Yubico Forum https://forum.yubico.com/

YubiKey 4 for PIV stopped working https://forum.yubico.com/viewtopic.php?f=23&t=2828
Author: RadiatorMints [ Fri Jan 19, 2018 4:51 pm ]
Post subject: YubiKey 4 for PIV stopped working
Earlier this month I purchased one YubiKey 4 for a proof of concept for OTP login using a 3rd party solution. In the interest of compatibility and simplicity we chose to back down to PIV. I followed the deployment instructions and in a matter of nearly no time my YubiKey 4 was doing PIV smartcard login on domain computers. So I purchased the rest of the YubiKeys I needed for my users, implemented the Enroll on behalf of CA Template and that's when everything went completely sideways. Enroll on behalf of didn't seem to work at all: the template couldn't find the signature > no certificate on the YubiKey > cert enrollment failure on the CA. So I'm back to user self enrollment and I can get a certificate on a YubiKey. The PIV manager recognizes it, it's published in the Certificate Authority, but any time I try to use it for login the endpoint says that "No valid certificates were found on this smart card." My original YubiKey and cert still works flawlessly. Changing out YubiKeys yields the same results (failure).

I changed the name of the original template and recreated a new one from scratch with the following settings:

General
    Validity period is 2 years
    Cert is published in AD
Compatibility
    CA is Server 2016
    Recipient is Windows 7
Request handling
    Signature and encryption
    Include symmetric algorithms allowed by the subject
    Prompt user during enrollment
Cryptography (Note: italicized text refers to a configuration that has since been changed)
    Key Storage Provider
    RSA
    Key Size 2048
    Requests must use Microsoft Smart Card Key Storage Provider
    Legacy Cryptographic Service Provider
    Algo determined by CSP
    Requests must use Microsoft Enhanced Cryptographic Provider v1.0
Security
    Authenticated users may read and enroll
    Admins can read, write, and enroll

I'm happy to answer any questions (within the realm of reason).

Update: I replicated those template settings with a new, longer, unique name, made sure it was published to the CA and waited the 20 minutes. It still isn't working.
Author: RadiatorMints [ Mon Jan 22, 2018 8:20 pm ]
Post subject: Re: YubiKey 4 for PIV stopped working
Found rev B which has auto-enrollment stuff in it. https://www.yubico.com/wp-content/uploa ... 7_RevB.pdf

Actions taken today (1/22/2018):
    Revoked all previous user certs except the one that works.
    Reissued the root domain cert and verified through cert chains that it is being used.
    Pushed all the auto-enrollment config via GPO and found it in the system tray. (Fails with a message about "Prohibited by Computer Policy" whether it's launched from the tray or certmgr.)
    Added a brand new PC to the domain and logged in via the one working YubiKey 4 on the first boot with no configuration other than previously configured GPOs.

EDIT: per the documentation, under the Cryptography tab:
    Provider Category is now Key Storage Provider
    Algo is RSA, length is default: 2048
    Provider is Microsoft Smart Card Key Storage Provider

What am I missing?
Author: JamesA [ Tue Jan 23, 2018 9:47 pm ]
Post subject: Re: YubiKey 4 for PIV stopped working
For enroll on behalf of (EOBO) you also need to set the publish and enroll in the "Enrollment Agent" template as covered in the Smart Card Deployment Guide. Regarding your issue with self-enrollment, please open a support ticket for further troubleshooting. https://www.yubico.com/support/get-support/
Author: RadiatorMints [ Tue Jan 23, 2018 10:02 pm ]
Post subject: Re: YubiKey 4 for PIV stopped working
JamesA wrote:
    For enroll on behalf of (EOBO) you also need to set the publish and enroll in the "Enrollment Agent" template as covered in the Smart Card Deployment Guide. Regarding your issue with self-enrollment, please open a support ticket for further troubleshooting. https://www.yubico.com/support/get-support/

The Enrollment Agent template was also published. I was able to pull the cert and get almost all the way through enrollment before it failed due to policy.

Today I extinguished all doubt by troubleshooting the entire PKI stack with this guide: https://blogs.technet.microsoft.com/ask ... e-snap-in/

I ran RSOP.msc to see if there were any conflicts with GPOs but everything was configured the way I expected. I was still getting the 'blocked by computer policy' error, so I disabled all of my computer GPOs and self enrollment worked. By turning things back on one at a time I determined that my Yubikey GPO was to blame. I believe it's one or both of my registry edits: BlockPUKOnMGMUpgrade or NewKeyTouchPolicy.

What I'm working backwards to understand is how the YubiKeys were getting the certificate installed in 9a (only with the PIV Manager) but weren't able to authenticate.
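The symptom described across this thread ("No valid certificates were found on this smart card" even though the PIV Manager and the CA both show the certificate) usually comes down to what Windows smart card logon actually checks on the certificate in slot 9a: the Smart Card Logon EKU, a UPN in the Subject Alternative Name, a key held by the Microsoft Smart Card Key Storage Provider, and a chain that builds to a trusted CA. The following PowerShell script is an added diagnostic written for this post, not code from the thread or from Yubico; it walks the current user's personal store, reports those properties for every certificate that has a private key, and then reads the two minidriver registry values the poster suspects (BlockPUKOnMGMUpgrade and NewKeyTouchPolicy). The registry path $YkmdKey is an assumption and is marked as a placeholder in the code; it must be confirmed against the Yubico minidriver documentation before the result is trusted. Assumes Windows PowerShell 5.1 on a domain-joined client with the YubiKey inserted.

```powershell
# Added diagnostic for smart card logon certificates; not from the thread or from Yubico.
# Assumes Windows PowerShell 5.1 and an inserted YubiKey. $YkmdKey below is an ASSUMED path.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # TLS client authentication EKU
$TemplateV2Oid     = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information (v2+ templates)
$TemplateV1Oid     = '1.3.6.1.4.1.311.20.2'     # Certificate Template Name (v1 templates)
$SanOid            = '2.5.29.17'                # Subject Alternative Name

function Test-SmartCardLogonCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # EKU OIDs present on the certificate (EnhancedKeyUsageList is a PowerShell ETS property).
    $ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    # Formatted SAN text; a UPN shows up as "Other Name:Principal Name=user@domain".
    $san = @($Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } |
             ForEach-Object { $_.Format($false) })

    # Which CA template issued this certificate (helps confirm the renamed template was used).
    $tpl = @($Cert.Extensions |
             Where-Object { $_.Oid.Value -in @($TemplateV2Oid, $TemplateV1Oid) } |
             ForEach-Object { $_.Format($false) }) -join '; '

    # Best effort: name the KSP/CSP that holds the private key. Opening the key needs the card present.
    $provider = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $provider = $rsa.Key.Provider.Provider }
        elseif ($rsa -ne $null) { $provider = $rsa.GetType().Name }
    } catch {
        $provider = "unavailable: $($_.Exception.Message)"
    }

    # Build the chain with online revocation checking, the way logon validation would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($Cert)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $pub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)

    [pscustomobject]@{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        NotAfter        = $Cert.NotAfter
        Template        = $tpl
        Provider        = $provider
        RsaKeySize      = if ($pub) { $pub.KeySize } else { $null }
        HasSmartCardEku = ($ekus -contains $SmartCardLogonEku)
        HasClientAuth   = ($ekus -contains $ClientAuthEku)
        HasUpnInSan     = [bool]($san -match 'Principal Name')
        ChainValid      = $chainOk
        ChainStatus     = $chainStatus
    }
}

# Report every certificate in the user's personal store that has a private key.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-SmartCardLogonCert -Cert $_ } |
    Format-List

# Minidriver policy values named in the thread. The key path is an ASSUMED placeholder:
# verify it against the Yubico Smart Card Minidriver documentation before relying on it.
$YkmdKey = 'HKLM:\SOFTWARE\Yubico\ykmd'
if (Test-Path $YkmdKey) {
    Get-ItemProperty -Path $YkmdKey | Select-Object BlockPUKOnMGMUpgrade, NewKeyTouchPolicy
} else {
    "Minidriver policy key not found at $YkmdKey (path is an assumption; check the docs)"
}
```

Run it on the failing endpoint with the YubiKey inserted and compare the output for the working key against a non-working one: a certificate whose HasSmartCardEku, HasUpnInSan or ChainValid differs between the two, or whose Provider is not the Microsoft Smart Card Key Storage Provider, is the first thing to look at. Built-in `certutil -scinfo` is a useful cross-check, since it enumerates the certificates and keys the minidriver exposes from the card itself rather than from the Windows certificate store.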
All times are UTC + 1 hour