I’ve recently been working on a project involving FIDO2.
While working on this project, I generated several FIDO2 keys on Windows Hello on my laptop (OS: Windows 10 Enterprise 22H2) using a non-admin account. I now have about 40. I've been looking for a way to delete them. The only way is apparently running these commands from an elevated PowerShell:
certutil -csp NGC -key
certutil -csp NGC -delkey <name>
The problem with this is that the store that contains the keys is user-specific, so when I use an elevated PowerShell, I don't see the keys for my non-admin account. I only see them using my non-admin account (from a non-elevated PowerShell), but I can't delete them from that account :).
I've been looking at this GitHub repo, which gives a simpler interface over that same certutil command. The problem is the same.
https://github.com/passwordless/webauthn-fido2-key-remover
I’m not sure how to get around this problem.
Any ideas would be appreciated.
Update 5 Dec 22:
Thanks to the comments, I learnt that there is an API for managing FIDO2 keys in Windows, but it's available only for Windows 11, starting from version 22H2. Google Chrome uses this to manage FIDO2 keys from the browser dev tools. This wasn't applicable for me though.
If you're on Windows 11 22H2 (the fall release), you can use Chrome 109 (chrome://settings/passkeys) to delete individual passkeys.
The solution I found was to ask for my non-admin account to be added to the Administrators group temporarily, just so I could run
certutil -csp NGC -delkey
from my account with admin privileges.
This allowed me to delete the FIDO2 keys. I hope the FIDO key management API is made available for Windows 10 too.
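As an added example (not from the question or the linked repo), the following PowerShell script puts the workaround above into one place: it checks that the session is elevated but still running as the account whose NGC store holds the keys, lists the `certutil -csp NGC -key` output, and deletes only the entries matching a caller-supplied pattern, with `-WhatIf` support. It assumes certutil prints each key container name on its own line; `$NamePattern` is a hypothetical parameter.

```powershell
# Added example, not the question's or the repo's code.
# Assumption: certutil prints each NGC key container name on its own line;
# other output lines are filtered out by the pattern the caller supplies.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$NamePattern   # regex, e.g. part of an rpId
)

$id   = [Security.Principal.WindowsIdentity]::GetCurrent()
$prin = New-Object Security.Principal.WindowsPrincipal($id)
$elevated = $prin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# The NGC key store is per user. A "Run as administrator" session that runs as a
# different (admin) account sees that account's store, not this one's, so the
# session must be elevated *as the same user* (e.g. temporary Administrators membership).
Write-Host "Running as $($id.Name); elevated: $elevated"
if (-not $elevated) {
    throw "certutil -delkey needs an elevated session running as $($id.Name)."
}

$raw = & certutil.exe -csp NGC -key 2>&1
if ($LASTEXITCODE -ne 0) { throw "certutil -key failed: $raw" }

$candidates = $raw |
    ForEach-Object { $_.ToString().Trim() } |
    Where-Object { $_ -and ($_ -match $NamePattern) } |
    Sort-Object -Unique

if (-not $candidates) {
    Write-Host "No NGC key names matched '$NamePattern'."
    return
}

foreach ($name in $candidates) {
    # -WhatIf / -Confirm are honoured here; a dry run deletes nothing.
    if ($PSCmdlet.ShouldProcess($name, "certutil -csp NGC -delkey")) {
        & certutil.exe -csp NGC -delkey $name | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "delete failed for $name" }
        else { Write-Host "deleted $name" }
    }
}
```

Run it first with `-WhatIf` to confirm the pattern matches only the key names you expect before letting it delete anything.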
Related
I've been trying to connect to an HDFS server protected by Kerberos for days.
I already have Kerberos for Windows installed here. And it shows me the valid/active ticket.
But when I run 'klist' at the prompt, I see no tickets.
If I run kinit at the prompt, it asks for my password and returns 'Authenticated to Kerberos v5' but still does not show me any klist ticket.
If I create a new ticket, using the prompt or the Kerberos GUI, it comes back showing me an active/valid ticket, but klist still does not.
I am trying to connect to HDFS using KerberosClient, but when I connect, somehow it does not "see" my active ticket (like klist), so I get a connection denial.
I've set up the KRB5_CONFIG and KRB5CCNAME system variables to the folder shown above.
What am I doing wrong?
Your system has two Kerberos libraries (MIT KfW & Windows SSPI) and two different klist tools:
the Windows klist.exe, which only shows the Windows LSA in-memory ticket cache that will be used by "Windows native" SSPI-based applications;
the MIT Kerberos klist.exe, which shows the file-based $KRB5CCNAME ticket cache that will be used by MIT "gssapi32.dll" GSSAPI-based applications.
(sometimes also the Java JRE klist.exe as well!)
If your HDFS client uses $KRB5CCNAME (e.g. if it uses GSSAPI via gssapi32.dll), then you need to run the MIT KfW klist.exe specifically. Use where.exe kinit to find out where it's located, then run it by full path.
On the other hand, if your HDFS client uses SSPI, then MIT KfW won't help you much – it can access tickets in the "MSLSA:" cache, but as far as I know it cannot put new tickets there. (It is possible to easily make SSPI acquire tickets for non-AD Kerberos services, but that's a different topic.)
I have completed testing of a freeipa instance in a lab. I'd like to export all of the SudoCommands that I have defined in the lab to the servers I intend to press into production.
I did an LDAP search to see if I could find an OU that had all of the commands & descriptions I configured in the lab (5 pages' worth), but found nothing. I performed an ipa-server-backup and sifted through that filesystem. The only reference I found to sudo was a couple of Berkeley databases for host groups and external commands, none of which had any entries.
Is anyone aware of where in the FreeIPA application the individual sudocommands are stored & how to access them? The CommandGroups & HostGroups I made are easy enough to regenerate by hand.
I found there was another CN on top of cn=sudo,$SUFFIX:
cn=sudocmds,cn=sudo,$SUFFIX
I need the certificate from my smart card to be in the Windows service local store. I opened the store with mmc -> snap-in -> certificates.
I used different little tools to see information (ATR etc.) about my smart card and they all worked out.
I can see a lot of certificates there, but the one from my smart card is missing in the store. The folder 'Smart Card Trusted Roots' is empty. Windows gets the .cer/.pfx data from smart cards automatically, right?
Or is there no chance I can do it without using low-level programming (APDU commands etc.)?
First read this:
http://technet.microsoft.com/en-us/library/ff404288(v=WS.10).aspx
As it's written there:
A logged-on user inserts a smart card.
CertPropSvc is notified that a smart card was inserted.
CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store.
So yes, generally certificates should pop up in the user's Personal certificate store automatically.
First thing to check is that you have the CertPropSvc service running.
Another thing I saw is that some smart card drivers don't work with the Windows API. One example I know was old RSA tokens. We changed them to Gemalto .NET cards and USB readers because of this.
Note: In the article I linked it's written that this is valid for Windows 7 and 2008, but it worked for me on XP and Vista.
What I'm trying to achieve is to log in from Linux to a Windows machine which is already being used by one user who should not be logged off, and the system should be working with both users simultaneously. I'm using krdc to connect to the Windows machine from Linux, which logs off the user when the other user logs in. Is there any other way to achieve my intention?
Thanks and Regards
You need to have the real Terminal Services installed. Usually Windows (Home, Professional, etc.) can be enabled to have Terminal Services, but only for a single session. If you install Terminal Services you will need to pay the license for users.
To allow multiple connections you should use VNC/TeamViewer (the simplest way to achieve what you want).
I am getting the following error when I use PowerShell cmdlets to connect to an Azure app:
Get-HostedService : Could not establish secure channel for SSL/TLS with authority ‘management.core.windows.net’.
Here are the links I followed:
http://msdn.microsoft.com/en-us/gg271300
http://wappowershell.codeplex.com/documentation
Based on my experience there could be two problems:
The certificate you are using is not able to create a secure SSL tunnel between your computer and the Windows Azure Management Portal and you get an error.
I have seen OS-specific problems related to SSPI and SCHANNEL in which the SSL tunnel could not be created.
I also think the first link you have has old info and does not help in most cases. Let's try to solve the first problem, which is very easy. I am writing below on the understanding that you have the PowerShell cmdlets installed on your machine:
First download the publishsettings file from your Windows Azure portal as described here.
Now open your Windows PowerShell for Windows Azure Cmdlets (in admin mode).
After that enter these PowerShell commands directly:
PS > Import-Subscription <include your _filename_.publishsettings here>
PS > Select-Subscription <Enter The _name_of_your_subscription which will be listed after you run above command (Note - **SubscriptionName** is needed here>
PS > Get-HostedService <This should list all of services in your subscription>
Now you can manage the subscription from the PowerShell cmdlets.
If you still have problems please let me know and I will provide info on 2).
Can you please file a bug for this here: http://github.com/WindowsAzure/azure-sdk-tools
The error message back from PowerShell should be friendlier in this case.
Also, you can now use Add-AzureAccount to obtain credentials rather than having to download and import a publishsettings file.