Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Unable to Launch Yubikey Manager Over Remote Desktop to a Windows Machine

Symptoms

When a user connects to a Windows machine and then subsequently attempts to launch the Yubikey manager, they may see the following error:

LoadLibrary failed with error 126: The specified module could not be found.

Cause

This issue is caused (most likely) due to an issue with the AMD video drivers that are present on the Windows machine and the Yubikey software.

Side note: this same issue is known to affect other software, such as AutoCAD. See https://knowledge.autodesk.com/support/autocad/troubleshooting/caas/sfdcarticles/sfdcarticles/LoadLibrary-failed-with-error-126-when-starting-an-Autodesk-product.html

Resolution

  1. Launch Device Manager (devmgmt.msc)
  2. Expand "Display adapters"
  3. Right click the dedicated video card that is present on the machine and click Disable
  4. Re-launch the Yubikey Manager app
  5. Once work is done, the video card can be re-enabled.

Note: This trick of disabling the video adapter seems to allow the Yubikey Manager app to function throughout the entirety of the remote session. If you disconnect and reconnect, it may be necessary to disable the video card again.


(top)

Unable to Connect to Windows Machine Via RDP with Yubikey

Symptoms

When a user connects to a Windows machine (server or client) via a non-domain joined machine (or a personal workstation) using their Yubikey, the connection will hang at "securing connection" and then result in an error stating:

An authentication error has occurred. The Kerberos protocol encountered an error while validating the DKC certificate during smartcard logon. There is more information in the system event log.


Remote computer: <someWorkstation>.ad.rit.edu




Additionally, looking at the System event log on the local workstation will result in an error:

Source: Security-Kerberos Text: The client has failed to validate the domain controller certificate for maindc<####>.main.ad.rit.edu. The following error was returned from the certificate validation process: A certificate chain could not be built to a trusted root authority.



Cause

This error is caused due to the local workstation lacking the RIT Root CA certificate on the workstation.


Resolution

  1. Navigate to https://certs.rit.edu on the local workstation
  2. Download the "RIT ROOT CA" certificate
  3. Install the certificate – it can either be placed in the Local Machine or Current User stores, but must explicitly be placed in the corresponding "Trusted Root Certificate Authority" store. Selecting the automatic option may cause the cert to be incorrectly placed in the Personal store.
  4. Attempt to connect to the remote workstation


Note: The combination of installing the RIT Root CA certificate, plugging in the Yubikey, and then connecting to the remote RIT workstation should automatically cause the "RIT AD Signing CA" to be installed in the "Intermediate Certification Authorities" store. If this does not occur, you can also obtain the RIT AD Signing CA certificate by downloading the "RIT Certificate Authorities - p7b Bundle" file from certs.rit.edu.

(top)

Certificates Missing When Attempting to Access Then on Yubikey

Symptoms

When a user attempts to interact with an application that requests their certificate (e.g. when connecting via RDP), one of the certificates that is (or should be) present for selection does not appear. For example, a yubikey that has certificates for ritchie and ritchie-admin may only present ritchie-admin, or vice versa.

Additionally:

  • Viewing the Yubikey manager → Applications → PIV → Configure Certificates shows that all certificates are present
  • Running ykman piv info from a command/powershell prompt properly shows all expected certificates
  • Running certutil -scinfo results in one or more certificates not displaying information (it will present a message indicating that no certificates were pulled from the slot)
  • When viewing the Certificate Manager (certmgr.msc) → Personal store, one or more certificates are missing from the list (e.g. in the example above, ritchie might be missing)
  • The above behavior persists when connected to a remote machine (in which case, you would have connected via a username/password)

Cause

Thus far, the current belief of the cause of the issue is that during certificate propagation (which occurs automatically when the yubikey is inserted), the actual certificate files stored on disk are somehow "locked". The cause of this lock is yet unknown, however, may be related to errors that can be observed in the System Event Log:

Smart Card Reader 'Yubico YubiKey OTP+FIDO+CCID 0' rejected IOCTL GET_ATTRIBUTE: The device does not recognize the command. If this error persists, your smart card or reader may not be functioning correctly.


Resolution

This error can be corrected by removing / deleting the certificate file on disk and then re-inserting the Yubikey.


The steps below require the user to know the thumbprint of the affected/missing certificate in question.

This can be obtained via several methods, including the X509 certificate that was initially issued by the CA when the yubikey was set up, or by running the command ykman certificates <slot number> <filename>.cer to generate a new X509 certificate for the affected slot.


  1. Unplug your Yubikey
  2. Navigate to C:\Users\<username>\appdata\roaming\Microsoft\SystemCertificates\My\Certificates
  3. Move the file corresponding with the thumbprint of the missing/affected certificate (this ultimately can be deleted, but for safety, it's best to start with moving it to another location)
  4. Plug the Yubikey back in
  5. This should automatically cause a new file to be written to disk
  6. Open the Certificate Manager (certmgr.msc) and navigate to the Personal store
  7. Confirm that the missing cert now appears
  8. Attempt to perform the initial transaction (e.g. connecting to RDP)


(top)

On This Page:

  • No labels