I'm trying to use a YubiKey to authenticate with Microsoft's AAD CBA, but when I plug in the YubiKey I get an error:
The smart card cannot perform the requested operation or the operation requires a different smart card.

To troubleshoot, I have used Yubico's tools to make sure the certificate is on the YubiKey:

I have also verified that the YubiKey smart card minidriver is installed in the PC's Device Manager.

I did notice that when the YubiKey is plugged in, a Microsoft USBCCID smart card reader is also added in Device Manager.
Any guidance on whether this is a driver problem or something else I should look at would be appreciated.
Edit: After following the troubleshooting on this page https://github.com/Yubico/yubikey-piv-manager/issues/24, I changed the YubiKey registry entry to use msclmd.dll instead of yubikey and was able to get certutil to recognize the certificate. There
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: YubiKey Smart Card
--- ATR:
3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 ;.....1...s.!.WY
75 62 69 4b 65 79 40 ubiKey@
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
PS C:\Users\igalf> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: YubiKey Smart Card
--- ATR:
3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 ;.....1...s.!.WY
75 62 69 4b 65 79 40 ubiKey@
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Card: YubiKey Smart Card
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]
Cannot open the AT_SIGNATURE key for reader: Yubico YubiKey OTP+FIDO+CCID 0
PS C:\Users\igalf> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: YubiKey Smart Card
--- ATR:
3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 ;.....1...s.!.WY
75 62 69 4b 65 79 40 ubiKey@
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Card: YubiKey Smart Card
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = 732e006f-1df6-434f-870d-ac7ad05fc105 [Default Container]
No AT_SIGNATURE key for reader: Yubico YubiKey OTP+FIDO+CCID 0
Serial Number: 2000000015eb9e5f830f3b8636000000000015
Issuer: CN=same-CA, DC=same, DC=domain
NotBefore: 7/25/2022 11:47 AM
NotAfter: 7/25/2023 11:47 AM
Subject: CN=me@codingflamingogmail.onmicrosoft.com
Non-root Certificate
Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
Cert Hash(sha1): aae49e206c1fbcac5595e966bb806558317f0518
Performing AT_KEYEXCHANGE public key matching test...
Public key matching test succeeded
Key Container = 732e006f-1df6-434f-870d-ac7ad05fc105
Provider = Microsoft Base Smart Card Crypto Provider
ProviderType = 1
Flags = 1
0x1 (1)
KeySpec = 1 -- AT_KEYEXCHANGE
Private key verifies
Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1000040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=same-CA, DC=same, DC=domain
NotBefore: 7/25/2022 11:47 AM
NotAfter: 7/25/2023 11:47 AM
Subject: CN=me@codingflamingogmail.onmicrosoft.com
Serial: 2000000015eb9e5f830f3b8636000000000015
SubjectAltName: Other Name:Principal Name=me@codingflamingogmail.onmicrosoft.com
Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
Cert: aae49e206c1fbcac5595e966bb806558317f0518
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=same-CA, DC=same, DC=domain
NotBefore: 7/23/2022 10:09 PM
NotAfter: 7/23/2027 10:19 PM
Subject: CN=same-CA, DC=same, DC=domain
Serial: 22186ead3636cda04a63b3d2357bc2e7
Cert: b64f289bdf0fe3bb54638a928a5e8c37f1418931
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
Chain: aae49e206c1fbcac5595e966bb806558317f0518
Full chain:
Chain: 4be2869ed0c351f6686e3aaf16fd4f5d8b715a50
Issuer: CN=same-CA, DC=same, DC=domain
NotBefore: 7/25/2022 11:47 AM
NotAfter: 7/25/2023 11:47 AM
Subject: CN=me@codingflamingogmail.onmicrosoft.com
Serial: 2000000015eb9e5f830f3b8636000000000015
SubjectAltName: Other Name:Principal Name=me@codingflamingogmail.onmicrosoft.com
Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
Cert: aae49e206c1fbcac5595e966bb806558317f0518
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
Displayed AT_KEYEXCHANGE cert for reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = 36736414-a18e-4d23-add2-a9c7515fc105
Cannot open the key for reader: Yubico YubiKey OTP+FIDO+CCID 0
--------------===========================--------------
Done.
CertUtil: -SCInfo command completed successfully.

But, as you can see, it says it cannot find the second certificate (since I'm only using 9a), so it cannot find the certificate stored in that container. I still get the same error with AAD CBA.
Posted on 2022-08-01 18:58:07
After contacting Yubico support, it turned out this was caused by the management key having been changed. It expects the management key to be the default and protected with the PIN. Reinstalling the minidriver and letting it use the default management key resolved the problem.
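A small triage helper, added here and not part of the question or the answer: it parses certutil -scinfo output like the run quoted above into one record per provider, so the pattern that output shows (Base CSP container opens and the private key verifies, the KSP container cannot be opened, the chain is invalid only because the revocation check was offline) comes out as a short finding per provider. SAMPLE is constructed from the quoted lines; the bit values are the two CERT_TRUST_* constants named in the chain dump.

```python
import re

# Constructed from the certutil -scinfo run quoted in the question (trimmed).
SAMPLE = """\
================ Certificate 0 ================
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = 732e006f-1df6-434f-870d-ac7ad05fc105 [Default Container]
Private key verifies
CertGetCertificateChain(dwErrorStatus) = 0x1000040
================ Certificate 0 ================
Provider = Microsoft Smart Card Key Storage Provider
Key Container = 36736414-a18e-4d23-add2-a9c7515fc105
Cannot open the key for reader: Yubico YubiKey OTP+FIDO+CCID 0
"""
# CERT_TRUST_REVOCATION_STATUS_UNKNOWN | CERT_TRUST_IS_OFFLINE_REVOCATION, as in the dump
REV_BITS = 0x40 | 0x1000000

def parse_scinfo(text):
    """One dict per 'Certificate N' banner; the lines that follow fill in its fields."""
    entries, cur = [], None
    for line in text.splitlines():
        if re.match(r"=+ Certificate \d+ =+", line):
            cur = {"provider": "", "container": "", "key_opened": True, "private_key_ok": False, "chain_error": 0}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Provider = "):
            cur["provider"] = line[len("Provider = "):]
        elif line.startswith("Key Container = "):
            cur["container"] = line[len("Key Container = "):].split(" [")[0]
        elif line.startswith("Cannot open the"):
            cur["key_opened"] = False  # container is listed but its key is unreachable
        elif line == "Private key verifies":
            cur["private_key_ok"] = True
        elif (m := re.match(r"CertGetCertificateChain\(dwErrorStatus\) = 0x([0-9a-fA-F]+)", line)):
            cur["chain_error"] = int(m.group(1), 16)
    return entries

def triage(entries):
    """One finding per provider: is the key usable, and why is the chain reported invalid."""
    out = []
    for e in entries:
        if not e["key_opened"]:
            out.append(f"{e['provider']}: cannot open container {e['container']}")
        elif e["chain_error"] and not e["chain_error"] & ~REV_BITS:
            out.append(f"{e['provider']}: key ok, chain failed only on offline revocation check")
        else:
            out.append(f"{e['provider']}: key ok={e['private_key_ok']}, chain error 0x{e['chain_error']:x}")
    return out

if __name__ == "__main__":
    print("\n".join(triage(parse_scinfo(SAMPLE))))
```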
https://stackoverflow.com/questions/73102834