Learn the common issues on smart card authentication and their corresponding solutions.
Below are the common problems in FDE smart card authentication:
When using FDE smart card authentication with a registered user, you are rebooted back to the FDE authentication screen or you receive an error that there is no smart card registered for the user.
Here are the possible causes of the issue:
- You have a Personal Challenge policy with a null policy value.
- A PolicyServer administrator or authenticator is created without assigning them a password.
As a workaround, do the following while determining the root cause of the issue:
- On the pre-boot authentication screen, select Fixed Password from Authentication menu.
- Enter your PolicyServer User Name and PIN to access the smart card.
After applying the immediate workaround, do the following to identify the cause of your issue and execute the corresponding procedure.
Check for a Personal Challenge with a null policy value
- Log into the PolicyServer MMC.
- Access the policy group where the device is located.
- View the policy Full Disk Encryption > PC > Login > SelfHelp > PersonalChallenge > PersonalChallege.
If you do not have the second PersonalChallenge policy, it means that this is not the cause of your issue.
If you have a PersonalChallenge policy that is null, which means it has no question entered, delete the policy or enter a value.
- Sync the device with the PolicyServer and attempt to authenticate with the smart card.
Check for an administrator with no password
Follow any of the following options to verify this cause:
Option 1. Run the query below on your SQL Servers to view any User Name with no password in your database.
select userid from mobilearmoruser where usertype <> 0 and (adminpassword is null or adminpassword = ' ' )
select userid from mobilearmoruser u inner join usersgroups ug on u.userindex = ug.userindex where (u.usertype <> 0 or ug.usertype <> 0) and (adminpassword is null or adminpassword = ' ')
Option 2. Use the Recovery console.
- Log into the device as a PolicyServer administrator.
- Select the Access Recovery Console button, which is visible for five seconds after logging into FDE as an administrator.
- Select Users from the menu on the left.
- On the Users screen, click the user names displayed. A user without a password has the password field displayed in yellow.
- Access the MMC and locate the user. This could be an Enterprise Administrator/Authenticator or a Group Administrator/Authenticator.
- Do any of the following:
- Remove the user.
- Right-click the user and select Change Administrator Password.
- Sync the device with the PolicyServer to apply the changes.
- Authenticate with the smart card again.
You receive "Password expiration notice" when logging in with your smart card. This happens when the policy ChangePasswordEvery has been applied to the smart card user.
The policy for password expiration should not affect a smart card user, however, it is recommended to set this policy to the maximum value.
If the expiration period is reached, the user will be prompted to register the smart card using the same smart card and PIN. Otherwise, an administrator can log on to the device and access the Recovery Console to extend the user password expiration.
To prevent this from happening again, the policy ChangePasswordEvery should not be applied to the users when configuring a policy group. You can set this to the maximum allowed value of 5000.
To resolve the issue:
- Confirm the last communication to PolicyServer using Cisco VPN Client (IPSec) or internal IP address. If none of the above requirements is met, the device may be locked because it fails to communicate with the PolicyServer within the specified period of time.
- Check the PIN properties.
- Check the username on PolicyServer. Remember that this is case-sensitive.
- Check the device group membership.
- Vefiry proper insertion of the smart card.
- Confirm the Device ID and initiate a Remote Help.
This is a designed functionality of FDE. When authenticating to FDE as an administrator, the administrator policies are sent down to the machine. Therefore, if the next authentication is in a disconnected state, the policies remain as those of the admin.
It is recommended that the Enterprise PolicyPhysicalToken Required is set to "Yes". Alternatively, the administrator authenticating to the device should use a smart card instead of a fixed password.