I can roll back the production network but at least it helps isolate. Test on W8 and or 8.1 machines Any thoughts or hints are welcome. thanks, David |
Author: | DavidJW [ Fri Jan 13, 2017 9:49 am ] |
Post subject: | Re: PIV-auth not working on Win10 in domain (all other OS fi |
Further to my last, no further on. Changing the key type (within the confines of the minimum key size as described by the template) has no effect. Test on an first install and fully patched W10 1511 machine does not allow logins or unlocks W8.1 works as expected Unlocking a W2012 R2 Server or W2016 server fails over RDP, login works. All errors from the above are still Error 7. Whilst this may not be Yubikey's fault (they have no way to control changes Microsoft make) my immediate concern is the lack of comment. PIV/ Smartcard unlock is an advertised feature and whilst there are a number of moving parts (certificates etc etc) I am not seeing these errors with another test smart-card solution. Two reasons I am still investigating this a) the USB form factor is better, given our users are all supplied with laptops b) Others have reported they have a working set up. Out of ideas. David |
Author: | ulflundh [ Thu Jan 26, 2017 8:23 pm ] |
Post subject: | Re: PIV-auth not working on Win10 in domain (all other OS fi |
Yeah, have the same issues myself. Error Event ID 7. |
Author: | ulflundh [ Fri Jan 27, 2017 12:22 pm ] |
Post subject: | Re: PIV-auth not working on Win10 in domain (all other OS fi |
This is now working in Windows 10 build 15002 and later. Confirmed with a Yubikey 4. My findings with Windows 10 builds; 14393 (1607 stable):Not working , error 7 14986 (Insider Preview Slow ring):Not working, error 7 15002(Insider Preview Fast ring):Working!! |
Author: | DavidJW [ Fri Feb 17, 2017 3:53 pm ] |
Post subject: | Re: PIV-auth not working on Win10 in domain (all other OS fi |
Now confirmed working on Anniversary Update, fully patched (14393) as of today with a Microsoft HotPatch - KB3216755 As per the Yubikey quote from The Register article here: http://www.theregister.co.uk/2017/02/16/win10_anniversary_borks_smartcards/ Yubico "We have confirmation from Microsoft that a hotfix has been released on the Windows Update Catalog that should solve the Windows 10 smart card login issue with the YubiKey. We do not have a timeframe when this will be available as an automatic Windows Update but it is available for a manual download and installation. We’ve done testing in our lab environment and found this has indeed solved the issue." Link to the patch on Microsoft's catalogue is about halfway down the Registers article. David |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |