Background

The HYPR Workforce Access client uses a Windows credential provider to perform X.509 certificate-based client authentication, logging the user in to the Windows desktop without a password. Microsoft documentation refers to this as "smart card logon," because this type of authentication is typically associated with physical cards such as the CAC and PIV cards used by the US federal government. In the case of HYPR Workforce Access, the smart card is virtual.

Microsoft Certificate Services must be properly configured to ensure Workforce Access can function properly.

Issue Description

If the HYPR Mobile App spins and/or times out during a desktop authentication, the cause may be a misconfiguration of Microsoft Certificate Services. Open Event Viewer on the client desktop (click Start, type "Event Viewer" into the search box, and click the result) and look for the following conditions:

  • Under Windows Logs > Security, look for a failed logon reporting the error The request is not supported with status Reported authentication failure. Status=0xC00000BB

  • In the Kerberos event logs on the workstation, the following error may appear when the user attempts to log on:

    0x10 - KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type
    Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted. For Workforce Access it usually means the domain controller that answered the workstation has no certificate it can use for smart card logon, which the Resolution below addresses.

Known Error Codes: Status=0xC00000BB or 0x10 - KDC_ERR_PADATA_TYPE_NOSUPP
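The two symptoms above can be pulled from the workstation's event logs with PowerShell instead of browsing Event Viewer by hand. The script below is an added example and is not part of this article or of the HYPR product. It assumes the desktop failure is recorded as Security event 4625 ("An account failed to log on"), whose EventData carries the Status field (0xC00000BB is STATUS_NOT_SUPPORTED), and that the Kerberos client writes its error events to the System log under the Microsoft-Windows-Security-Kerberos provider; that second query only returns results if Kerberos event logging has been enabled on the workstation (LogLevel=1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters). Run it as Administrator, since reading the Security log requires elevation.

```powershell
# Added example (not from the HYPR article): find the two error conditions
# described above on the client desktop. Run in an elevated PowerShell.
#
# Assumptions not stated in the article:
#  - the failed desktop logon is Security event 4625; its EventData Status
#    field holds 0xC00000BB (STATUS_NOT_SUPPORTED, "The request is not supported")
#  - Kerberos client errors are in the System log from the provider
#    Microsoft-Windows-Security-Kerberos, which only logs when Kerberos event
#    logging is enabled (Kerberos\Parameters LogLevel = 1)

$Since = (Get-Date).AddHours(-2)     # narrow to the window of the failed attempt

function Get-SmartCardLogonFailure {
    param([datetime]$StartTime = $Since)

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        # Read EventData by field name instead of scraping the rendered message,
        # which is localized and whitespace-sensitive.
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['Status'] -eq '0xc00000bb') {        # -eq is case-insensitive
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = $data['LogonType']          # 2 = interactive desktop logon
                Status    = $data['Status']
                SubStatus = $data['SubStatus']
                Process   = $data['ProcessName']
            }
        }
    }
}

function Get-KerberosPadataError {
    param([datetime]$StartTime = $Since)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        StartTime    = $StartTime
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'KDC_ERR_PADATA_TYPE_NOSUPP|0x10\b' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

"== Security 4625 events with Status 0xC00000BB since $Since =="
Get-SmartCardLogonFailure | Format-Table -AutoSize

"== Kerberos errors mentioning KDC_ERR_PADATA_TYPE_NOSUPP (0x10) since $Since =="
Get-KerberosPadataError | Format-Table -AutoSize
```

If the first query returns rows with LogonType 2 and the second returns nothing, enable Kerberos event logging and reproduce the logon before concluding the KDC is not the problem; Get-WinEvent writes no error when a log simply has no matching events.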

Steps to Reproduce

Undo the Resolution steps below and try to log on to the desktop with WFA.

Resolution

The following conditions must be met:

  • The Domain Controller Authentication certificate template must include Smart Card Logon in its application policies (extended key usage); this is what lets the domain controller's certificate be used for smart card logon

  • A certificate issued from the Domain Controller Authentication template must exist on every domain controller; if one is missing, or was issued before Smart Card Logon was added to the template, you must enroll a new certificate

Verify That Smart Card Logon Is Included in the Domain Controller Authentication Certificate Template

  1. On the domain controller, open mmc and add the Certificate Templates snap-in.

  2. Select Certificate Templates in the console tree.

  3. Double-click Domain Controller Authentication to open its properties.

  4. Select the Extensions tab.

  5. Select Application Policies and check whether Description of Application Policies lists Smart Card Logon. If it does not, click Edit…, then click Add….

  6. Select Smart Card Logon, then click OK.

  7. Click OK to close the Edit dialog.

  8. Click OK to finish.

To Enroll a New Certificate on the Domain Controller

  1. On the domain controller, open mmc.

  2. Open File > Add/Remove Snap-in….

  3. Select Certificates.

  4. Click Add, then select Computer account.

  5. Complete the wizard.

  6. Click OK to finish adding the snap-in.

  7. Expand Certificates (Local Computer).

  8. Right-click Personal, then select All Tasks > Request New Certificate….

  9. Click Next, select Active Directory Enrollment Policy, and click Next.

  10. Select Domain Controller Authentication and click Enroll.

  11. Click Finish.

Repeat the enrollment on every domain controller; the workstation may be answered by any of them.
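Both Resolution checks above (the template's application policies, and the presence of a Domain Controller Authentication certificate on the domain controller) can be verified and, if needed, the enrollment performed from PowerShell. The script below is an added example and is not part of this article or of the HYPR product. It assumes the stock template, whose LDAP common name is DomainControllerAuthentication (display name "Domain Controller Authentication"), an enterprise CA reachable through the Active Directory enrollment policy (what Get-Certificate uses by default), and that the ActiveDirectory and PKI modules are available, which is the case on a Windows Server 2012 or later domain controller. Run it as Administrator on each domain controller.

```powershell
# Added example (not from the HYPR article): automate the two Resolution checks
# on a domain controller and enroll a certificate when none is present.
#
# Assumptions not stated in the article:
#  - stock template with LDAP CN "DomainControllerAuthentication"
#  - an enterprise CA reachable via the Active Directory enrollment policy
#  - ActiveDirectory and PKI modules available (built in on a modern DC)

Import-Module ActiveDirectory
Import-Module PKI

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'                          # szOID_KP_SMARTCARD_LOGON
$TemplateCn        = 'DomainControllerAuthentication'
$TemplateExtOids   = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'     # v2 / v1 template extensions

# Check 1: does the template's extended key usage list include Smart Card Logon?
# Templates are stored in the Configuration partition, so every DC sees the same object.
function Test-DcAuthTemplate {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $t  = Get-ADObject -Identity $dn -Properties displayName, pKIExtendedKeyUsage
    [pscustomobject]@{
        Template       = $t.displayName
        EKUs           = ($t.pKIExtendedKeyUsage -join ', ')
        SmartCardLogon = [bool]($t.pKIExtendedKeyUsage -contains $SmartCardLogonOid)
    }
}

# Check 2: does this DC hold an unexpired certificate with a private key that was
# issued from the template AND carries the Smart Card Logon EKU? A certificate
# issued before the EKU was added to the template fails the last test.
function Get-DcAuthCertificate {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $templateText = @($_.Extensions |
            Where-Object { $_.Oid.Value -in $TemplateExtOids } |
            ForEach-Object { $_.Format($false) })
        $fromTemplate = (@($templateText) -match 'Domain\s?Controller\s?Authentication').Count -gt 0

        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $fromTemplate -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid)
    }
}

$templateCheck = Test-DcAuthTemplate
$templateCheck | Format-List
if (-not $templateCheck.SmartCardLogon) {
    Write-Warning "Template '$($templateCheck.Template)' lacks Smart Card Logon; add it under Extensions > Application Policies and re-enroll the DC certificates."
}

$certs = @(Get-DcAuthCertificate)
if ($certs.Count -gt 0) {
    foreach ($c in $certs) {
        "DC certificate present: $($c.Subject) expires $($c.NotAfter) thumbprint $($c.Thumbprint)"
    }
} else {
    Write-Warning "No usable Domain Controller Authentication certificate in LocalMachine\My; enrolling from the AD enrollment policy."
    # PowerShell equivalent of the MMC 'Request New Certificate' wizard above.
    # Status is 'Issued' when the CA auto-approves, 'Pending' if approval is required.
    $result = Get-Certificate -Template $TemplateCn -CertStoreLocation Cert:\LocalMachine\My
    "Enrollment status: $($result.Status)"
    if ($result.Certificate) { "Issued thumbprint: $($result.Certificate.Thumbprint)" }
}
```

Check 2 deliberately requires the Smart Card Logon EKU on the certificate itself, not just on the template: changing the template does not update certificates already issued from it, so a domain controller can pass Check 1 and still return KDC_ERR_PADATA_TYPE_NOSUPP until it is re-enrolled.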


Version Date Comment
Current Version (v. 4) May 11, 2022 15:21 Khedron de León
v. 3 Oct 29, 2021 00:58 Sean Connolly
v. 2 Oct 28, 2021 18:08 Norman Field
v. 1 Oct 28, 2021 01:28 Norman Field