buptczq/WinCryptSSHAgent

The smart card cannot perform the requested operation or the operation requires a different smart card

dniasoff opened this issue · 11 comments

This is probably similar to #12

But when I try to login, I typically have to click ok on a few popups containing the above message before WinCryptSSHAgent will present the correct key.

I keep deleting the invalid certs from my user certificate store but they magically reappear???


Incredible software by the way. I have struggled over the years with windows, ssh-agent and wsl and this is the first solution that JUST WORKS!!!!

Yeah, I have the same issue here (and the same compliments as @dniasoff)

GottZ commented

do you also get this when executing certutil.exe -scinfo?
I do.

Judging from your screenshot you are on windows 11 as well as me.


This is my output from the above command

C:\Users\daniel>certutil.exe -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
---   Card: YubiKey Smart Card
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@


=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
Microsoft Base Smart Card Crypto Provider: Missing stored keyset

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = XXXXXXXXXXXXXXXXXXXXX
Serial Number: XXXXXXXXXXXXXXXXXXXXX
Issuer:  XXXXXXXXXXXXXXXXXXXXX
 NotBefore: 07/11/2021 15:00
 NotAfter: 20/10/2023 15:00
Subject: XXXXXXXXXXXXXXXXXXXXX
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): XXXXXXXXXXXXXXXXXXXXX

Performing  public key matching test...
Public key matching test succeeded
  Key Container = XXXXXXXXXXXXXXXXXXXXX
  Provider = Microsoft Smart Card Key Storage Provider
  ProviderType = 0
  Flags = 1
    0x1 (1)
  KeySpec = 0 -- XCN_AT_NONE
Private key verifies
Microsoft Smart Card Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(ECC:CNG) test skipped

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x20
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: XXXXXXXXXXXXXXXXXXXXX
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: XXXXXXXXXXXXXXXXXXXXX
  Serial: XXXXXXXXXXXXXXXXXXXXX
  Cert: XXXXXXXXXXXXXXXXXXXXX
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

Exclude leaf cert:
  Chain: XXXXXXXXXXXXXXXXXXXXX
Full chain:
  Chain: XXXXXXXXXXXXXXXXXXXXX
  Issuer: XXXXXXXXXXXXXXXXXXXXX
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: XXXXXXXXXXXXXXXXXXXXX
  Serial: XXXXXXXXXXXXXXXXXXXXX
  Cert: XXXXXXXXXXXXXXXXXXXXX
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
------------------------------------
Verifies against UNTRUSTED root
Displayed  cert for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

And I am getting the issue a lot now. The command pops up a prompt to view the certificate like below and that's when I get the error: CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET) CertUtil: Keyset does not exist


Getting it every time I use it and would love a fix pleeeeeease

this is what I see on certinfo

GottZ commented

yep. annoying. i've moved to using a normal cert with classic passphrase until this issue is resolved.
my yubikey works fine on linux using this method.

@buptczq Any chance you can address this? It is getting to be a real pain. Perhaps some way of selecting the card to present to Windows instead of allowing it to see all certs/cards? Would really appreciate it and it would improve my efficiency and quality of life dramatically.

Happy to help in any way I can but I don't write in Go currently.

I have the same issue and would also appreciate a creative solution. Would unloading certain keys be an option? WinSCP won't connect with more than one certificate available. Unfortunately it checks the incorrect ones first and stops connecting.

I have found a workaround for my problem. Certificates are created when you RDP into a machine so that you can use a smartcard over RDP remotely and when you disconnect, the certificate remains in the user's personal store which confuses Wincrypt. Removing that certificate manually prevents the pop-up.

Also Windows Hello for Business supports smart-card enumeration, which also confuses WinCrypt. Disabling Windows Hello smart card enumeration should resolve this.


Computer Configuration/Administrative Templates/Windows Components/Windows Hello for Business.

I found that in one case that wasn't enough and I also had to disable the specific cert in the Users/Personal store (later on the cert disappeared, so it might just take time).
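The workaround above comes down to finding which entries in the current user's Personal store point at a smart card key that no longer exists (the NTE_BAD_KEYSET "Keyset does not exist" failure that certutil -scinfo reported earlier in the thread) and removing them. The following PowerShell script is an added example, not code from WinCryptSSHAgent or from any commenter: it inventories Cert:\CurrentUser\My, records which key storage provider holds each private key, marks entries whose key handle cannot be opened as stale, and only removes those when explicitly asked, honouring -WhatIf. It assumes PowerShell 5.1 or later on Windows and that opening a key handle does not prompt for a PIN (the PIN is only needed when the key is used); the function names and the "Stale" heuristic are this example's own.

```powershell
# Added example (not part of WinCryptSSHAgent). Assumes Windows PowerShell 5.1+
# and that the smart card you actually use is inserted, so that only entries
# whose keyset is genuinely missing fail to open.

function Get-PersonalStoreKeyReport {
    [CmdletBinding()]
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $provider = $null
        $keyError = $null
        if ($cert.HasPrivateKey) {
            try {
                # Open the key handle (RSA first, then ECDSA) without using it.
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if (-not $key) {
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }
                # CNG keys expose a CngKey whose Provider.Provider is the KSP name,
                # e.g. "Microsoft Smart Card Key Storage Provider" as shown by certutil -scinfo.
                # Legacy CAPI keys have no .Key member, so $provider stays $null for them.
                if ($key -and $key.Key) { $provider = $key.Key.Provider.Provider }
            } catch {
                # Typically "Keyset does not exist" (NTE_BAD_KEYSET) for a stale mapping,
                # or a "card not present" style error if the matching card is unplugged.
                $keyError = $_.Exception.Message
            }
        }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Provider      = $provider
            SmartCardKey  = ($provider -like '*Smart Card*')
            KeyError      = $keyError
            Stale         = ($cert.HasPrivateKey -and $null -ne $keyError)
        }
    }
}

function Remove-StaleSmartCardCert {
    # Removes only entries whose private key handle could not be opened.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($entry in Get-PersonalStoreKeyReport -StorePath $StorePath | Where-Object Stale) {
        $path = Join-Path -Path $StorePath -ChildPath $entry.Thumbprint
        if ($PSCmdlet.ShouldProcess($path, "Remove '$($entry.Subject)' ($($entry.KeyError))")) {
            Remove-Item -Path $path
        }
    }
}

# Usage: inspect first, then dry-run, then remove.
Get-PersonalStoreKeyReport | Format-Table Thumbprint, Subject, SelfSigned, Provider, Stale, KeyError -AutoSize
# Remove-StaleSmartCardCert -WhatIf
# Remove-StaleSmartCardCert -Verbose
```

The report deliberately does not treat "self-signed on a smart card KSP" as suspicious on its own, because the working YubiKey certificate in the certutil output above is exactly that (Root Certificate: Subject matches Issuer, Microsoft Smart Card Key Storage Provider); only a key that cannot be opened at all is marked stale. Run the report with your card inserted, since an unplugged card also makes its key fail to open and would otherwise be removed by mistake. Entries that reappear after removal are the RDP-session and Windows Hello enumeration artefacts the comment above describes, so the group policy change is still needed to stop them coming back.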