3.12 PKI

The PKI method enables you to authenticate using any one of the following ways:

PKI Device

PKI device is a hardware device, such as a contact card and USB token that contains the digital certificate. The PKI reader validates the digital certificate and the identity of users. When you try to authenticate on any device, the certificate in the device is compared with the actual certificate. If the certificates are identical, you are authenticated successfully.

NOTE:You must install the Advanced Authentication Device Service for enrolling the PKI method using PKI device.

Virtual Smartcard

You can also enroll and authenticate the PKI method using a virtual smartcard. Virtual smartcard supports authentication to any web environment and makes use of client SSL certificate to authenticate users. In client certificate authentication, the client browser provides its client certificate to the server to confirm the identity of a user.

A client SSL certificate is a file that contains information, such as digital signature, expiration date, name of user, and name of CA (Certificate Authority). When you try to authenticate on the web environment, authenticity of the client SSL certificate is validated based on the settings that are configured by the administrator.

3.12.1 Enrolling the PKI Authenticator Using PKI Device

  1. Click the PKI icon in Add Authenticator.

  2. (Optional) Specify a comment in the Comment.

  3. (Optional) Select the preferred category from the Category.

    A message Waiting for the card is displayed.

  4. Click Save.

  5. Insert the card in reader or connect the token to the machine.

    A message Use an existing certificate or generate a key pair is displayed.

  6. Select a key from Key.

    If you have connected the token or card reader, the certificate type and expiry date of certificate is populated in Key automatically.

  7. Specify PIN code of the device.

  8. Click Save.

    A message Authenticator "PKI" has been added is displayed.

3.12.2 Enrolling the PKI Authenticator Using Virtual Smartcard

  1. Try to access the third party website from the browser where your administrator has imported a valid SSL certificate.

    The Certificate dialog box is displayed.

  2. Select the preferred client SSL certificate that is issued by the administrator.

    You get auto-enrolled to PKI method using virtual smartcard.

NOTE:An administrator has the privilege to disable auto-enrollment of the PKI method using virtual smartcard.

3.12.3 Testing the PKI Authenticator

  1. Click the PKI icon in Enrolled methods.

  2. Click Test.

    A message Waiting for card... is displayed.

  3. Insert your card or connect your token to the machine, if you are using a PKI device.

    If you are using a virtual smartcard, the client SSL certificate is detected automatically.

  4. Specify the PIN of the PKI device in PIN.

    If the test is successful, a message Authenticator "PKI" passed the test is displayed. If the card is invalid, a message Wrong card is displayed. If the specified PIN is invalid, a message Incorrect PIN is displayed.

The following table describes the possible error message along with the workarounds for the PKI authentication.

Table 3-6 PKI authenticator - error messages


Possible Cause and Workaround

Card reader connected

When a card is not inserted to the reader or the token is not connected to the machine. Insert the card to the reader or connect token to the machine.

Enroll failed: Cannot check revocation status for …

When the certificate on your device does not contain information about the revocation status location or if the information is inserted, but the Certificate Authority is not available to verify the revocation status.

PKI service is not available

The Advanced Authentication Device Service is not installed on the system. Install the Device Service and try authenticating again.

Key not found. Wrong Card?

You have enrolled the PKI authenticator in the RDP session. Enroll the authenticator again in normal session.

PIN is expired

The PIN assigned to your token has expired. Contact your administrator for the new PIN.

PIN is locked

After certain number of attempts with the incorrect PIN, the PIN is locked. Contact your administrator to reset the PIN.

Token is not present

Token is not connected to the system. Connect the token and try authenticating again.

Token is not recognized

The Device Service is unable to detect the DLL to recognize the token.

Unexpected service status: PLUGIN_NOT_INITTED

A vendor module is absent, invalid or not specified. Contact your administrator to check the configuration.

The following table describes the unexpected error codes that are displayed from a PKCS#11 module.

Table 3-7 : Unexpected Error codes

Error Code



The token or USB slot is broken. Try to use a different USB slot.


There is no space available in the memory of token or there may be some other issue with the memory.


An invalid mechanism was specified to the cryptographic operation.


Ensure that the card has been initialized or do not use the default PIN and the PIN has expired.


The user PIN is locked.


The token has not been recognized.


Contact your system administrator to analyze the debug logs.