How To Troubleshoot Passwordless Onboarding with EZCMS

How to troubleshoot common EZCMS issues with passwordless onboarding or passwordless authentication in Entra ID or Active Directory

Troubleshooting Smart Card Issues in Your Client Device & OS

The following are some common issues that users may encounter when using smart cards for passwordless authentication in Windows, along with troubleshooting steps to resolve them.

The Smartcard Cannot Perform the Requested Operation

If Windows shows an alert saying “The smart card cannot perform the requested operation”, the drivers Windows needs to interact with this hardware token are missing or not properly installed. If you are using a YubiKey, go to Yubico’s site and download the minidriver for your operating system.

No Valid Certificates Were Found on This Smart Card

If you are getting an error that says “No valid certificates were found on this smart card”, it means that the certificate on your hardware token is not valid for authentication. This can be caused by a few different issues:

  • Try unplugging the security key and plugging it back in, and rebooting your machine. New security keys or drivers may require a reboot or re-plugging to properly install the necessary drivers and software for the certificate to be recognized.
  • The certificate on the smart card may not be properly configured for authentication. Make sure that the certificate has the correct key usage and extended key usage attributes set for client authentication.
  • The certificate may not be issued by a trusted certificate authority (CA). Ensure that the CA that issued the certificate is trusted by your operating system and browser. You may need to install the CA’s root certificate in your trusted root certificate store.
  • The certificate may be expired or revoked. Check the validity period of the certificate and ensure that it has not been revoked by the issuing CA.

If any of these issues are present, you may need to reissue the certificate on your security key.

If you are using ECC keys on Windows, the Windows Smart Card Credential Provider does not enumerate ECC-based certificates by default. You will need to configure Windows to enumerate them, either by manually creating the required Registry entries or by making the changes via Group Policy Object (GPO). More info here.

  1. Open regedit.exe as administrator and browse to HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider
  2. Right Click > New DWORD: EnumerateECCCerts = 1
  3. Right Click > New DWORD: AllowCertificatesWithNoEKU = 1
  4. Reboot your machine and try authenticating again.
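A read-only PowerShell check for the causes listed above (validity period, key usage and EKU, CA trust and revocation, and the two policy values from the Registry steps). This is an added example, not EZCMS or Microsoft tooling; it assumes the token's certificates have been propagated to `Cert:\CurrentUser\My`, and the function name `Test-SmartCardLogonCert` is hypothetical.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added diagnostic sketch (read-only, changes nothing on the machine).
# Assumption: the token's certificates are visible in Cert:\CurrentUser\My.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
$policy     = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
$eccEnabled = $policy.EnumerateECCCerts -eq 1            # false when the value is absent
$noEkuOk    = $policy.AllowCertificatesWithNoEKU -eq 1

$clientAuth = '1.3.6.1.5.5.7.3.2'        # EKU: Client Authentication
$scLogon    = '1.3.6.1.4.1.311.20.2.2'   # EKU: Smart Card Logon
$eccKeyOid  = '1.2.840.10045.2.1'        # public key algorithm: id-ecPublicKey

function Test-SmartCardLogonCert {       # hypothetical helper name
    param([X509Certificate2]$Cert)
    $findings = @()
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $findings += "outside validity period ($($Cert.NotBefore) to $($Cert.NotAfter))"
    }
    # Key usage: a present extension without digitalSignature cannot sign the logon challenge
    $ku = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    if ($ku -and -not ($ku.KeyUsages -band [X509KeyUsageFlags]::DigitalSignature)) {
        $findings += 'key usage lacks digitalSignature'
    }
    # Extended key usage: needs a client-auth purpose, or the no-EKU policy if absent
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if (-not $eku) {
        if (-not $noEkuOk) { $findings += 'no EKU extension and AllowCertificatesWithNoEKU is not 1' }
    } else {
        $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($oids -notcontains $clientAuth -and $oids -notcontains $scLogon) {
            $findings += 'EKU lacks Client Authentication / Smart Card Logon'
        }
    }
    if ($Cert.PublicKey.Oid.Value -eq $eccKeyOid -and -not $eccEnabled) {
        $findings += 'ECC key but EnumerateECCCerts is not 1'
    }
    # Chain build covers untrusted issuer and revocation (online check)
    $chain = New-Object X509Chain
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $findings += $chain.ChainStatus | ForEach-Object { "chain: $($_.Status)" }
    }
    [pscustomobject]@{ Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint; Findings = $findings }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-SmartCardLogonCert $_ } | Format-List
```

An empty `Findings` list means none of the checked conditions applies to that certificate; a `chain: UntrustedRoot` or `chain: Revoked` entry corresponds to the CA trust and revocation causes in the list above.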

Troubleshooting Smart Card Issues in Entra CBA

Smart Card authentication for Entra ID, also known as Entra CBA, can be used with EZCMS to allow users to authenticate to Entra ID using their smart card credentials. However, there are some common issues that users may encounter when using Entra CBA, and the following troubleshooting steps can help resolve them.

This Site Can’t Be Reached

If you are trying to authenticate to Entra ID using certificate-based authentication (Entra CBA) and you get “This site can’t be reached”, the usual cause is that certificate authentication did not complete because the hardware key was not touched after you entered your PIN.

Unlike FIDO2 passkey authentication, when using smart cards for Entra CBA you may not see a prompt to touch your hardware key, but you still need to touch it after entering your PIN for the authentication to complete successfully. The key may flash slowly after you enter the PIN; this is the time to touch it. If you do not touch the hardware key while it is trying to authenticate, after a few seconds it will stop trying and show the “This site can’t be reached” error.

To try logging in again, we recommend closing all browser windows, reopening them, and trying to authenticate again, this time making sure to touch the hardware key after entering your PIN.

Further Troubleshooting Guides

Looking to troubleshoot configuration, administration, or other issues? Check out our other troubleshooting guides here:

How-To: Troubleshoot EZCMS Administration Issues

During deployment of EZCMS you might encounter some issues. On this page we will show you how to troubleshoot some of the most common ones.