Nitrokeys -- Nothing works

Recently i purchased Nitrokeys : FIDO2, Pro 2 and HSM keys.
By the way, I am still waiting for receiving the HSM keys (ordered 1 month ago).

I would like to use some of them for 2FA Windows session Logon, and some other usage.
I spent a few days reading hundreds of pages of documentation, typing thousands of commandlines,
installing many “third party software” : nothing works !
Really, as a senior software engineer, i feel completely lost.
I am really a beginer when it comes to use “security usb keys” and PKI infrastructures in general,
so, this probably explains that, but i feel the documentation is too messy and lacks important notes
in order to really be able to take advantage of this hardware quickly and flawlessly.

Now all i am dreaming for is : is it possible to benefit from a training or at least exchange a call with
someone with a solid technical background in this field ?
As i encountered difficulties getting started with Nitrokeys, I could explain which steps were difficult
for me and it would benefit other end users, well, most probably.
Kind regards,
Nicolas Lemmer

Hello Nicolas,

  1. Please ask us over support@nitrokey.com about your order (with the order/invoice id).
  2. Sorry to hear documentation was confusing. We are working on making it clear and straightforward, so that setup would not require support forum or email queries, and will be happy to hear feedback from the “fresh” users. Can you list:
    • what have you tried already?
    • what guides/materials have you used?
  3. Before considering training / direct call, can we discuss here first the trouble you had? Perhaps listing them would allow us to help you quicker and correct the guides. Feel free to make multiple threads on the forum (each topic separately that is) - we have many experienced users here which could help faster knowing the symptoms from their own work.

Best regards,
Szczepan

Hello Dear Szczepan,
When i bought the FIDO2 and Pro2 keys, my goal was to use them for 2FA Windows session Logon.
Later on, i understood that the FIDO2 is not meant for that.
That leaves me with the Pro2, which is supposed to emulate a smart card reader, which Windows system can use in order to achieve 2FA Windows session logon.
Meaning : a user should type in his password and insert the Nitrokey “Pro2” in order to login to a Windows Session. Without one of them : it should be impossible to log in.
I would love that this function works on a standalone Windows 10 Desktop, without any ActiveDirectory involved, but after hours of readings, it seems that it is mandatory to have a Windows Server running with AD and also the “Certificate Authority” service configured, up and running.
So, I installed Windows Server 2016 on a (rather old & rather slow) server, configured the AD and “Certificate Authority” services.
Well, i did it reading the documentation provided by Nitrokey & third party partners.
But after hours of effort, as i mentionned : nothing works !
I fail to upload a certificate to the Nitrokey Pro2, I fail to configure the AD Server to manage my certificate,
the third party software do not reckognize the NitroKey Pro2 on the server side (most of the times, not always) … well it would take me hours to write down everything i tested …

So, here are my questions :

  1. do you confirm that the Nitrokey Pro2 can be used in order to achieve 2FA Windows session Logon ?
  2. is it possible or not to use Nitrokey Pro2 for 2FA Windows session Logon on a standalone Windows 10 Desktop PC (without AD) ?
  3. where can your customers find working / usable/ tested / up to date / documentation, enabling them to
    achieve such a simple goal from scratch without having to spend hundreds of hours ?

Kind regards,
Nicolas Lemmer

Edit : I would still dream to exchange a call with a technical oriented person from Nitrokey : is it possible ?

Hello Nicolas,

Thank you for the elaboration. I am sorry this made so much trouble for you. Please write to our support email asking about calls, and linking this thread.

  1. Indeed FIDO2 turned out to not be available in the Windows 10 standalone login. Initially there were some news about that, but it never happened. I do not see any technical limitations here, and especially while similar solutions for Linux using FIDO2 are already available AFAIK, I guess this is related to OS vendor policy.
  2. Smart card based login (e.g. with Nitrokey Pro) should be possible without AD. See below.

Regarding direct questions:

  1. According to the below this should be possible with a standalone setup, and was confirmed by the person writing the guide. I have not tested this myself.
  2. I did not catch the difference with the first question. Can you elaborate? If you meant AD there, I am not sure smart card can be used with it - I think rather not.
  3. All modern documentation is stored on below link, and is supposed to be current and tested:

Best regards,
Szczepan

Dear Szczepan,
Thank you for your reply.
I already visited Login With EIDAuthenticate on Stand Alone Windows Computers — Nitrokey Documentation and confirm it really did not work for me.
First of all, in order to use EIDAuthenticate : you have to pay.
But before i spend some money, i just checked the documentation page " Test the presence of a minidriver or a CSP" : all i needed to to is : installing OpenSC and software from Nitrokey, and then issue (from a command prompt) :
certutil -scinfo

Problem is : what i get is a “negative test”, the “smartcard reader” emulation software from Nitrokey seems to lack some kind of compatibility because the “Card” line is empty.
So it behaves like a smartcardreader without card.
Here is the webpage : Test the presence of a minidriver or a CSP - My Smart Logon

I asked “MySmartLogon” if i can get a trial version of the “enterprise edition” of EIDAuthenticate,
some weeks ago, but so far i did not get any reply.
Is this company still alive ? I don’t know …

It would be great if your company could offer a standalone system, NitroKeyPro + Nitrokey Drivers + Nitrokey software, it would absolutely change everything !!!

Kind regards,
Nicolas Lemmer

Dear Szczepan,
About the Nitrokey Pro 2 : when I install the OpenPGP-MiniDriver (from SmartLogon), and then i insert my Nitrokey Pro 2, it is not recognized as an “OpenPGP Minidriver for Smartcard”, but as a generic Microsoft “Smartcard Reader Microsoft Usbccid / WUDF”. So i guess the minidriver (from SmartcardLogon) does not work properly on Windows 10 Pro (latest version).
Again : it would be great that your company could provide a “minidriver” for the hardware you are selling.
It would greatly enhance user experience.
If the Nitrokey Pro could appear as a “Smart Card Reader NitroKey Pro” under windows, it would really make sense !! :slight_smile:
Kind regards,
Nicolas

Dear Nicolas,

For Nitrokey Pro you need OpenPGP-CSP minidriver, not the OpenSC one. See below for the binaries:

I see in the second post, that you successfully connected to it. For the operation the name does not matter here (it’s a general OpenPGP driver), and certutil should list the device properly.

I have asked to update the guide regarding the availability of the EIDAuthenticate software, and to check whether the former still current:

According to the https://github.com/vletoux/OpenPGP-CSP page, it seems that it should be possible to configure the log in process without any additional software. I believe you have seen that already though, and was not working for you. Can you confirm?

Please feel free to look into this ticket or supply propositions for corrections (or to any page of the documentation through the Request docs change button at the bottom of the page)

I agree, it would be great indeed! I will push this proposition to improve the Windows 10 login process inside the company, however I can not promise anything at the moment, as we are currently occupied with the Nitrokey 3 development.

Best regards,
Szczepan