
(Windows) Unlock Fails after Expired Certificate

Two methods can be used to determine whether a Windows unlock attempt through the HYPR Passwordless client failed because the user's certificate has expired: read the KSP log, or inspect the certificate template with certutil.

Obtain the KSP Logs

  1. Open regedit on the affected workstation.

  2. Navigate to HYPR registry record:

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{C822931E-86C5-4482-85C1-049523A13A09}.

  3. Under that key, create a new String Value (REG_SZ, not a subkey) named HyprKspLogFile and set it to the path of the log file to write, e.g., C:\Program Files\HYPR\Log\HyprKsp.log. Make sure the directory exists.

  4. Restart the HYPR Windows service, or reboot the workstation, for the change to take effect.

  5. Reproduce the unlock attempt, then open the log file. It records the total time taken by the certificate revocation checks and by the account checks (disabled/deleted account). Search for "revocation" to find where those checks run.

    • Look for KSPCertUtils_IsCertificateExpired; its presence indicates that the certificate has expired.

    • If that entry appears with a timestamp matching the failed unlock attempt, the affected user(s) must re-enroll.
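The log procedure above, as an added PowerShell example (not part of the HYPR page or HYPR's own tooling): it creates the HyprKspLogFile string value described in steps 2 and 3 and then scans the log for the expired-certificate marker, flagging hits that fall inside a recent window. The registry path, value name and marker string come from the article; the service name HYPR, the log timestamp format, and the sample log lines are assumptions or constructed for illustration.

```powershell
# Added example (not from the HYPR page): enable the KSP log via the registry value the
# article describes, then scan the log for the expired-certificate marker.
# Registry path and value name are from the article; the service name 'HYPR' and the
# log timestamp format (yyyy-MM-dd HH:mm:ss at the start of each line) are ASSUMPTIONS.
$CpKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{C822931E-86C5-4482-85C1-049523A13A09}'
$LogPath = 'C:\Program Files\HYPR\Log\HyprKsp.log'

function Enable-HyprKspLog {
    param([string]$Key = $CpKey, [string]$Path = $LogPath)
    if (-not (Test-Path $Key)) { throw "HYPR credential provider key not found: $Key" }
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    # HyprKspLogFile is a REG_SZ value under the key, not a subkey
    New-ItemProperty -Path $Key -Name 'HyprKspLogFile' -Value $Path -PropertyType String -Force | Out-Null
    # ASSUMPTION: service name; reboot instead if your service is named differently
    Restart-Service -Name 'HYPR' -ErrorAction SilentlyContinue
}

function Find-ExpiredCertEvents {
    param([string]$Path = $LogPath, [int]$WithinDays = 7)
    $cutoff = (Get-Date).AddDays(-$WithinDays)
    foreach ($line in Get-Content -Path $Path) {
        if ($line -notmatch 'KSPCertUtils_IsCertificateExpired') { continue }
        $ts = $null
        $m = [regex]::Match($line, '^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})')
        if ($m.Success) {
            $ts = [datetime]::ParseExact($m.Groups[1].Value.Replace('T', ' '),
                                         'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        }
        [pscustomobject]@{
            Timestamp = $ts
            Recent    = ($null -ne $ts -and $ts -ge $cutoff)   # recent hit => user must re-enroll
            Line      = $line
        }
    }
}

# Constructed sample log (not real HYPR output) so the scan can be tried offline
$sample = @"
2024-05-01 08:15:01 KSPCertUtils_CheckRevocation start
2024-05-01 08:15:02 KSPCertUtils_CheckRevocation done in 412 ms
2024-05-01 08:15:02 KSPCertUtils_IsCertificateExpired: certificate is past NotAfter
"@
$tmp = Join-Path $env:TEMP 'HyprKsp-sample.log'
Set-Content -Path $tmp -Value $sample
Find-ExpiredCertEvents -Path $tmp -WithinDays 3650 | Format-Table Timestamp, Recent -AutoSize

# On the affected workstation (elevated): Enable-HyprKspLog; reproduce the unlock; then
# Find-ExpiredCertEvents | Where-Object Recent
```

Run the script from an elevated prompt on the affected workstation. A hit whose Recent column is True lines up with the failed unlock and means that user needs to re-enroll; an old hit with no recent entries points to a different cause.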

Check the Certificate Template with certutil

  1. Run the following command, substituting the value of the Certificate Template entry found in the HYPR credential provider registry key (Step 2, above):

    certutil -v -template <value of Certificate Template in Regedit>

  2. In the results, locate the validity settings and determine when certificates issued from this template expire. Note that certutil reports the template's configured validity period, not the NotAfter date of a specific user's certificate; use the KSP log, or the user's certificate store, to confirm an individual certificate has expired.

    (screenshot: certutil -v -template output showing the template's validity period)

  3. To check for additional HYPR templates, list all templates and note any whose names start with HYPR:

    certutil -v -template

  4. Run the template query again for each HYPR template found in Step 3:

    certutil -v -template <HYPR template name from Step 3>
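The certutil procedure above, as an added PowerShell example (not part of the HYPR page or HYPR's own tooling): it lists the templates whose names start with HYPR, prints the validity lines of each template dump, and then checks the certificates actually enrolled in a store against today's date, which the template query alone cannot do. The HYPR name prefix and the certutil commands come from the article; the TemplatePropCommonName line used to parse certutil output, the Validity/Expir/Renewal filter, and the CurrentUser\My store location are assumptions.

```powershell
# Added example (not HYPR's own tooling): enumerate HYPR certificate templates with
# certutil and check the enrolled certificates for expiry. Template names starting
# with "HYPR" are from the article. ASSUMPTIONS: the 'TemplatePropCommonName' line in
# certutil -v -template output, and CurrentUser\My as the store holding the HYPR certificate
# (change to Cert:\LocalMachine\My if your deployment enrolls machine certificates).
function Get-HyprTemplateNames {
    $out = certutil -v -template 2>&1 | Out-String
    $names = [regex]::Matches($out, 'TemplatePropCommonName\s*=\s*(HYPR\S*)') |
        ForEach-Object { $_.Groups[1].Value }
    return ($names | Sort-Object -Unique)
}

function Show-TemplateValidity {
    param([Parameter(Mandatory)][string]$Name)
    # Print only the validity-related lines of the template dump (the screenshot step above)
    certutil -v -template $Name 2>&1 | Select-String -Pattern 'Validity|Expir|Renewal'
}

function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v2 template info (1.3.6.1.4.1.311.21.7) or v1 template name (1.3.6.1.4.1.311.20.2)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') } |
        Select-Object -First 1
    if ($null -eq $ext) { return $null }
    return $ext.Format($false)
}

function Find-HyprCerts {
    param([string]$StorePath = 'Cert:\CurrentUser\My', [int]$WarnDays = 30)
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $tpl = Get-CertTemplateName -Cert $cert
        if (-not $tpl -or $tpl -notmatch 'HYPR') { continue }
        $status = if ($cert.NotAfter -lt $now) { 'EXPIRED: user must re-enroll' }
                  elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { "expires within $WarnDays days" }
                  else { 'valid' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Template   = $tpl
            NotAfter   = $cert.NotAfter
            Status     = $status
        }
    }
}

# Usage (on a domain-joined machine that can reach AD for the template query):
foreach ($name in Get-HyprTemplateNames) {
    "== $name =="
    Show-TemplateValidity -Name $name
}
Find-HyprCerts | Format-Table Subject, Template, NotAfter, Status -AutoSize
```

The template query needs line of sight to Active Directory; the store check does not, so it can also be run in the affected user's session to get the exact NotAfter of the certificate that failed the unlock.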