Failed connecting to the YubiKey when launching App -> PIV on Windows 10

[nafetsreuab]

YubiKey Manager (ykman) version: 1.2.3 How was it installed?: Via https://developers.yubico.com/yubikey-manager-qt/Releases/yubikey-manager-qt-latest-win64.exe Operating system and version: Windows 10 PRO, 20H2 YubiKey model and version: Yubikey 5 NFC - Firmware 5.2.7

After launching YubiKey Manager (run as Administrator) and selecting Applications -> PIV i see:

Failed connecting to the YubiKey. Make sure the application has the required permissions.

I would expect to be able to manage Pin/Certs/... like in this screenshot:

https://www.yubico.com/wp-content/uploads/2021/01/YubiKeyManager_PIV_Screenshot.png

I tried several Keys (all 5 NFC). All show the same behavior. I tried also other computers, a virtual machine and a laptop. No change. I tried the latest windows 10 21H2. No change. The related windows services are all running:

SCardSvr ScDeviceEnum

On windows console (started as administrator) the following is logged:

ykman.exe piv info WARNING: PC/SC not available. Smart card protocols will not function. Error: No eligiable connections are available ([<class 'yubikit.core.smartcard.SmartCardConnection'>]).

Linux has no issues with the stick and i can manage PIV related stuff.

Please clarify if this is a known issue or other software is requiried.

[fdennis]

Could you clarify if you have tried on multiple physical computers (not a VM)?

[fdennis]

Furthermore, could you go to "Device Manager" (on a Win computer where you have this issue) and check the contents of "Smart card readers" and "Smart card"? Do you have any items under there? If yes, could you share what items?

[bauerstefan]

Could you clarify if you have tried on multiple physical computers (not a VM)?

Yes. Real (physical) Computers and virtual machines with same result.

[bauerstefan]

[bauerstefan]

[fdennis]

Does "WUDF" under "Smart card readers" disappear when you remove the YubiKey? Generally, when inserting a YubiKey, you should see "WUDF" under "Smart card readers" but you should also have a "Smart cards" entry in Device Manager. Looks like you don't have this entry.

[uc-msft]

I have the same issue on Windows 11. I bought two keys - 5C NFC and 5 NFC. If I insert the 5 NFC then everything appears fine in the device manager (WUDF & the smart card shows up) and the key is detected in Yubikey Manager. Now, if I unplug the 5 NFC and insert the 5C NFC then it will appear briefly in the Yubikey Manager and after that the key disappears & the error message about permissions show up. Note that I am running the app as administrator.

[dainnilsson]

@uc-msft so in your case, is it always the 5C that is problematic? Is that one showing up in the Device Manager (both as a Smart Card Reader, and as a Smart Card)? Are you only having trouble with it when used directly after the 5 NFC, or always?

[uc-msft]

@uc-msft so in your case, is it always the 5C that is problematic? Is that one showing up in the Device Manager (both as a Smart Card Reader, and as a Smart Card)? Are you only having trouble with it when used directly after the 5 NFC, or always?

Yes, it is the 5C that is problematic. 5C does show up briefly and the devices in Device Manager go to the disconnected state after few seconds. (If I use the 'show hidden devices' in Device Manager I can see the entries). I have trouble with the 5C always. On another laptop with Windows 10, I can use both the keys just fine.

[dainnilsson]

@bauerstefan, @uc-msft, I'm not sure what is causing this issue. It doesn't seem like it is related to YubiKey Manager per se, as the problem appears already in the Device Manager. What is clear is that there's a problem with accessing the YubiKey over PC/SC (smart card). I would suggest you both open Support tickets here: https://support.yubico.com/hc/en-us/requests/new and reference this thread for details. Maybe they've seen this issue before and know what to do.

[Vink03]

Hi, I have the same problems as @bauerstefan. I installed YubiKey Minidriver. But when I insert YubiKey 5 NFC (Firmware: 5.4.3) in USB slot I can see only Smart card reader under Device Manager. There is no Smart Card device. I try this on few business computers which are joined to domain (win10 20H2). The same behavior on all of them.

On home computer (also win10 20H2) the same YubiKey works OK. I can see Smart card readers and also Smart Card device under Device Manager.

On all computers Smart Card and Smart Card Device Enumeration Service services are running, when I inset YubiKey in USB slot.

Because of that I am not able to enrolle certificate to YubiKey. I get an error, that Smart Card is read-only.

Any suggestions?

