Error Connecting To Smart Card

If you are enrolling a smart card and get through the PIN setup only to be presented with this error

you might have a configuration issue or an expired certificate somewhere. This article will walk through checking the most frequently seen causes and how to fix them.

MFA Service Account

In the initial setup of your smart card environment, you should have had a Service Account created for MFA that is running IIS and setup in the Admin Portal. You may also need to check if anything like a password expiration or lockout has happened to the service account.
 

IIS Server
The service account should be running the appPool40 in IIS.

1. Log in to your IIS server. On the left-hand side, expand your server and click "Application Pools".
2. You should notice a service account running the app pool running the MFA apps. Right-click the app pool/user and select "Advanced Settings".
3. Scroll down to the Process Model section. Verify that Identity is your service account with Load User Profile = True. Click "OK" when you've finished verifying or setting this up.
   

 
Admin Portal
The same service account needs to be loaded into the Admin Portal, a step that can be forgotten or it's somehow been removed.

1. In your MFA Admin Portal, go the Methods tab.
2. On the left-hand side, click on Active Directory.
3. In the center pane, you should see your service account in place.
   

If it's blank, click "Edit" to fill in the SA credentials and click "Save" when you are done.

Certificate Authority

If your CA's certificate is expired, enrollments will not work. These steps can be used to renew your CA cert if it is expired or nearing its end. If you notice your smart card enrollments/re-enrollments are not being set to their proper window of time, it's because card expirations cannot go past that of the CA cert.

i.e. If your CA cert is expiring in 1 year but your card template is designed for 2 years, a re-enrollment will only be set for 1 year, reflecting the exact date the CA cert will expire instead of 2 years time from the date of enrollment.
 

CA Certificate Renewal

1. Open up your Certificate Authority.
2. Right-click on your servername-CA > Properties > View Certificate. This will show you the expiration date. You can click out of it when done.

3. Right-click your CA name again > All Tasks > Renew CA Certificate...
   

Click "Yes".

4. When it asks if you would like to create a new key pair, select "No" and click "OK".
   

5. Once it's complete, you can re-follow Steps 1-2 to view your new certificate and see that there's a new certificate with a new expiration date. When you renew, there will always be a new certificate. A root CA certificate cannot be renewed once expired. We can only generate a new CA certificate, but when created using the existing key pair, it can be used to sign existing server certificates from there on out.