
Yubikey PIV "The smartcard cannot perform the requested operation."

I am trying to use a Yubikey to authenticate with Microsoft's AAD CBA; however, when I connect the Yubikey I get the error:

The Smart card cannot perform the requested operation or the operation requires a different smart card

To troubleshoot, I have made sure the certificate is in the yubikey using Yubico's tool: [image: Yubico tool output]

as well as verified that the yubikey smart card minidriver is installed in the PC's Device Manager. [image: Device Manager screenshot]

I did notice that the Microsoft Usbccid smartcard reader was also added to Device Manager when the Yubikey was connected.

Any guidance on whether this is a driver issue or something else I should look at would be appreciated.

Edit: Following the troubleshooting on this page https://github.com/Yubico/yubikey-piv-manager/issues/24, I changed the yubikey registry keys to use msclmd.dll instead of the yubikey minidriver and was able to get certutil info to recognize the certificate. There

PS C:\Users\igalf> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
---   Card: YubiKey Smart Card
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@


=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]

Cannot open the AT_SIGNATURE key for reader: Yubico YubiKey OTP+FIDO+CCID 0
PS C:\Users\igalf> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
---   Card: YubiKey Smart Card
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@


=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = 732e006f-1df6-434f-870d-ac7ad05fc105 [Default Container]

No AT_SIGNATURE key for reader: Yubico YubiKey OTP+FIDO+CCID 0
Serial Number: 2000000015eb9e5f830f3b8636000000000015
Issuer: CN=same-CA, DC=same, DC=domain
 NotBefore: 7/25/2022 11:47 AM
 NotAfter: 7/25/2023 11:47 AM
Subject: CN=me@codingflamingogmail.onmicrosoft.com
Non-root Certificate
Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
Cert Hash(sha1): aae49e206c1fbcac5595e966bb806558317f0518

Performing AT_KEYEXCHANGE public key matching test...
Public key matching test succeeded
  Key Container = 732e006f-1df6-434f-870d-ac7ad05fc105
  Provider = Microsoft Base Smart Card Crypto Provider
  ProviderType = 1
  Flags = 1
    0x1 (1)
  KeySpec = 1 -- AT_KEYEXCHANGE
Private key verifies

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x1000040
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=same-CA, DC=same, DC=domain
  NotBefore: 7/25/2022 11:47 AM
  NotAfter: 7/25/2023 11:47 AM
  Subject: CN=me@codingflamingogmail.onmicrosoft.com
  Serial: 2000000015eb9e5f830f3b8636000000000015
  SubjectAltName: Other Name:Principal Name=me@codingflamingogmail.onmicrosoft.com
  Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
  Cert: aae49e206c1fbcac5595e966bb806558317f0518
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=same-CA, DC=same, DC=domain
  NotBefore: 7/23/2022 10:09 PM
  NotAfter: 7/23/2027 10:19 PM
  Subject: CN=same-CA, DC=same, DC=domain
  Serial: 22186ead3636cda04a63b3d2357bc2e7
  Cert: b64f289bdf0fe3bb54638a928a5e8c37f1418931
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  Chain: aae49e206c1fbcac5595e966bb806558317f0518
Full chain:
  Chain: 4be2869ed0c351f6686e3aaf16fd4f5d8b715a50
  Issuer: CN=same-CA, DC=same, DC=domain
  NotBefore: 7/25/2022 11:47 AM
  NotAfter: 7/25/2023 11:47 AM
  Subject: CN=me@codingflamingogmail.onmicrosoft.com
  Serial: 2000000015eb9e5f830f3b8636000000000015
  SubjectAltName: Other Name:Principal Name=me@codingflamingogmail.onmicrosoft.com
  Template: 1.3.6.1.4.1.311.21.8.12345975.15510245.10898846.1019471.8820641.108.11419149.7468723
  Cert: aae49e206c1fbcac5595e966bb806558317f0518
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
------------------------------------
Revocation check skipped -- server offline
Displayed AT_KEYEXCHANGE cert for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = 36736414-a18e-4d23-add2-a9c7515fc105

Cannot open the  key for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------

Done.
CertUtil: -SCInfo command completed successfully.

However, as you can see, it says that it cannot find the second certificate (I don't know what certificate is stored in that container since I am just using 9a), and I still get the same error with AAD CBA.

After contacting Yubico Support, it was discovered that this was caused by changing the Management Key. The Yubico Minidriver expects the management key to be the default, and it protects it with the PIN. Re-installing the minidriver and leaving the default management key fixed the issue.
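The troubleshooting above relies on reading `certutil -scinfo` output by eye. As an added example (not code from the original post, from Yubico or from Microsoft), the Python script below turns that output into a short triage list: it decodes the ATR (Windows selects the minidriver by matching the card's ATR against its smart card registry entries, so confirming the ATR checksum and the "YubiKey" issuer string is a cheap first check), records each key container with its provider, whether certutil could open it, and the `CertGetCertificateChain` error bits. The sample input is constructed from the output quoted above; the two `CERT_TRUST_*` flag names are the ones that appear in that dump, and the ATR walk follows the ISO 7816-3 interface-byte layout.

```python
"""Triage `certutil -scinfo` output: decode the ATR, flag unopenable key containers
and chain errors. Added example, not code from the original post or from Yubico."""
from functools import reduce
import re

# CERT_TRUST_* error bits as named in the certutil chain dump on this page
CERT_TRUST_ERRORS = {0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
                     0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION"}

# Constructed sample, trimmed from the certutil -scinfo output quoted in the post
SAMPLE = """\
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@

================ Certificate 0 ================
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = 732e006f-1df6-434f-870d-ac7ad05fc105 [Default Container]
No AT_SIGNATURE key for reader: Yubico YubiKey OTP+FIDO+CCID 0
Subject: CN=me@codingflamingogmail.onmicrosoft.com
Cert Hash(sha1): aae49e206c1fbcac5595e966bb806558317f0518
CertGetCertificateChain(dwErrorStatus) = 0x1000040
================ Certificate 0 ================
Provider = Microsoft Smart Card Key Storage Provider
Key Container = 36736414-a18e-4d23-add2-a9c7515fc105
Cannot open the  key for reader: Yubico YubiKey OTP+FIDO+CCID 0
"""

def decode_atr(atr: bytes) -> dict:
    """Walk the ISO 7816-3 interface bytes, verify TCK and read the compact-TLV
    card issuer string (tag 5) from the historical bytes."""
    y, i, k = atr[1] >> 4, 2, atr[1] & 0x0F       # T0: Y1 nibble and K historical bytes
    while y:
        i += bin(y & 0x7).count("1")                # TA/TB/TC present for this level
        if y & 0x8:                                 # TD present: carries the next Y nibble
            y, i = atr[i] >> 4, i + 1
        else:
            y = 0
    hist = atr[i:i + k]
    tck_ok = None                                   # TCK is absent for T=0-only cards
    if len(atr) > i + k:
        tck_ok = atr[i + k] == reduce(lambda a, b: a ^ b, atr[1:i + k])
    issuer = ""
    if hist and hist[0] == 0x80:                    # category indicator: COMPACT-TLV follows
        j = 1
        while j < len(hist):
            tag, n = hist[j] >> 4, hist[j] & 0x0F
            if tag == 5:                            # card issuer's data
                issuer = hist[j + 1:j + 1 + n].decode("ascii", "replace")
            j += 1 + n
    return {"historical": hist.hex(), "tck_ok": tck_ok, "issuer": issuer}

def atr_from_scinfo(text: str) -> bytes:
    """Collect the hex dump lines after 'ATR:' and drop the ASCII gutter."""
    lines = text.splitlines()
    start = next(n for n, l in enumerate(lines) if l.rstrip().endswith("ATR:")) + 1
    hexparts = []
    for line in lines[start:]:
        if not line.strip():
            break
        hexparts.append(re.split(r"\s{3,}", line.strip())[0])   # gutter is 3+ spaces away
    return bytes.fromhex(" ".join(hexparts))

def parse_scinfo(text: str) -> dict:
    """One record per 'Certificate N' section plus the decoded ATR."""
    certs = []
    for block in re.split(r"^=+ Certificate \d+ =+$", text, flags=re.M)[1:]:
        def grab(pattern):
            m = re.search(pattern, block, re.M)
            return m.group(1).strip() if m else ""
        err = grab(r"^CertGetCertificateChain\(dwErrorStatus\) = 0x([0-9a-fA-F]+)")
        certs.append({
            "provider": grab(r"^Provider = (.+)$"),
            "container": grab(r"^Key Container = (\S+)"),
            "opened": re.search(r"^Cannot open the .*key for reader", block, re.M) is None,
            "subject": grab(r"^Subject: (.+)$"),
            "sha1": grab(r"^Cert Hash\(sha1\): (\w+)"),
            "chain_error": int(err, 16) if err else 0,
        })
    return {"atr": decode_atr(atr_from_scinfo(text)), "certs": certs}

def triage(report: dict) -> list:
    """Reduce the report to the findings worth acting on."""
    findings = []
    if report["atr"]["tck_ok"] is False:
        findings.append("ATR checksum mismatch: reader or copy/paste problem")
    if report["atr"]["issuer"] != "YubiKey":
        findings.append(f"card issuer string is {report['atr']['issuer']!r}, not YubiKey")
    for c in report["certs"]:
        label = f"{c['provider']} / {c['container'] or '(none)'}"
        if not c["opened"]:
            findings.append(f"{label}: key could not be opened")
        for bit, name in CERT_TRUST_ERRORS.items():
            if c["chain_error"] & bit:
                findings.append(f"{label}: {name}")
    return findings

if __name__ == "__main__":
    report = parse_scinfo(SAMPLE)
    for finding in triage(report):
        print("-", finding)
```

On the sample this reports three findings: the two revocation-offline bits on the CSP container and the KSP container that could not be opened. The last one is the symptom the post ends on; per Yubico Support's explanation above, the Yubico minidriver stops being able to open keys once the management key is no longer the PIN-protected default, which a parser of certutil output cannot see directly, so treat "key could not be opened" as the cue to check the management key configuration before reinstalling drivers.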
