我正在尝试使用 Yubikey 与 Microsoft 的 AAD CBA 进行身份验证,但是当我连接 Yubikey 时出现错误:
为了排除故障,我已使用 Yubico 工具确保证书位于 yubikey 中:
并验证 yubikey 智能卡微型驱动程序已安装在 PC 的设备管理器中。
我确实注意到,当连接 Yubikey 时,Microsoft USbccid 智能卡读取也被添加到设备管理器中。
如果这是驱动程序问题或我应该查看的其他问题,请提供任何指导。
编辑: 按照本页的故障排除https://github.com/Yubico/yubikey-piv-manager/issues/24我更改了 yubikey 注册表项以使用 msclmd.dll 而不是 yubikey 微型驱动程序,并且能够获得certutil 信息来识别证书。那里
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: YubiKey Smart Card
--- ATR:
3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 ;.....1...s.!.WY
75 62 69 4b 65 79 40 ubiKey@
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
PS C:\Users\igalf> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: YubiKey Smart Card
--- ATR:
3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 ;.....1...s.!.WY
75 62 69 4b 65 79 40 ubiKey@
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Card: YubiKey Smart Card
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]
Cannot open the AT_SIGNATURE key for reader: Yubico YubiKey OTP+FIDO+CCID 0
PS C:\Users\igalf> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: YubiKey Smart Card
--- ATR:
3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 ;.....1...s.!.WY
75 62 69 4b 65 79 40 ubiKey@
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Card: YubiKey Smart Card
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = 732e006f-1df6-434f-870d-ac7ad05fc105 [Default Container]
No AT_SIGNATURE key for reader: Yubico YubiKey OTP+FIDO+CCID 0
Serial Number: 2000000015eb9e5f830f3b8636000000000015
Issuer: CN=same-CA, DC=same, DC=domain
NotBefore: 7/25/2022 11:47 AM
NotAfter: 7/25/2023 11:47 AM
Subject: [email protected]
Non-root Certificate
Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
Cert Hash(sha1): aae49e206c1fbcac5595e966bb806558317f0518
Performing AT_KEYEXCHANGE public key matching test...
Public key matching test succeeded
Key Container = 732e006f-1df6-434f-870d-ac7ad05fc105
Provider = Microsoft Base Smart Card Crypto Provider
ProviderType = 1
Flags = 1
0x1 (1)
KeySpec = 1 -- AT_KEYEXCHANGE
Private key verifies
Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1000040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=same-CA, DC=same, DC=domain
NotBefore: 7/25/2022 11:47 AM
NotAfter: 7/25/2023 11:47 AM
Subject: [email protected]
Serial: 2000000015eb9e5f830f3b8636000000000015
SubjectAltName: Other Name:Principal [email protected]
Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
Cert: aae49e206c1fbcac5595e966bb806558317f0518
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=same-CA, DC=same, DC=domain
NotBefore: 7/23/2022 10:09 PM
NotAfter: 7/23/2027 10:19 PM
Subject: CN=same-CA, DC=same, DC=domain
Serial: 22186ead3636cda04a63b3d2357bc2e7
Cert: b64f289bdf0fe3bb54638a928a5e8c37f1418931
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
Chain: aae49e206c1fbcac5595e966bb806558317f0518
Full chain:
Chain: 4be2869ed0c351f6686e3aaf16fd4f5d8b715a50
Issuer: CN=same-CA, DC=same, DC=domain
NotBefore: 7/25/2022 11:47 AM
NotAfter: 7/25/2023 11:47 AM
Subject: [email protected]
Serial: 2000000015eb9e5f830f3b8636000000000015
SubjectAltName: Other Name:Principal [email protected]
Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
Cert: aae49e206c1fbcac5595e966bb806558317f0518
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
Displayed AT_KEYEXCHANGE cert for reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = 36736414-a18e-4d23-add2-a9c7515fc105
Cannot open the key for reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
Done.
CertUtil: -SCInfo command completed successfully.
但是,正如您所看到的,它表示找不到第二个证书(不知道该容器中存储了什么证书,因为我只使用 9a)。我在 AAD CBA 中仍然遇到同样的错误。
联系 Yubico 支持后发现这是由于更改管理密钥导致的。 Yubico Minidriver 希望管理密钥成为默认值,并使用 PIN 对其进行保护。重新安装微型驱动程序并保留默认管理解决了该问题。
我今天也遇到了同样的问题,已解决:
A。安装 Yubikey 迷你驱动程序。
b.重置 Yubikey PIV,执行证明过程,然后将正确的(!)
.der
文件导入 Yubikeycertmgr.msc
导航到“个人”>“证书”,如果出现则从那里删除证书。
(别担心,你的 Yubikey 上有它,记得吗?)问题解决了!!