[nafetsreuab]

It seems that microsoft does not really like 3rd-party hardware anymore for its pro/enterprise-customers and is going to rule out all options to work with 3rd-party smartcards.

We skipped our deployment of yubikeys and used the virtual-smarcard-service with the TPM2.0 chip on mainboard. This allows so simply upload and manages certificates in TPM. the virtual smartcard behaves almost like a real one (pin required..)

[Vink03]

Thank you for fast answer. We just buy few YubiKeys for tests. If they are not compatible with microsoft we will have to find other solution also.

Is there anyone who have no problems with like this on domain computers?

[nafetsreuab]

On long term i guess microsoft will block all kind of 3rd party security/authentication devices in favor of MS authenticator app and windows helo. time to move to linux ;)

[Vink03]

So you think there is no solution for this problem with YubiKey right now?

[dainnilsson]

@Vink03 I would suggest that you contact Yubico Support (https://support.yubico.com/hc/en-us/requests/new) as well if you haven't done so already. I know that there are many people using YubiKeys on Windows for many different use cases, and I'd be surprised if that doesn't include domain computers, but it's not something I myself have any experience with or knowledge about.

[Vink03]

I already opened case on Yuico Support, but progress of case is very slow. So I asked also here if someone can help.

[Vink03]

Hi, We prepared new PC (clean installation of Windows 10) and on this PC cert enrolment was successful.

[badiku]

no problem at win10, but same error on Windows Server 2022. OTP and FIDO work, PIV not work. Failed connecting to the YubiKey. Make sure the application has the required permissions.

there's a exclamation ! mark on Device Manager: Microsoft Usbccid Smart Cardreader UMDF2

Smart Card in services.msc not started. it stop soon after I start it .

[matthieu-bt]

Same issue here on Win10. badiku's comment helped me. The Windows service "Smart Card" needs to be started. When you start it, the service "Smart Card Device Enumeration Service" starts as well. (at first I had issues starting the services; I had to remove my Yubikey and close Yubikey Manager for them to start)

[yavko]

I have the same issue on Gnu/Linux, though Idk if I should be running with root permissions or not.

EDIT: its a 5c nfc EDIT: I just needed to start a daemon, i fixed it

[asheroto]

Same issue here

[jdesai61]

I have a Windows 11 Pro machine - same issue - running SmartCard service does not fix it. It is a YubiKEY 5 Nano. Same key works with another Windows 10 computer

[StefanD986]

Everyone who has the problem with exclamation mark and who has the device show up as Microsoft Usbccid Smart Cardreader (UMDF2) (the UMDF2 is important), this might solve the issue for you https://github.com/OpenSC/OpenSC/issues/2541#issuecomment-1285672570

[jdesai61]

My issue turned out to be that I was accessing the machine over Remote Desktop (because the machine is in the basement). Apparently, the SmartCard functionality works differently when machine is accessed using RDP. Another side issue turned out to be that during troubleshooting steps somehow SmartCard service became installed running as "LocalSystem" rather than "LocalService". Once I changed that and connected keyboard/monitor to the machine, I had no other issues.

[lilarcor]

same issue on mac client

[gitbock]

Had the same problem with the app. However, I was successful using the command line: PS C:\Program Files\Yubico\YubiKey Manager> .\ykman.exe piv certificates import 9a mycert.p12

• Windows 11 Pro
• PS run as administrator
• 3 x YubiKey 5 NFC
• Minidriver installed

Just sharing. I know the original issue is about the GUI.

[gaffneyd4]

I have the same issue on Gnu/Linux, though Idk if I should be running with root permissions or not.

EDIT: its a 5c nfc EDIT: I just needed to start a daemon, i fixed it

I believe the daemon referred to here is pcscd.

On Ubuntu 22.04.1 LTS (Jammy Jellyfish) (cat /etc/os-release) I experienced this error as well.

I fixed by doing:

sudo apt install pcscd
sudo systemctl enable pcscd
sudo systemctl start pcscd

Now I can access the piv application on the yubikey through yubikey-manager.

[andjo]

I had the same symptom with the GUI Manager (Applications -> PIV show connection failure, although already running as admin).

In my case it was caused by having loaded bad data in one of the slots using yubico-piv-tool.exe. I could identity the slot with yubico-piv-tool.exe -a status and resolve it with yubico-piv-tool.exe -s 9c -a delete-certificate.

After that the YubiKey Manager started to work as expected.

[mirao]

@gaffneyd4 I have the same issue in Ubuntu 22.10 with YubiKey 5 Nano. Your solution works, thanks.