Product: Workforce Access Client (Windows)
Applicable Version(s): All
Two methods can be used to diagnose whether or not a Windows unlock attempt via HYPR Workforce Access Client has failed due to an expired certificate.
Obtain the KSP Logs
-
Open regedit on the affected workstation.
-
Navigate to HYPR registry record
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{C822931E-86C5-4482-85C1-049523A13A09}.Create a new registry Key (String/Value) called
HyprKspLogFileand provide a path to the file, e.g.,C:\Program Files\HYPR\Log\HyprKsp.log.
-
Restart the HYPR Windows service or reboot to enable the changes.
-
The log file will show the total time for certificate revocation checks and account checks (disabled/deleted). Search for revocation and you'll find where it's doing the checks.
-
Look for
KSPCertUtils_IsCertificateExpired, indicating the certificate has expired -
If it’s there with a recent timestamp, the affected user(s) will need to re-enroll
-
Unlock Failed Due to Expired Cert
-
Run the following command substituting the path value to the KSP log file, as shown in Step 2, above:
certutil -v -template <value in the Certificate Template in Regedit>
-
In the results, look for the following and determine the certificate's expiration:
-
To look for additional certificates, run the following command and look for any certificates that start with HYPR:
certutil -v -template
-
Call the above code.
certutil -v -template <HYPR Cert from calling certutil -v -template>
| Version | Date | Comment |
| Current Version (v. 4) | Apr 15, 2022 12:00 | Khedron de León |
| v. 3 | Mar 22, 2022 23:00 | John Certo |
| v. 2 | Mar 02, 2022 21:22 | Edward Poon |
| v. 1 | Oct 30, 2021 16:21 | Edward Poon |