Error Connecting To Smart Card
  • 04 Aug 2023


If you are enrolling a smart card and get through the PIN setup only to be presented with this error:
error connecting.jpg

you most likely have a configuration issue (the MFA service account or the IIS application pool) or an expired certificate somewhere (the CA certificate). This article walks through the most frequently seen causes, how to check each one, and how to fix it.

MFA Service Account

In the initial setup of your smart card environment, a service account should have been created for MFA. That account is the identity of the IIS application pool that runs the MFA apps, and it is also entered in the Admin Portal. Before checking either place, check the account itself: a password expiration, a lockout, or the account being disabled will break both.

IIS Server
The service account should be the identity of the appPool40 application pool in IIS.

  1. Log in to your IIS server. On the left-hand side, expand your server and click "Application Pools".
  2. You should see the application pool that runs the MFA apps listed with the service account as its identity. Right-click that app pool and select "Advanced Settings".
  3. Scroll down to the Process Model section. Verify that Identity is your service account and that Load User Profile = True. Click "OK" when you have finished verifying or setting this up. If the service account's password was reset, the pool credentials must be updated here as well; IIS does not pick up the new password on its own.
    iis pool - advSettings.png
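The two checks above (account health in AD, and the application pool identity in IIS) can be scripted. The following PowerShell is an added example, not part of the original article or the MFA product; the account name `svc-mfa` is a placeholder, the pool name `appPool40` is the one the article uses, and it assumes it is run on the IIS server with the RSAT ActiveDirectory module and the WebAdministration module available.

```powershell
# Added example (not from the original article): verify the MFA service account is
# healthy in AD and is the identity of the IIS app pool with Load User Profile enabled.
# Assumptions: 'svc-mfa' is a placeholder sAMAccountName; 'appPool40' is the pool name
# the article names; run on the IIS server with the ActiveDirectory and
# WebAdministration modules installed.
param(
    [string]$ServiceAccount = 'svc-mfa',   # placeholder
    [string]$AppPoolName    = 'appPool40'  # pool name from the article
)

Import-Module ActiveDirectory
Import-Module WebAdministration

# --- 1. Account state in AD: disabled, locked out or expired passwords all break the pool identity.
$acct = Get-ADUser -Identity $ServiceAccount -Properties Enabled, LockedOut, PasswordExpired,
    PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

$pwdExpires = if ($acct.PasswordNeverExpires) { 'never' }
              else { [datetime]::FromFileTime($acct.'msDS-UserPasswordExpiryTimeComputed') }

[pscustomobject]@{
    Account         = $acct.SamAccountName
    Enabled         = $acct.Enabled
    LockedOut       = $acct.LockedOut
    PasswordExpired = $acct.PasswordExpired
    PasswordLastSet = $acct.PasswordLastSet
    PasswordExpires = $pwdExpires
} | Format-List

# --- 2. IIS application pool: identity, Load User Profile and state.
$pool = Get-Item "IIS:\AppPools\$AppPoolName"
$pm   = $pool.processModel
$issues = @()
if ($pm.identityType -ne 'SpecificUser')       { $issues += "identityType is '$($pm.identityType)', expected SpecificUser" }
if ($pm.userName -notlike "*$ServiceAccount")  { $issues += "pool runs as '$($pm.userName)', expected $ServiceAccount" }
if (-not $pm.loadUserProfile)                  { $issues += 'Load User Profile is False' }
if ($pool.state -ne 'Started')                 { $issues += "pool state is '$($pool.state)'" }

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { "App pool '$AppPoolName' is running as $ServiceAccount with Load User Profile = True." }

# --- Fixes (uncomment as needed). Setting Load User Profile does not touch the credentials:
# Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel.loadUserProfile -Value $true
# After a password reset, re-enter the pool credentials and recycle the pool:
# Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel `
#     -Value @{ identityType = 'SpecificUser'; userName = "DOMAIN\$ServiceAccount"; password = '<new password>' }
# Restart-WebAppPool -Name $AppPoolName
```

A locked-out or password-expired result in the first part explains the error by itself; fix the account first, then re-run the second part, because the pool will keep failing until its stored credentials match the account again.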

 
Admin Portal
The same service account also needs to be entered in the Admin Portal. This step is easy to forget, and the entry can also have been removed since setup.

  1. In your MFA Admin Portal, go to the Methods tab.
  2. On the left-hand side, click on Active Directory.
  3. In the center pane, you should see your service account in place.
    sa_in_portal.png

If it is blank, click "Edit", fill in the service account credentials, and click "Save" when you are done. If the account's password was recently reset, the credentials stored here must be updated to match.


Certificate Authority

If your CA's certificate is expired, enrollments will not work. The steps below renew the CA certificate, whether it has already expired or is nearing its end. A related symptom is smart card enrollments or re-enrollments that are not given their full validity window: the CA never issues a certificate that outlives its own certificate, so a card's expiration is clamped to the CA certificate's expiration.

For example, if your CA certificate expires in 1 year but your card template is configured for 2 years, a re-enrollment will be valid for only 1 year, ending on the exact date the CA certificate expires, rather than 2 years from the enrollment date.
 

CA Certificate Renewal

  1. Open the Certification Authority console.
  2. Right-click your servername-CA > Properties > View Certificate. This shows the expiration date. Close the certificate when done.
    1. view ca cert.png
    2. view ca cert expiration.png
  3. Right-click your CA name again > All Tasks > Renew CA Certificate...
    3. renew.png
  4. Click "Yes" when asked to stop the certificate service; the CA cannot issue while it renews.
    4. confirm service stop.png
  5. When it asks whether to create a new key pair, select "No" and click "OK".
    5. no - old key pair.png
  6. Once it completes, repeat steps 1-2 to view the certificate and confirm there is a new certificate with a new expiration date. Renewing never extends the existing certificate: it always produces a new CA certificate, so renew before expiry to avoid an issuance outage. Because the existing key pair was kept, the CA's key does not change, so certificates and CRLs already issued remain verifiable against the new CA certificate and the CA continues to issue under it. The renewed certificate is still a new certificate, so confirm it reaches the same trusted root stores the old one was in (in a domain-joined environment this normally happens through Active Directory).
    6. view new ca cert.png
    7. view new expiration.png
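To see the truncation described in the Certificate Authority section before a card comes back short, and to run the renewal from the command line rather than the console, the following PowerShell is an added example that is not part of the original article. It assumes it runs elevated on the CA server, that `servername-CA` is a placeholder for the CA name shown in the console, and that the card template validity is 2 years as in the article's example; `certutil -renewCert ReuseKeys` is the command-line equivalent of steps 3-5 above.

```powershell
# Added example (not from the original article): report remaining CA certificate life,
# compute the validity a card enrolled today would actually receive, and show the
# certutil equivalent of renewing the CA certificate with the existing key pair.
# Assumptions: run elevated on the CA server; 'servername-CA' is a placeholder for the
# CA name shown in the console; 2 years is the article's example template validity.
param(
    [string]$CAName                = 'servername-CA',  # placeholder
    [int]   $TemplateValidityYears = 2
)

# The CA's own signing certificate lives in the machine Personal store with its private key.
# A CA that has been renewed before has several; take the one that expires last.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CAName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw "No CA certificate with a private key found for CN=$CAName" }

$now          = Get-Date
$daysLeft     = [math]::Floor(($caCert.NotAfter - $now).TotalDays)
$wantedExpiry = $now.AddYears($TemplateValidityYears)

# AD CS never issues a certificate that outlives the CA certificate: the issued NotAfter
# is clamped to the CA's NotAfter. This is why a 2-year card comes back with a 1-year life.
$effectiveExpiry = if ($wantedExpiry -gt $caCert.NotAfter) { $caCert.NotAfter } else { $wantedExpiry }

[pscustomobject]@{
    CA                  = $caCert.Subject
    Thumbprint          = $caCert.Thumbprint
    CANotAfter          = $caCert.NotAfter
    DaysLeft            = $daysLeft
    TemplateWantsExpiry = $wantedExpiry
    CardWillActuallyGet = $effectiveExpiry
    Truncated           = ($effectiveExpiry -lt $wantedExpiry)
} | Format-List

if ($daysLeft -le 0) {
    Write-Warning "CA certificate is expired; enrollments will fail until it is renewed."
} elseif ($effectiveExpiry -lt $wantedExpiry) {
    Write-Warning "Cards enrolled today would expire with the CA on $($caCert.NotAfter). Renew the CA certificate."
}

# Command-line equivalent of All Tasks > Renew CA Certificate... with "No" to a new key pair.
# ReuseKeys keeps the existing key, so already-issued certificates and CRLs still verify
# against the new CA certificate. It stops and restarts the CA service. Uncomment to run:
# certutil -renewCert ReuseKeys
# Afterwards, list the CA certificates and confirm a newer NotAfter appeared:
# Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like "CN=$CAName*" |
#     Sort-Object NotAfter | Format-Table Thumbprint, NotBefore, NotAfter
```

The `Truncated` field is the check to watch: when it is True, every card enrolled or re-enrolled now will carry the CA's expiration date rather than the template's, which is the symptom the section above describes.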

