Yubikeys - Q (and hopefully) A

If you’re going the smart card route, you can change the management key from the default on the PIV application to prevent users from being able to accidentally overwrite corporate key material while giving them free reign on the OTP, OATH, FIDO, and OpenPGP applications.

In any case, you should probably open a support ticket. I’ve heard their technical support is superb :wink:

If you have Azure AD you can use WebAuthn (FIDO 2) on the YubiKey to sign into Azure services as well as Windows 10. No smart card or PKI infrastructure needed. Docs: Passwordless security key sign-in Windows - Azure Active Directory | Microsoft Docs

< akshually meme here >

Smart cards actually rely on PKI and certificates to know what identities trust, which is importantly way better than PGP’s lack of anything similar.

2 Likes

I didn't know this was an option. That's interesting. I should have checked though, I've noticed they’ve been moving a lot/all of their new AD features into cloud only AD.

OK, so I’ve built a lab in Hyper-V and keep getting an issue that my YubiKey (plugged into the host) is “read only” from within the guest. I’m trying to do Active Directory PIV (certificate based) login setup.

Anyone using YubiKeys in this configuration? If it’s a limitation of Windows’ ability to pass the device through to a guest (only does it read only) that’s fair enough, I’ll need to start over with some real hardware. Otherwise I must be doing something wrong :smiley:

Guests - All Server 2019: a DC, a CA and a server 2019 client just for testing
HyperV host - Windows 10 build 20h2

Cheers!

Looks like Hyper-V only passes smart cards read only, which makes it pretty useless as a lab setup for this. Oh well. Will bridge the vSwitch to another physical NIC and plug in a physical machine to it to act as a client.

Confirming:
Hyper-V guests only get READ ONLY access to smart cards via the guest services offered by the host. I managed to onboard/prep a key and have it work with a physical client machine this morning.

So - you can log into a VM guest with an existing, prepared key but you can’t onboard a YubiKey from within a VM guest - at least with Hyper-V. KVM, VMware, YMMV.

So as of this morning, I’ve prepared a lab AD environment using PIV authentication. There were a few traps I encountered along the way:

  • If you set up your CA with cert cipher types or key lengths too long you can’t configure a smart card template as per YubiKey instructions.
  • Keys aren’t read/write in hyper-v guest as above

I’ll be preparing a change management req for work so if I remember I’ll list changes to AD required here as well.

1 Like

OK, things you need to do, to get Yubikey PIV working:

  1. get the PIV deployment guide for active directory “Yubikey Smart Card Deployment Guide”
  2. Have a PKI set up. If you do not have one, get that established first. For a lab, you can run through the MS CA installation wizard and just set up an AD integrated root CA (don’t bother with multi tier for lab). Be sure to reference page 10 of the YubiKey guide and make sure to NOT exceed the supported certificate size or key length figures listed when configuring your CA, or you will not be able to deploy the cert template later.
  3. Deploy the YubiKey mini driver to your machines that need local (OR RDP) login via key
  4. Follow through pages 13-14 of the document to duplicate and modify the default Windows CA template for Smartcard Logon
  5. (Optional for test) Configure auto-enrolment for user certificates in group policy. For test, you can just enrol manually.
  6. Page 15: PRIOR to deploying a cert to a key (at least for a production deployment) ensure you set and record the PUK on the key with the YubiKey Manager in the PIV application section so that if your user forgets/nukes their PIN you can help them reset it via PUK
  7. Once you’ve onboarded a key and confirmed it works, you can change the user account setting in AD to “require smart card for interactive logon”. If you don’t the user will be able to use either password or key.

So, so far I have login working. Questions unanswered by the document, some with answers, some without:

Q. Can I have two YubiKeys plugged in for, say, a local account and an elevated (domain admin) account during normal use?
A. Yes

Q. If I revoke a cert in AD, how do I re-enrol and re-deploy a new one? Will auto-enrolment re-enrol the user fairly automatically?
A. working on that

Q. What is the impact of setting up a management key in the PIV section
A. I’ve not yet messed with that.

Q. How do I delegate enrolment to IT staff for other users
A. there’s docs but I haven’t done it or read through it yet.

2 Likes
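Steps 6 and 7 of the list above, as an added PowerShell example (not from this thread or from Yubico’s deployment guide): it moves a key off the factory PUK and default management key before hand-off, so a user with only the PIN cannot overwrite the PIV slots AD logon depends on, then flags the AD account as smart-card-required once enrolment is confirmed. The sAMAccountName and PUK values are placeholders; it assumes ykman is on PATH and the RSAT ActiveDirectory module is installed.

```powershell
#Requires -Modules ActiveDirectory
# Added example: prepare a YubiKey's PIV application before deployment, then
# enforce smart-card logon for the enrolled AD user. Assumes ykman (the YubiKey
# Manager CLI) is on PATH. Factory defaults below are Yubico's documented ones.

function Initialize-PivAccessCodes {
    param(
        [Parameter(Mandatory)][string]$NewPuk,          # 8 digits; record it in your vault
        [string]$CurrentPuk = '12345678',               # factory default PUK
        [string]$CurrentManagementKey = '010203040506070801020304050607080102030405060708'
    )
    # Step 6: replace the factory PUK so a forgotten PIN can be recovered without a PIV reset.
    & ykman piv access change-puk --puk $CurrentPuk --new-puk $NewPuk
    if ($LASTEXITCODE -ne 0) { throw "change-puk failed (exit $LASTEXITCODE)" }

    # Generate a random 24-byte management key locally (works on Windows PowerShell 5.1 too).
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newKey = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

    # Deliberately NOT --protect: a PIN-protected management key would let the end user
    # (who knows the PIN) rewrite slots. Only IT holds this value.
    & ykman piv access change-management-key --management-key $CurrentManagementKey --new-management-key $newKey
    if ($LASTEXITCODE -ne 0) { throw "change-management-key failed (exit $LASTEXITCODE)" }

    # Returned so the caller can store it with the key's serial; it is never printed here.
    return $newKey
}

function Set-SmartCardOnlyLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Step 7: only set the flag after the user has logged on with the key at least once,
    # otherwise password logon is gone and nothing works in its place.
    $user = Get-ADUser -Identity $SamAccountName -Properties SmartcardLogonRequired
    if ($user.SmartcardLogonRequired) {
        Write-Host "$SamAccountName already requires a smart card"
        return
    }
    Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $true
    Write-Host "Smart card now required for interactive logon: $SamAccountName"
}

# Usage (placeholder values): first against the plugged-in key, second after a confirmed PIV logon.
# $mgmtKey = Initialize-PivAccessCodes -NewPuk '87654321'
# Set-SmartCardOnlyLogon -SamAccountName 'jdoe'
```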

Next up on the agenda is getting YubiKey OTP working with FreeRADIUS. Working on that…

2 Likes

OK for PIV to work via Remote Desktop sessions, you need to install the mini driver with an additional setting to ensure the smart-card service is running on the remote machine even if a smart card is not physically plugged in.

msiexec.exe /i [name of mini driver MSI] INSTALL_LEGACY_NODE=1 /quiet

If you do not do this, RDP logins via a passed-through smart card will fail with an error whose message escapes me. I’ll see if I can find it :smiley:

1 Like

Now, setup for FIDO2 on 365. You need to ensure that FIDO2 logins are enabled in your tenant. If the tenant is old this may not be the case, the setting is under:

Home → Security → authentication methods

in portal.azure.com

this will enable an end user to self-on-board their key for FIDO2 in mysignins.microsoft.com

If your tenant was recently created, this setting is, I believe, enabled by default. At least it was in my test/personal tenant, but not in my work tenant.

The FIDO2 configuration can be used with an arbitrary number of sites. It won’t conflict with or wipe out PIV for on-prem as it uses different slot(s).

However, PIV (used for AD) is one setup per card.

So, if the end user attempts to set up key login on their Mac (for example), this also uses PIV and would wipe your AD PIV configuration out. So as per a post above, best set a PIV management key prior to deployment to end users.

Now where it gets tricky is if you’re in a hybrid situation like me.

  • PIV on Prem, will authenticate a user via SSO to 365
  • 365 FIDO2 will grant access to the tenant, and (I think) some/most resources that support SSO on-prem

1 Like

So… questions on a couple of things:

  • Windows can’t seem to renew an end user cert via the renewal process that pops up, but it works on my domain admin account.
  • a test user has made an error during setup and we’ve reset PIV on the key. I’ve revoked the cert, is there a way to make Windows re-enroll a new PIV cert?

1 Like

The only advantage to the PGP keys addition is storing an ED25519 key for SSH, and that’s the only thing I use the GPG system to generate on my key.

I’ve done a complete guide on this. Also I just realized this is a year old. Carry on

1 Like

Sorry meant to mention, my problem is with PIV specifically. The windows PIV renewal process for non-privileged user fails because I think the yubikey is read only unless you elevate.

The cert renewed in the windows CA, is there any way to re-import it properly to my key?

Yes, it’s read only unless you elevate by design, and that’s how you make it secure. That’s how the US military operates. While we don’t use Yubi yet, the computer access card works the very same way with a PIV certificate.

The only people that can change it or update it for you are a select group in charge of the PKI. The even cooler thing is they don’t give them admin privileges; they just give them a group policy exception privilege to elevate only for that reason, to modify the computer access card.

A similar type of implementation would be needed for these kinds of keys as well.

There’s no point to shorting out on security here because why would you shoot yourself in the foot like that when you have such a powerful device in terms of multi-factor hardware authentication

Assuming you are setting this up in a corporate environment, you have a security team, and that security team should be the only one that has to mess with any kinds of certificates. The user itself should only need to read.

The thing I don’t get is that the enrolment works. The key isn’t read only when the end user enrols it with PIV for the first time.

12 months later - Windows pops up the prompt that the cert needs to be renewed, and does the renewal but then can’t install it on the same key it installed it on a year ago.

As I understand it the private key for this cert is generated on the key, so it should be secure? I’m only trying to get the resultant cert back onto the key.

Not sure if that makes sense or not.

Either way:
What’s the path forward from here? reset the key and start over? It’s been working fine for the 12 months previous, but my cert expires on the key on the 28th.

Also, confirmed my non-domain admin account is a local computer admin… surely I don’t need to get the CA admin to renew a cert that windows tries to do automatically for an unprivileged end user of a key… that it originally set up automatically for the user?

I’ve opened a support ticket, will see what they say.

It looks like windows installed my new smart card certificate in the key management slot 9d in the PIV section. But didn’t put it in the authentication slot 9a.
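The slot mix-up described in the post above, as an added PowerShell diagnostic (not from this thread or from Yubico): it exports whatever certificate sits in each standard PIV slot and flags when the authentication slot 9a is empty or expiring while a fresher certificate sits in 9d. It assumes ykman is on PATH and changes nothing on the key.

```powershell
# Added example: list the certificate in each standard PIV slot on the plugged-in
# YubiKey. Windows smart-card logon uses slot 9a, so a renewal that landed in 9d
# shows up as "9a old/expiring, 9d newer". Assumes ykman is on PATH; read-only.

function Get-PivSlotCertificates {
    param([string[]]$Slots = @('9a', '9c', '9d', '9e'))   # auth, signature, key mgmt, card auth
    foreach ($slot in $Slots) {
        $tmp = Join-Path ([IO.Path]::GetTempPath()) "piv-$slot.pem"
        Remove-Item $tmp -Force -ErrorAction SilentlyContinue   # no stale file from a previous run
        # ykman exits non-zero when the slot holds no certificate; treat that as empty.
        & ykman piv certificates export $slot $tmp 2>$null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $tmp)) {
            [pscustomobject]@{ Slot = $slot; Subject = '<empty>'; NotAfter = $null; DaysLeft = $null }
            continue
        }
        # X509Certificate2 accepts the PEM file ykman writes.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
        Remove-Item $tmp -Force
        [pscustomobject]@{
            Slot     = $slot
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

function Test-PivAuthSlot {
    param([int]$WarnDays = 30)
    $rows = Get-PivSlotCertificates
    $auth = $rows | Where-Object Slot -eq '9a'
    $kmgt = $rows | Where-Object Slot -eq '9d'
    if ($auth.Subject -eq '<empty>') {
        Write-Warning 'Slot 9a is empty: Windows smart-card logon has no certificate to use.'
    } elseif ($auth.DaysLeft -le $WarnDays) {
        Write-Warning "Slot 9a certificate expires in $($auth.DaysLeft) days ($($auth.NotAfter))."
    }
    if ($kmgt.NotAfter -and $auth.NotAfter -and $kmgt.NotAfter -gt $auth.NotAfter) {
        Write-Warning 'Slot 9d holds a newer certificate than 9a; a renewal may have landed in the wrong slot.'
    }
    $rows
}

Test-PivAuthSlot | Format-Table -AutoSize
```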

Oh, I understand, you used PIV user self-enrollment. Yeah, okay, so this isn’t unique to the YubiKey. It’s actually why the military and a lot of enterprises don’t do self-enrollment PIV. The renewal process is kind of fucking broken. But please do let us know what the support ticket results in; I hope it’s not the response I just gave you and that they have a workaround.

The military’s current workaround is to store the old certificate with its expiration date and have software auto-select it when that’s the key needed. They make you a completely new key every 3 years; no certs are left over or renewed.

1 Like

Well I just need to know how to renew them :smiley:

1 Like

What’s the error? Based on what you’ve stated, it sounds like a permissions issue on the certificate template in AD CS.

Windows probably still has the old cert cached so it isn’t prompting for enrollment; you’ll need to remove it with certmgr.msc

You can import certificates using YubiKey Manager | Yubico

Sounds like it was configured incorrectly from the beginning. It’s near-impossible to know without actual error messages. Their support is pretty good though.

That’s for decrypting old messages, you always need a fresh non-expired cert to login/authenticate to systems.

2 Likes

I thought that was a given with what I said above

@here

Something unbelievably helpful for all YubiKey users are the USB C urethane covers. Keeps the connectors safe while carrying.

HIGHLY recommend getting something similar

5 Likes

Well Yubico have asked me to confirm I followed their deployment guide (I did); am awaiting further response.

They didn’t outright say “this is not expected to work for PIV” so we will see how it goes from here.