Yubico Forum

Earlier this month I purchased one YubiKey 4 for a proof of concept for OTP login using a 3rd party solution. In the interest of compatibility and simplicity we chose to back down to PIV. I followed the deployment instructions and in a matter of nearly no time my YubiKey 4 was doing PIV smartcard login on domain computers.

So I purchased the rest of the YubiKeys I needed for my users, implemented the Enroll on behalf of CA Template and that's when everything went completely sideways. Enroll on behalf of didn't seem to work at all, the template couldn't find the signature > no certificate on the YubiKey > cert enrollment failure on the CA. So I'm back to user self enrollment and I can get a certificate on a YubiKey. The PIV manager recognizes it, it's published in the Certificate Authority but any time I try to use it for login the endpoint says that "No valid certificates were found on this smart card."

My original YubiKey and cert still works flawlessly. Changing out YubiKeys yields the same results (failure). I changed the name of the original template and recreated a new one from scratch with the following settings:

General
Validity period is 2 years
Cert is published in AD
Compatibility
CA is Server 2016
Recipient is Windows 7
Request handling
Signature and encryption
Include symmetric algorithms allowed by the subject
Prompt user during enrollment
Cryptography
Note: italicized text refers to a configuration that has since been changed
Key Storage Provider
RSA
Key Size 2048
Requests must use Microsoft Smart Card Key Storage Provider

Legacy Cryptographic Service Provider
Algo determined by CSP
Requests must use Microsoft Enhanced Cryptographic Provider v1.0

Security
Authenticated users may read and enroll
Admins can read, write, and enroll

I'm happy to answer any questions (within the realm of reason).

Update: I replicated those template settings with a new, longer, unique name, made sure it was published to the CA and waited the 20 minutes. It still isn't working.

Found rev B which has auto-enrollment stuff in it.
https://www.yubico.com/wp-content/uploa ... 7_RevB.pdf
Actions taken today (1/22/2018):
Revoked all previous user certs except the one that works.
Reissued the root domain cert and verified through cert chains that it is being used.
Pushed all the auto-enrollment config via GPO and found it in the system tray. (Fails with a message about "Prohibited by Computer Policy" weather it's launched from the tray or certmgr)
Added a brand new PC to the domain and logged in via the one working YubiKey 4 on the first boot with no configuration other than previously configured GPOs.

EDIT: per the documentation under the Cryptography tab:
Provider Category is now Key Storage Provider
Algo is RSA, length is default: 2048
Provider is Microsoft Smart Card Key Storage Provider

What am I missing?

For enroll on behalf of (EOBO) you also need to set the publish and enroll in the "Enrollment Agent" template as covered in the Smart Card Deployment Guide.

Regarding your issue with self-enrollment, please open a support ticket for further troubleshooting. https://www.yubico.com/support/get-support/

The Enrollment Agent template was also published. I was able to pull the cert and get almost all the way through enrollment before it failed due to policy.

Today I extinguished all doubt by troubleshooting the entire PKI stack with this guide:
https://blogs.technet.microsoft.com/ask ... e-snap-in/

I ran RSOP.msc to see if there were any conflicts with GPOs but everything was configured the way I expected.
I was still getting the 'blocked by computer policy' error so I disabled all of my computer GPOs and self enrollment worked. By turning things back on one at a time I determined that my Yubikey GPO was to blame. I believe it's one or both of my registry edits:

BlockPUKOnMGMUpgrade
or
NewKeyTouchPolicy

What I'm working backwards to understand is how the YubiKeys were getting the certificate installed in 9a -only with the PIV Manager- but weren't able to authenticate.