Product: Workforce Access Client (Windows)
Applicable Version(s): All
Two methods can be used to diagnose whether or not a Windows unlock attempt via HYPR Workforce Access Client has failed due to an expired certificate.
Obtain the KSP Logs
Open regedit on the affected workstation.
Navigate to HYPR registry record
Create a new registry Key (String/Value) called
HyprKspLogFileand provide a path to the file, e.g.,
Restart the HYPR Windows service or reboot to enable the changes.
The log file will show the total time for certificate revocation checks and account checks (disabled/deleted). Search for revocation and you'll find where it's doing the checks.
KSPCertUtils_IsCertificateExpired, indicating the certificate has expired
If it’s there with a recent timestamp, the affected user(s) will need to re-enroll
Unlock Failed Due to Expired Cert
Run the following command substituting the path value to the KSP log file, as shown in Step 2, above:
certutil -v -template <value in the Certificate Template in Regedit>
In the results, look for the following and determine the certificate's expiration:
To look for additional certificates, run the following command and look for any certificates that start with HYPR:
certutil -v -template
Call the above code.
certutil -v -template <HYPR Cert from calling certutil -v -template>
|Current Version (v. 4)||Apr 15, 2022 12:00||Khedron de León|
|v. 3||Mar 22, 2022 23:00||John Certo|
|v. 2||Mar 02, 2022 21:22||Edward Poon|
|v. 1||Oct 30, 2021 16:21||Edward Poon|