Potential Causes
- The YubiKey was enrolled outside Windows' native enrollment tools and the computer has the YubiKey Smart Card Minidriver installed.
- The certificate chain is not trusted.
- The usage attributes on the certificate do not allow for smart card logon.
- The smart card certificate uses ECC.
- One or more domain controllers are missing certificates.
1. The YubiKey was enrolled outside Windows' native enrollment tools and the computer has the YubiKey Smart Card Minidriver installed
An incompatibility between YubiKeys enrolled using YubiKey PIV Manager (deprecated), yubico-piv-tool, or other third-party software and version 3.3 of the YubiKey Smart Card Minidriver can cause this error.
Testing
Note: This testing assumes you have a working and a non-working computer to test with on your domain.
- In a Command Prompt window, run “certutil -scinfo” on both a working and a non-working computer. If prompted, enter your smart card PIN.
- Near the top of the output, look for “Card:”. If the card is listed as “NIST Identity …” on the working computer but “Yubikey … Smart Card” on the non-working one, continue with these steps; otherwise this is not your issue and you should check the other potential causes.
- On the non-working computer, check which version of the YubiKey Smart Card Minidriver is installed.
Resolution Option 1
Upgrade the YubiKey Smart Card Minidriver to version 4.1 or higher and it will be able to correctly read certificates from YubiKeys enrolled using the PIV tools. You can download the latest version here.
Resolution Option 2
Uninstall the YubiKey Smart Card Minidriver. To do this, first install the Minidriver using one of the .MSI installers from this page (this will cleanly install the latest version, add an entry to Programs and Features which can be used to uninstall, etc.), then uninstall by following these instructions.
2. The Certificate Chain is not Trusted
If the root certificate or any intermediate certificates are not trusted by the computer you are logging in to, the end certificate will not be trusted and will give this error.
Testing
- Open a Command Prompt window, and run “certutil -scinfo”. When prompted, enter your smart card PIN. Near the end of the process, you will receive a prompt showing the certificate that was read from the YubiKey. When you see this, press the “More details” option, which will open a new window.
- Switch to the “Certification Path” tab.
- Check the “Certificate Status” box at the bottom to see if it reports any issues with the certificate chain.
Resolution
Ensure that the root and all intermediate CAs are installed on each workstation on your network.
3. The Usage Attributes on the Certificate do not Allow for Smart Card Logon
If the certificate does not include Smart Card Logon as a usage, Windows will not allow it to be used for logon and the error will be shown.
Testing
- Open a Command Prompt window, and run “certutil -scinfo”. When prompted, enter your smart card PIN. Near the end of the process, you will receive a prompt showing the certificate that was read from the YubiKey. When you see this, press the “More details” option, which will open a new window.
- On the General tab, look for “Smart Card Logon” under “This certificate is intended for the following purposes”. If it is not there, this is the cause of the issue.
Resolution
On your issuing certificate authority, update the certificate template to also include “Smart Card Logon” as an Application Policy under the Extensions tab. Then, enroll the YubiKey again using the updated template.
4. My certificate is using ECC
By default, Windows does not enumerate ECC-based certificates. If you've created your certificate using ECC, you will need to configure Windows to enumerate it either by manually creating the required Registry entries or making the changes via Group Policy Object (GPO).
Registry changes
- Open regedit.exe as administrator and browse to HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider
- Right Click > New DWORD: EnumerateECCCerts = 1
- Right Click > New DWORD: AllowCertificatesWithNoEKU = 1
Group Policy
For more information on editing Group Policy, refer to the Microsoft article here.
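The registry check in cause 4 and the chain and usage checks in causes 2 and 3 can be audited from one script. The following PowerShell is an added example, not from the Yubico article: it reports the two SmartCardCredentialProvider policy values (and sets them only when run with -Fix as administrator), then lists each certificate in the user's personal store with its Smart Card Logon EKU and chain status. It assumes the smart card certificate has been propagated to Cert:\CurrentUser\My.

```powershell
# Added example: audit (and optionally apply) the two policy values from cause 4,
# then report the EKU and chain status checked manually in causes 2 and 3.
param([switch]$Fix)

$Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
$Wanted = @{ EnumerateECCCerts = 1; AllowCertificatesWithNoEKU = 1 }
# Note: AllowCertificatesWithNoEKU relaxes the EKU requirement described in
# cause 3; only enable it if your certificates genuinely lack that EKU.

if (-not (Test-Path $Path)) {
    Write-Host "Policy key missing: $Path"
    if ($Fix) { New-Item -Path $Path -Force | Out-Null }
}

foreach ($name in $Wanted.Keys) {
    $current = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $Wanted[$name]) {
        Write-Host "$name = $current (OK)"
    } else {
        $shown = if ($null -eq $current) { '<not set>' } else { $current }
        Write-Host "$name = $shown (expected $($Wanted[$name]))"
        if ($Fix) {
            New-ItemProperty -Path $Path -Name $name -PropertyType DWord `
                -Value $Wanted[$name] -Force | Out-Null
            Write-Host "  -> set $name to $($Wanted[$name])"
        }
    }
}

# Smart Card Logon EKU OID as defined by Microsoft.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

# Assumes the YubiKey certificate has been propagated to the personal store.
foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $hasScl  = $cert.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid
    $chainOk = $cert.Verify()   # builds and validates the chain against local trust
    $keyType = $cert.PublicKey.Oid.FriendlyName   # e.g. RSA or ECC
    Write-Host ("{0}`n  SmartCardLogon={1}  ChainTrusted={2}  Key={3}" -f `
        $cert.Subject, $hasScl, $chainOk, $keyType)
}
```

A certificate showing ChainTrusted=False points to cause 2, SmartCardLogon=False to cause 3, and Key=ECC with EnumerateECCCerts unset to cause 4.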
5. One or more domain controllers are missing certificates
If the domain controller the machine is attempting to authenticate against is missing the certificates based on the templates Kerberos Authentication and/or Domain Controller Authentication, this error message can occur.
Testing
- Open a Command Prompt window, and run “certutil -dcinfo verify”. This will poll all available domain controllers and output their certificates on screen.
- Scroll through the output or save it to a text file. Verify that each domain controller has a certificate enrolled based on the template names above.
Resolution
Ensure that every domain controller has a certificate enrolled from the Kerberos Authentication or Domain Controller Authentication template so that it can authenticate smart card logons.