Troubleshoot Smart Card Reader and Portal Extension Issues

An end user might have multiple certificates corresponding to the same account in their user store. This usually happens after a device was replaced or renewed. When that happens, all those certificates may be offered for authentication, which can be confusing.

Tip

Remove older certificates to help avoid this issue

Clean the Local Certificate Store on MacOS

You must use the command line to unpair the smart card. See Apple's Advanced smart card options on Mac article for details.

Clean the Local Certificate Store on Windows

Verify the following procedure with official Microsoft documentation.

1. On the "faulty" machine, sign on with the account experiencing the issue

2. Press the Windows and R keys together, then type certmgr.msc to open the certmgr console

3. Click OK

4. In the Certificate User Store, expand Personal > Certificates

5. Search through the list of certificates and locate the certificates corresponding to the signed-in user

   • There must be at least two certificates to perform this procedure.

6. In the Details, write down each serial number

7. On the same machine, ensure the device is inserted and disconnect every other device from the machine

8. Open a command line and run certutil -SCInfo to determine the serial number of the certificate

Warning

Do not write down or take note of any serial numbers corresponding to the root chain (the issuing and root CAs)

9. In the certmgr console, delete all duplicate certificates that do not match the certificate

10. Remove and reinsert the user's device, then wait few seconds

11. Right-click the Certificates folder

12. Click Refresh

13. Once the console refreshes, there should no longer be any duplicate serial numbers

If the Axiad Portal Extension Icon is Orange

An orange icon indicates that the portal you're connecting to is not safelisted.

Manually Trust the Site (Short-Term Solution)

1. Click the Axiad Portal Extension icon

2. In the dialog box displays, select ALWAYS to trust the URL and never ask again, or select ALLOW to trust the URL once, and ask for verification again next time

3. Refresh the page

4. The icon turns green, and you can now manage devices

Check Your Trusted Sites List

Check which sites are trusted (manually beforehand, or automatically pushed by your organization's IT department) for typos or misconfigurations.

1. Right-click the extension icon

2. Select Extension options

3. Confirm the portal URL is listed under Whitelist

If the Axiad Portal Extension Icon is Red

A red icon indicates that the portal you're connecting to is not safelisted, and you are not allowed to change it to a safelisted site per your organization's policy. The environment is locked down and misconfigured.

Note

If you do not have permissions to modify your HKEY_LOCAL_MACHINE registry, then contact your IT department

Add a Site to Your Trusted Sites List

1. Locate the following entry to verify that the site is not added to the list:

[HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\3rdparty\extensions\pbabkmdefcmabmlmnkmnlcijhcgmmdnc\policy]

; Controls whether or not the user may influence the whitelist.
;
; If true (1), limit the user to only hosts whitelisted ahead of time.
; If false (0), let the user approve or deny access to any host not whitelisted
; ahead of time.
;
"noedit"=dword:00000000

2. Add an entry with the URL to your portal

Example:

[HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\3rdparty\extensions\pbabkmdefcmabmlmnkmnlcijhcgmmdnc\policy\whitelist]

 ; Provides a preseeded whitelist of hosts that the WebPCSC Bridge will trust
 ; automatically.
 ;
 ; Create values of type REG_SZ numbering from 1 to N for as many entries as you
 ; desire.
 ;
 "1"="portal-<stack>.cloud.axiadids.net"

Note

The example above is listed for Google Chrome, but it works the same for Edge Chromium with the path [HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\3rdparty\extensions\pbabkmdefcmabmlmnkmnlcijhcgmmdnc\policy\whitelist]

Should be instead:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\3rdparty\extensions\pbabkmdefcmabmlmnkmnlcijhcgmmdnc\policy\whitelist]

Also there is a dedicated Edge extension known with another ID (jji... instead of pba...) which will be:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\3rdparty\extensions\jjilfdljambeacgjgnkhjhpiijgjddjl\policy\whitelist]

Sometimes the registry gets corrupted, and the smart card is not detected correctly. It is linked to the smart card information stored in the registry. When it happens, the device cannot be used anymore until it is purged from the entry listed below, even a reboot will not change that. This issue is more frequent with Windows 10 build released prior to build 1809 (released on 2019-03-28). Since build 1809, the occurrence of that problem has been much less frequent.

Refresh the Registry on MacOS

You must use the command line to unpair the smart card. See Apple's Advanced smart card options on Mac article for details.

Refresh the Registry on Windows

Verify the following procedure with official Microsoft documentation.

1. On the faulty machine, log in with an admin account if possible

   • If an admin account is not available, access the user's session and elevate your privileges to an administrator level

2. Unplug the user's device from the machine

3. Press the Windows and R keys together to open a Run window, and type services.msc

4. Click OK

5. On the Service console, right-click the Smart Card service and select Stop

6. Press the Windows and R keys together, then type regedit

7. Click OK

8. On the registry, navigate to the Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > Calais > Cache folder

9. In the right panel, right-click Cache and select Delete

10. Back in the Services console, right-click the Smart Card service

11. Select Start and wait for the status to change to Running

12. Log off as administrator, or close the Regedit and Services consoles

13. Reinsert the device and sign on