Troubleshoot Smart Card Reader and Portal Extension Issues
  • 28 Apr 2023

An end user might have multiple certificates corresponding to the same account in their user store. This usually happens after a device was replaced or renewed. When that happens, all those certificates may be offered for authentication, which can be confusing.

TIP
Remove older certificates to help avoid this issue.

Clean the Local Certificate Store on macOS

You must use the command line to unpair the smart card. See Apple's Advanced smart card options on Mac article for details.

Clean the Local Certificate Store on Windows

Verify the following procedure with official Microsoft documentation.

  1. On the "faulty" machine, sign on with the account experiencing the issue.
  2. Press the Windows and R keys together, then type certmgr.msc to open the certmgr console.
  3. Click OK.
    The Certificate User Store opens.
  4. Expand Personal > Certificates.
  5. Search through the list of certificates and locate the certificates corresponding to the signed-in user.
    There must be at least two certificates to perform this procedure.
  6. Details, and write down each serial number.
  7. On the same machine, ensure the device is inserted.
  8. Disconnect every other device from the machine.
  9. Open a command line and run certutil -SCInfo to determine the serial number of the certificate.
    WARNING
    Do not write down or take note of any serial numbers corresponding to the root chain (the issuing and root CAs). 
  10. In the certmgr console, delete all duplicate certificates whose serial number does not match the certificate reported by certutil -SCInfo.
  11. Remove and reinsert the user's device, then wait a few seconds.
  12. Right-click the Certificates folder.
  13. Click Refresh.
    The console refreshes and there should no longer be any duplicate serial numbers.
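
The serial-number comparison in steps 5 through 10 can also be done from PowerShell. This is an added example, not part of the original article or of Axiad's tooling; the function name Get-StaleUserCertificate is hypothetical, and it assumes the duplicates carry the same Subject as the certificate on the device.

```powershell
# Added example (not from the original article). Lists certificates in the
# current user's Personal store that duplicate the smart card certificate.
function Get-StaleUserCertificate {
    [CmdletBinding()]
    param(
        # End-entity serial number copied from the `certutil -SCInfo` output.
        # Never pass an issuing or root CA serial here.
        [Parameter(Mandatory)]
        [string]$CardSerial
    )

    # certutil and certmgr may print the hex with spaces; strip separators.
    $wanted = ($CardSerial -replace '[\s:]', '').ToUpperInvariant()
    if ($wanted -notmatch '^[0-9A-F]+$') {
        throw "CardSerial must be a hexadecimal serial number."
    }

    $store   = @(Get-ChildItem -Path Cert:\CurrentUser\My)
    $current = @($store | Where-Object { $_.SerialNumber -eq $wanted })
    if ($current.Count -eq 0) {
        throw "Serial $wanted is not in Cert:\CurrentUser\My. Insert the device and retry."
    }

    # Assumption: stale duplicates carry the same Subject as the card certificate.
    $store |
        Where-Object { $_.Subject -eq $current[0].Subject -and $_.SerialNumber -ne $wanted } |
        Select-Object Subject, SerialNumber, NotBefore, NotAfter, Thumbprint, PSPath
}

# Review the output first, then preview the removal of the stale entries:
#   Get-StaleUserCertificate -CardSerial $serial |
#       ForEach-Object { Remove-Item -Path $_.PSPath -WhatIf }
```

The function only reports; nothing is deleted until the Remove-Item line is run without -WhatIf.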

If the Axiad Portal Extension Icon is Orange

An orange icon indicates that the portal you're connecting to is not safelisted.

Manually Trust the Site (Short-Term Solution)

  1. Click the Axiad Portal Extension icon.
    A dialog box displays.
  2. Select ALWAYS to trust the URL and never ask again, or select ALLOW to trust the URL once, and ask for verification again next time.
  3. Refresh the page.
    The icon turns green, and you can now manage devices.

Check Your Trusted Sites List

Review the list of trusted sites, whether added manually beforehand or pushed automatically by your organization's IT department, for typos or misconfigurations.

  1. Right-click the extension icon.
  2. Select Extension options.
  3. Confirm the portal URL is listed under Whitelist.

If the Axiad Portal Extension Icon is Red

A red icon indicates that the portal you're connecting to is not safelisted, and you are not allowed to change it to a safelisted site per your organization's policy. The environment is locked down and misconfigured.

NOTE
If you do not have permissions to modify your HKEY_LOCAL_MACHINE registry, contact your IT department.

Add a Site to Your Trusted Sites List

  1. Locate the following entry to verify that the site is not added to the list:
    [HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\3rdparty\extensions\pbabkmdefcmabmlmnkmnlcijhcgmmdnc\policy]
    
    ; Controls whether or not the user may influence the whitelist.
    ;
    ; If true (1), limit the user to only hosts whitelisted ahead of time.
    ; If false (0), let the user approve or deny access to any host not whitelisted
    ; ahead of time.
    ;
    "noedit"=dword:00000000
  2. Add an entry with the URL to your portal.
    Example:
    [HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\3rdparty\extensions\pbabkmdefcmabmlmnkmnlcijhcgmmdnc\policy\whitelist]
    		
     ; Provides a preseeded whitelist of hosts that the WebPCSC Bridge will trust
     ; automatically.
     ;
     ; Create values of type REG_SZ numbering from 1 to N for as many entries as you
     ; desire.
     ;
     "1"="portal-<stack>.cloud.axiadids.net"
    	
    NOTE
    The example above is listed for Google Chrome, but it works the same for Edge Chromium with the path [HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\3rdparty\extensions\pbabkmdefcmabmlmnkmnlcijhcgmmdnc\policy\whitelist].
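
To check the policy values from the two registry entries above without opening regedit, the following PowerShell reads them and reports whether a portal host is listed. This is an added example, not part of the original article; the function name Test-PortalSafelist is hypothetical, the icon colour is predicted from the descriptions in this article, and the near-miss check assumes entries are bare host names as in the example above.

```powershell
# Added example (not from the original article). Reads the extension policy
# shown above and reports whether a portal host is preseeded.
function Test-PortalSafelist {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$PortalHost,
        # Chrome policy key from this article; pass another key for other browsers.
        [string]$PolicyKey = 'HKLM:\Software\Policies\Google\Chrome\3rdparty\extensions\pbabkmdefcmabmlmnkmnlcijhcgmmdnc\policy'
    )

    $noedit  = 0
    $entries = @()
    if (Test-Path $PolicyKey) {
        $noedit = [int](Get-Item $PolicyKey).GetValue('noedit', 0)
    }
    $listKey = "$PolicyKey\whitelist"
    if (Test-Path $listKey) {
        $key = Get-Item $listKey
        $entries = @($key.GetValueNames() | ForEach-Object {
            [pscustomobject]@{ Name = $_; Host = [string]$key.GetValue($_) }
        })
    }

    $exact = @($entries | Where-Object { $_.Host -eq $PortalHost })
    # Near misses: stray whitespace, a scheme prefix or a trailing path.
    $near = @($entries | Where-Object {
        $_.Host -ne $PortalHost -and
        (($_.Host.Trim() -replace '^https?://', '' -replace '/.*$', '') -eq $PortalHost)
    })

    # Only policy-pushed entries are visible here; hosts the user approved
    # with ALWAYS are kept by the extension, not in this key.
    $icon = 'orange'
    if ($exact.Count -gt 0) { $icon = 'green' } elseif ($noedit -ne 0) { $icon = 'red' }

    [pscustomobject]@{
        PortalHost   = $PortalHost
        NoEdit       = [bool]$noedit
        Listed       = $exact.Count -gt 0
        NearMisses   = $near.Host
        ExpectedIcon = $icon
    }
}

# Replace <stack> with your own stack name, as in the registry example above.
Test-PortalSafelist -PortalHost 'portal-<stack>.cloud.axiadids.net'
```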

Sometimes the smart card information stored in the registry becomes corrupted, and the smart card is not detected correctly. When this happens, the device cannot be used until it is purged from the entry listed below; even a reboot does not change that. This issue is more frequent with Windows 10 builds released prior to build 1809 (released on 2019-03-28). Since build 1809, the problem has occurred much less frequently.

Refresh the Registry on macOS

You must use the command line to unpair the smart card. See Apple's Advanced smart card options on Mac article for details.

Refresh the Registry on Windows

Verify the following procedure with official Microsoft documentation.

  1. On the faulty machine, log in with an admin account if possible.
    If an admin account is not available, access the user's session and elevate your privileges to an administrator level.
  2. Unplug the user's device from the machine.
  3. Press the Windows and R keys together to open a Run window, and type services.msc.
  4. Click OK.
    The Services console opens.
  5. Right-click the Smart Card service and select Stop.
  6. Press the Windows and R keys together, then type regedit.
  7. Click OK.
    The registry opens.
  8. Navigate to the Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > Calais > Cache folder.
  9. In the right panel, right-click Cache and select Delete.
  10. Back in the Services console, right-click the Smart Card service. 
  11. Select Start and wait for the status to change to Running.
  12. Log off as administrator, or close the Regedit and Services consoles. 
  13. Reinsert the device and sign on.
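
Steps 3 through 11 can be run from an elevated PowerShell session with the device unplugged. This is an added example, not part of the original article; the function name Reset-SmartCardCache and the backup location are hypothetical, and the registry export before deletion is an extra precaution that the manual procedure does not include.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Scripted form of the cache
# purge above, with a registry export taken before the key is deleted.
function Reset-SmartCardCache {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Hypothetical backup location; any writable folder works.
        [string]$BackupDir = $env:TEMP
    )

    $cacheKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\Cache'
    $service  = 'SCardSvr'   # service name behind the "Smart Card" display name

    if (-not (Test-Path $cacheKey)) {
        Write-Warning 'Calais\Cache not found; nothing to purge.'
        return
    }

    if ($PSCmdlet.ShouldProcess($cacheKey, 'Stop Smart Card service, back up and delete key')) {
        Stop-Service -Name $service -Force

        $backup = Join-Path $BackupDir ('CalaisCache-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
        & reg.exe export 'HKLM\SOFTWARE\Microsoft\Cryptography\Calais\Cache' $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Start-Service -Name $service
            throw 'Backup failed; the cache key was left untouched.'
        }

        Remove-Item -Path $cacheKey -Recurse
        Start-Service -Name $service
        (Get-Service -Name $service).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

        [pscustomobject]@{
            Backup        = $backup
            ServiceStatus = (Get-Service -Name $service).Status
        }
    }
}

# Preview first, then run for real:
#   Reset-SmartCardCache -WhatIf
#   Reset-SmartCardCache
```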
