Diagnose Workforce Access Client Unlock Failure Due to an Expired Certificate on Windows


Product: Workforce Access Client (Windows)

Applicable Version(s): All

Two methods can be used to diagnose whether or not a Windows unlock attempt via HYPR Workforce Access Client has failed due to an expired certificate.

Obtain the KSP Logs

  1. Open regedit on the affected workstation.

  2. Navigate to HYPR registry record Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{C822931E-86C5-4482-85C1-049523A13A09}.

    Create a new registry Key (String/Value) called HyprKspLogFile and provide a path to the file, e.g., C:\Program Files\HYPR\Log\HyprKsp.log.

  3. Restart the HYPR Windows service or reboot to enable the changes.

  4. The log file will show the total time for certificate revocation checks and account checks (disabled/deleted). Search for revocation and you'll find where it's doing the checks.

    • Look for KSPCertUtils_IsCertificateExpired, indicating the certificate has expired

    • If it’s there with a recent timestamp, the affected user(s) will need to re-enroll

Unlock Failed Due to Expired Cert

  1. Run the following command substituting the path value to the KSP log file, as shown in Step 2, above:

    certutil -v -template <value in the Certificate Template in Regedit>
  2. In the results, look for the following and determine the certificate's expiration:

  3. To look for additional certificates, run the following command and look for any certificates that start with HYPR:

    certutil -v -template
  4. Call the above code.

    certutil -v -template <HYPR Cert from calling certutil -v -template>


Version Date Comment
Current Version (v. 4) Apr 15, 2022 12:00 Khedron de León
v. 3 Mar 22, 2022 23:00 John Certo
v. 2 Mar 02, 2022 21:22 Edward Poon
v. 1 Oct 30, 2021 16:21 Edward Poon
Was this article helpful?
0 out of 0 found this helpful